Ransomware continues to be a serious threat to data security; in the last two weeks, a new player in the ransomware arena has arisen, and in a big way. Called “Locky”, it functions in a very similar manner to older ransomware strains, such as CryptoLocker or CryptoWall. Once it gets on a system, it silently encrypts all data files, rendering them unusable. Locky then leaves behind a message instructing the victim to go to an anonymized site and pay “ransom” to receive a decryption key.
While this sounds like typical ransomware, where Locky differs is in the targets its operators have gone after. In addition to typical home and office users, Locky recently infected a Los Angeles area hospital (Hollywood Presbyterian Medical Center). This left the hospital’s network essentially unusable, with administration and processing coming to a halt. The hospital claims no personal data was lost, but the infection severely impacted its ability to function normally, with records being kept on pen and paper while cleanup and recovery occurred. What is most notable is that the hospital was unable to reverse this damage on its own; it instead paid the ransom of 40 bitcoins, or roughly $17,000, to receive the decryption key.
To see hackers going after hospitals should be highly concerning to everyone. People’s lives could have been at risk when critical data suddenly became unavailable. In addition, it’s estimated that since its origin in early February, Locky has been infecting around 90,000 PCs a day. But perhaps the most concerning thing about Locky and other ransomware, beyond the despicable motives of the hackers and the rapid rate of attack, is the fact that it is easily preventable, and yet so few people and companies manage to safeguard themselves appropriately.
Locky spreads by email, in the form of bogus messages claiming to have invoices attached. The attachments are Microsoft Word files with embedded macros. Because Word disables macros by default, the document prompts the user to enable them in order to “read” its contents. Enabling macros allows the file to execute code that leads to the infection. But let’s take a look at this: Locky requires the user to consciously run it, not once, but TWICE.
An email from an unknown sender, or containing an unexpected document, should always be viewed as suspicious. Even if the document gets opened, Word, by default, does not have macros enabled, so the file then has to prompt the user to enable them. Both of these things should be giant red flags to any computer user. For one, you should always be cautious when reviewing emails from unknown senders, particularly if they contain an attachment. Secondly, a legitimate Word file will basically never ask you to enable macros. By maintaining a sense of vigilance when opening emails, employees can prevent these types of attacks from happening in the first place.
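As an added example of a defender-side check that matches the infection chain just described (not code from the original post), here is a Python function a mail gateway could run to quarantine Word attachments that carry an embedded VBA project. The file names, the minimal document containers and the quarantine policy are constructed for the example; treating legacy binary .doc files as suspicious outright is an assumed conservative policy, since their macro storage is not a simple zip entry.

```python
import io
import zipfile

# Word attachment types the post describes as Locky's delivery vehicle.
WORD_EXTENSIONS = {".doc", ".dot", ".docx", ".docm", ".dotx", ".dotm"}

# Magic bytes of an OLE2 compound file (legacy binary .doc).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_macros(data: bytes) -> bool:
    """Return True if a Word attachment appears to carry a VBA macro project.

    OOXML documents (.docx/.docm) are zip containers; a macro project is stored
    as the part word/vbaProject.bin. Legacy OLE2 .doc files are flagged as
    suspicious outright (assumed policy) because checking them properly would
    require parsing the compound-file structure.
    """
    if data.startswith(OLE2_MAGIC):
        return True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False  # not a Word container at all; other checks apply
    return any(name.lower().startswith("word/vbaproject") for name in names)


def triage_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict for one attachment: 'quarantine', 'allow' or 'ignore'."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext not in WORD_EXTENSIONS:
        return "ignore"  # not a Word file; outside this check's scope
    return "quarantine" if has_vba_macros(data) else "allow"


def make_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment names in the style of the bogus invoice lure.
    print(triage_attachment("invoice_J-98765432.docm", make_sample_docx(True)))
    print(triage_attachment("invoice_J-98765432.docx", make_sample_docx(False)))
```

The check is a coarse presence test only: it flags that a macro project exists, not what it does, so quarantined files still need human or sandbox review before release.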
Of course, if a virus such as Locky manages to get on a computer or network, it’s vital to have the IT resources to eliminate the infection and recover from it quickly, rather than having to pay a ransom to criminals. The hospital in L.A., for example, clearly had lapses in their IT strategy that allowed the virus to cripple their network and left them needing to pay the ransom as their only recourse. Proper anti-virus and firewall protection will help prevent these attacks, but if they manage to slip through, it’s equally important to have a backup strategy in place that allows for affected files to be recovered rapidly. Finally, having an IT staff that is aware of these issues and working to prevent them will help keep your business safe and secure. Wondering how secure your business is? Contact us today to talk about managed network security, managed backup and recovery, and how to best protect your network and data.