A new ransomware called Locky is making the rounds, encrypting its victims’ files and demanding several hundred Euros to unscramble them.
“Locky has failed to break our cloud detection – we’ve picked it up multiple times in the APC,” points out Stefan Kurtzhals of the Avira Protection Lab. “It is a good example of how well backend-only detection methods – where we analyze and detect malware in our Avira cloud instead of doing this directly in the users’ computer – work in comparison to the signature-type detections listed in VirusTotal.”
Kurtzhals is referring to the Avira Protection Cloud (APC) – our in-cloud technology for threat analysis and detection – and an integral part of our antivirus products. With APC, Avira sends potentially dangerous binaries to our cloud for analysis. Because detection takes place in the cloud backend, cybercriminals like the authors of Locky cannot directly see how we are doing it, and cannot test their battery of obfuscation tricks against it offline until one of them slips past.
Locky is striking over a geographically diverse area. From just one Locky sample, Avira has identified targeted computers in Germany, England/United States, Spain, Italy, and the Netherlands.
Locky is usually spread by emails with an attached Microsoft Word document. If Office macros are enabled, the macro embedded in the document runs as soon as it is opened and starts the malware installation. If macros are disabled, the document instead shows the recipient a lure telling them that they really should enable macros; the installation only starts once the recipient does so, at which point the macro runs and Locky goes to work.
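The delivery chain above hinges on one question a mail gateway or an analyst can answer before anyone opens the attachment: does this Word file contain VBA at all? The following script is an added example for this post, not Avira code and not derived from a Locky sample. It recognises the two container formats Word uses: modern OOXML files (.docx/.docm) are ZIP archives in which macro code is stored as a `word/vbaProject.bin` part, and legacy binary .doc files are OLE2 compound files in which macros live under storages named `Macros` and `VBA`. The OLE2 branch is a deliberate heuristic (it searches for those directory-entry names, which OLE2 stores as UTF-16LE, instead of parsing the sector allocation table); the sample inputs it builds are constructed in memory and are not real documents.

```python
"""Triage check for Word attachments: does the file carry VBA macro code?

Added example for this post (not Avira code). Two container formats:
  - OOXML (.docx/.docm): a ZIP archive; VBA is stored in word/vbaProject.bin.
  - Legacy .doc: an OLE2 compound file; VBA sits in a 'Macros' storage with
    a 'VBA' substorage. Directory entry names are stored as UTF-16LE.
The OLE2 check is a heuristic string search, not a full OLE2 parser.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file signature
ZIP_MAGIC = b"PK\x03\x04"                           # local file header, start of a ZIP

# Storage/stream names that only appear when a VBA project is present,
# encoded as OLE2 stores them: UTF-16LE followed by a two-byte NUL terminator.
OLE2_MACRO_NAMES = [
    name.encode("utf-16-le") + b"\x00\x00"
    for name in ("Macros", "VBA", "_VBA_PROJECT")
]


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML documents are ZIPs; any vbaProject.bin part means VBA is present."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a readable ZIP, so not an OOXML document we can inspect


def ole2_has_macros(data: bytes) -> bool:
    """Heuristic for legacy .doc: look for VBA storage names in the directory entries."""
    return any(marker in data for marker in OLE2_MACRO_NAMES)


def classify_attachment(data: bytes) -> str:
    """Return one of: 'ooxml+macros', 'ooxml', 'ole2+macros', 'ole2', 'other'.

    The decision is made on the file's magic bytes, never on its extension,
    because the extension is chosen by the sender.
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml+macros" if ooxml_has_macros(data) else "ooxml"
    if data.startswith(OLE2_MAGIC):
        return "ole2+macros" if ole2_has_macros(data) else "ole2"
    return "other"


def make_ooxml(with_macros: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like a Word OOXML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a VBA project; not real macro code.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole2(with_macros: bool) -> bytes:
    """Constructed sample: OLE2 signature, a zeroed header, and optionally a
    fake 'Macros' directory entry name. Not a valid compound file."""
    body = OLE2_MAGIC + b"\x00" * 504
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\x00\x00"
    return body


if __name__ == "__main__":
    samples = {
        "docm with VBA": make_ooxml(True),
        "docx without VBA": make_ooxml(False),
        "legacy doc with VBA": make_ole2(True),
        "legacy doc without VBA": make_ole2(False),
        "not an Office file": b"MZ\x90\x00",
    }
    for label, blob in samples.items():
        print(f"{label:24} -> {classify_attachment(blob)}")
```

A result of `ooxml+macros` or `ole2+macros` does not mean the file is Locky, only that it contains code that will run if the recipient follows the lure described above; that is usually enough to quarantine an unsolicited invoice or delivery note for review. For production use, replace the OLE2 heuristic with a proper compound-file parser so that storage names split across sectors are not missed.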
“Even though Avira is detecting this, it is really important for users to use common sense and not click on suspicious attachments,” points out Kurtzhals. “Whether the specific malware is Locky or Dridex, this is a very common way to spread bad stuff around – think before you click.”