Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Germany, France Hit Most by Locky Ransomware: Kaspersky

While it has been roughly two months since it was first spotted, the Locky ransomware has become a global threat, targeting users in 114 countries. While the threat has infected systems around the world, a heavy concentration of attacks have registered in Germany and France, Kaspersky Lab says.

While it has been roughly two months since it was first spotted, the Locky ransomware has become a global threat, targeting users in 114 countries. While the threat has infected systems around the world, a heavy concentration of attacks have registered in Germany and France, Kaspersky Lab says.

Data coming from the Kaspersky Security Network reveals that Germany has seen 3989 attacks and France registered 2372, while Kuwait was third in line, with 976 attacks. India (512), China (427), South Africa (220), and United States (188) follow, with Italy (128), Spain (105), and Mexico (92) rounding up top 10. 

Kaspersky Lab’s Fedor Sinitsyn, however, explains that these numbers show only cases where the actual Trojan-Ransom.Win32.Locky was detected, meaning that early-stage detections reported as malicious spam or malicious downloaders were not included in the report. Regardless, it offers a better understanding of Locky’s distribution around the world. As a reminder, these infections only represent those detected by Kaspersky Lab, not other vendors, so the numbers are certainly higher.

Initially distributed via malicious macros in Office documents, then via JavaScript-based attachments, Locky has recently appeared in exploit kits as well, showing that its operators are looking to expand as much as possible, fast. Recently, FireEye Labs researchers detected massive Locky spam email campaigns around the world, while Check Point noticed changes in Locky’s communication patterns.

After infecting a computer, the ransomware contacts the command and control (C&C) server, which replies with a public RSA-2048 key and infection ID. The malware then sends information about the language of the infected operating system, receives the ransom note, then starts encrypting files on local drives and network shares, deletes shadow copies, displays the ransom note, and then removes itself form the computer.

The fact that Locky operators target users in a broad range of geographies is also confirmed by the fact that the ransom payment page is available in more than two-dozen languages. Although displaying a typical ransomware behavior, Locky is the most active of them all, with no other ransomware attacking so many countries at once, Kaspersky Lab says.

Although a highly active threat, Locky can still be blocked before compromising computers by taking a series of preventive measures. While not guaranteed to proect against the threat, users can use an available vaccine to render their machine immune to Locky, and can stay safe by not opening attachments in emails from unknown sources. Users should always keep an updated anti-virus program on their computer, and keep their data backed up at all times.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.