Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Germany, France Hit Most by Locky Ransomware: Kaspersky

While it has been roughly two months since it was first spotted, the Locky ransomware has become a global threat, targeting users in 114 countries. While the threat has infected systems around the world, a heavy concentration of attacks have registered in Germany and France, Kaspersky Lab says.

While it has been roughly two months since it was first spotted, the Locky ransomware has become a global threat, targeting users in 114 countries. While the threat has infected systems around the world, a heavy concentration of attacks have registered in Germany and France, Kaspersky Lab says.

Data coming from the Kaspersky Security Network reveals that Germany has seen 3989 attacks and France registered 2372, while Kuwait was third in line, with 976 attacks. India (512), China (427), South Africa (220), and United States (188) follow, with Italy (128), Spain (105), and Mexico (92) rounding up top 10. 

Kaspersky Lab’s Fedor Sinitsyn, however, explains that these numbers show only cases where the actual Trojan-Ransom.Win32.Locky was detected, meaning that early-stage detections reported as malicious spam or malicious downloaders were not included in the report. Regardless, it offers a better understanding of Locky’s distribution around the world. As a reminder, these infections only represent those detected by Kaspersky Lab, not other vendors, so the numbers are certainly higher.

Initially distributed via malicious macros in Office documents, then via JavaScript-based attachments, Locky has recently appeared in exploit kits as well, showing that its operators are looking to expand as much as possible, fast. Recently, FireEye Labs researchers detected massive Locky spam email campaigns around the world, while Check Point noticed changes in Locky’s communication patterns.

After infecting a computer, the ransomware contacts the command and control (C&C) server, which replies with a public RSA-2048 key and infection ID. The malware then sends information about the language of the infected operating system, receives the ransom note, then starts encrypting files on local drives and network shares, deletes shadow copies, displays the ransom note, and then removes itself form the computer.

The fact that Locky operators target users in a broad range of geographies is also confirmed by the fact that the ransom payment page is available in more than two-dozen languages. Although displaying a typical ransomware behavior, Locky is the most active of them all, with no other ransomware attacking so many countries at once, Kaspersky Lab says.

Although a highly active threat, Locky can still be blocked before compromising computers by taking a series of preventive measures. While not guaranteed to proect against the threat, users can use an available vaccine to render their machine immune to Locky, and can stay safe by not opening attachments in emails from unknown sources. Users should always keep an updated anti-virus program on their computer, and keep their data backed up at all times.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.