While it has been roughly two months since it was first spotted, the Locky ransomware has become a global threat, targeting users in 114 countries. While the threat has infected systems around the world, a heavy concentration of attacks have registered in Germany and France, Kaspersky Lab says.
Data coming from the Kaspersky Security Network reveals that Germany has seen 3989 attacks and France registered 2372, while Kuwait was third in line, with 976 attacks. India (512), China (427), South Africa (220), and United States (188) follow, with Italy (128), Spain (105), and Mexico (92) rounding up top 10.
Kaspersky Lab’s Fedor Sinitsyn, however, explains that these numbers show only cases where the actual Trojan-Ransom.Win32.Locky was detected, meaning that early-stage detections reported as malicious spam or malicious downloaders were not included in the report. Regardless, it offers a better understanding of Locky’s distribution around the world. As a reminder, these infections only represent those detected by Kaspersky Lab, not other vendors, so the numbers are certainly higher.
Initially distributed via malicious macros in Office documents, then via JavaScript-based attachments, Locky has recently appeared in exploit kits as well, showing that its operators are looking to expand as much as possible, fast. Recently, FireEye Labs researchers detected massive Locky spam email campaigns around the world, while Check Point noticed changes in Locky’s communication patterns.
After infecting a computer, the ransomware contacts the command and control (C&C) server, which replies with a public RSA-2048 key and infection ID. The malware then sends information about the language of the infected operating system, receives the ransom note, then starts encrypting files on local drives and network shares, deletes shadow copies, displays the ransom note, and then removes itself form the computer.
The fact that Locky operators target users in a broad range of geographies is also confirmed by the fact that the ransom payment page is available in more than two-dozen languages. Although displaying a typical ransomware behavior, Locky is the most active of them all, with no other ransomware attacking so many countries at once, Kaspersky Lab says.
Although a highly active threat, Locky can still be blocked before compromising computers by taking a series of preventive measures. While not guaranteed to proect against the threat, users can use an available vaccine to render their machine immune to Locky, and can stay safe by not opening attachments in emails from unknown sources. Users should always keep an updated anti-virus program on their computer, and keep their data backed up at all times.