How is this being distributed?
Operations6 tweeted that this campaign is being distributed through phishing emails with Excel email attachments that contain macros to download and install Locky.
We’ve been warning about this very popular method of delivering ransomware for the past several months. We’ve even put together a macros warning screen guide to show you the most common examples we see so you know what to watch out for when a phishing email like this lands in your inbox.
The sheet in this particular campaign is named Лист1, a probable indication that the developers are located in Russia or Ukraine. If a user actually opens the doc, they get a blank screen with a prompt to enable macros.
Of course, the attachments have important-sounding names containing the word ‘Invoice’ to really try and get users interested enough to find out what’s in the attachment and enable the macros.
Once the macros are enabled, it’s too late. A VBA macro is triggered that downloads a DLL (dynamic-link library, Microsoft’s shared library concept) file and executes it using Rundll32.exe.
The DLL file is downloaded into the %Temp% folder and renamed with an extension such as .spe rather than the usual .dll extension. It is then executed using the legitimate Windows program Rundll32.exe and installs Locky ransomware onto the computer.
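As a detection aid for the chain described above (Office macro, DLL dropped in %Temp% under a non-.dll extension, execution through Rundll32.exe), here is an added example, not code from the original post, that triages process-creation events. The event field names, the list of Office parents, the extensions treated as normal and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumptions of this example: which parents to watch and which extensions count as normal.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
NORMAL_MODULE_EXTS = {".dll", ".cpl"}
TEMP_PATH = re.compile(r"\\te?mp\\|%te?mp%", re.IGNORECASE)
RUNDLL32_ARGS = re.compile(r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+(.+)$', re.IGNORECASE)


def rundll32_module(command_line):
    """Return the module path handed to rundll32.exe, or None if it cannot be parsed."""
    match = RUNDLL32_ARGS.match(command_line)
    if not match:
        return None
    args = match.group(1).strip()
    if args.startswith('"'):                  # quoted path, may contain spaces
        return args[1:].split('"', 1)[0]
    return args.split(",", 1)[0].strip()      # unquoted: path ends at the export comma


def triage(event):
    """Return the reasons a process-creation event matches the chain described above."""
    if ntpath.basename(event["image"]).lower() != "rundll32.exe":
        return []
    reasons = []
    if ntpath.basename(event["parent_image"]).lower() in OFFICE_PARENTS:
        reasons.append("office-parent")
    module = rundll32_module(event["command_line"])
    if module:
        if TEMP_PATH.search(module):
            reasons.append("module-in-temp")
        if ntpath.splitext(module)[1].lower() not in NORMAL_MODULE_EXTS:
            reasons.append("non-dll-extension")
    return reasons

# Constructed sample events; the field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "command_line": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\sample.spe,EntryPoint"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev["command_line"])
```

Any single reason is worth a look; all three together on one event match the behaviour this post describes.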
See the details from Larry Abrams at Bleeping Computer for the results of a sample he ran.
Once all files have been encrypted, Locky displays its ransom notes; see an example below. Currently the price for file recovery is about 2.5 Bitcoins (~$1880).
What to do about Locky
Unfortunately, at this time there is still no known free decryption method for the Locky ransomware variant. This is where those weapons-grade backups we’re always talking about would save the day. Locky does try to erase Shadow Volume Copies, although in some cases that fails, so it is possible to restore your encrypted files from Shadow Volume Copies if you’re lucky.