Juha Saarinen is a tech blogger for nzherald.co.nz.

Juha Saarinen: 'Locky' ransomware strikes

Ransomware is a sobering reminder of how fragile our business and personal IT systems are - and what a pain it is if you're locked out of them. Photo / iStock

Last week, the Whanganui District Health Board was hit by the Locky ransomware, one in a long list of attacks where digital bandits go after soft targets.

I still come across people who complain about their computers being slow because "they're full of viruses", but carry on using the devices nevertheless. No chance of that with ransomware, which you can't ignore as it locks you out of your computer.

Ransomware is getting worse as well, as writers take their evil work seriously.


Locky for instance not only encrypts files locally, the malware also traverses folders and directories shared over a network and attempts to scramble data on those.

Although Locky runs on Windows, this "feature" means data stored on computers running Apple OS X and Linux that's shared over a network can be encrypted.

Then, to tighten the thumbscrews a bit more, Locky encrypts Bitcoin wallet files too - that's presumably to encourage users who have more in the Bitcoin wallets than the ransom demanded to pay up.

As a coup de grâce, Locky also deletes the output of a very useful feature on newer versions of Windows, Volume Shadow Copy snapshots, which could otherwise be used to go back to earlier copies of files that haven't been encrypted.

Speaking of shadow copies, they could still save the day even if they are deleted.

Some users report that they've succeeded in going back to older, unencrypted versions of the Locky-scrambled files by restoring the shadow copies (remember, files on hard disks are only marked as deleted so that they can be overwritten by other data, and are not actually physically removed).

What's important here is to stop working as soon as a ransomware infection is detected, so that data marked as deleted and which could help you restore files, isn't overwritten.
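The two practical checks that follow from this are whether a machine still has shadow copies to fall back on, and whether something has already tried to remove them. The PowerShell below is an added example, not code from the column or from any vendor. It assumes Windows 8 / Server 2012 or newer, an elevated session, and that process-creation auditing with command-line logging is enabled (Security event 4688); without that audit policy the hunt simply returns nothing. The assumed command patterns are the ones snapshot-deletion is normally done with on Windows (vssadmin and wmic), and the field index used for the command line is an assumption about the 4688 event layout.

```powershell
# Added example: audit Volume Shadow Copies and hunt for snapshot-deletion commands.
# Assumes Windows 8 / Server 2012 or later, an elevated PowerShell session, and
# process-creation auditing with command-line logging (Security event 4688).

function Get-ShadowCopySummary {
    # One row per volume: how many snapshots exist and when the newest was taken.
    # An empty result on a volume that normally has snapshots is itself a warning sign.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Group-Object -Property VolumeName |
        ForEach-Object {
            $newest = $_.Group | Sort-Object -Property InstallDate -Descending | Select-Object -First 1
            [pscustomobject]@{
                Volume = $_.Name
                Count  = $_.Count
                Newest = $newest.InstallDate
            }
        }
}

function Find-ShadowCopyDeletion {
    param([int]$Hours = 24)
    # Process-creation events whose command line matches the usual snapshot-deletion
    # tooling. Properties[8] is assumed to be the CommandLine field of event 4688,
    # Properties[1] the account that started the process.
    $patterns = 'vssadmin.*delete\s+shadows', 'wmic.*shadowcopy\s+delete'
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $cmd = [string]$_.Properties[8].Value
            foreach ($p in $patterns) {
                if ($cmd -match $p) {
                    [pscustomobject]@{
                        Time        = $_.TimeCreated
                        User        = $_.Properties[1].Value
                        CommandLine = $cmd
                    }
                    break
                }
            }
        }
}

Get-ShadowCopySummary | Format-Table -AutoSize

$hits = Find-ShadowCopyDeletion -Hours 24
if ($hits) {
    # Matches the advice in the column: stop working on the box so nothing else gets overwritten.
    Write-Warning 'Shadow-copy deletion seen in the last 24h. Stop work on this host and isolate it.'
    $hits | Format-Table -AutoSize
}
else {
    'No shadow-copy deletion commands in the Security log for the last 24h.'
}
```

Run the summary on a known-good day to learn what "normal" looks like for each volume; the deletion hunt is most useful as a scheduled task or a SIEM rule, since by the time a user notices the ransom note the snapshots are usually already gone.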

Locky uses ye olde Office macros, a programming language for Microsoft's productivity suite that's powerful and which has been thoroughly abused by malware writers for the past two decades.

Office macro malware was actually considered a thing of the past, but thanks to Locky, that particular scourge, which is usually spread via email attachments, has made a comeback.

If you do need to open Office documents sent to you, read Microsoft's recommendations on how to avoid catching Locky first. I would add to that, back up often to multiple locations, and be extremely careful about opening any type of attachment, even from people you know.
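Microsoft's advice boils down to not letting macros run unless you have a reason to trust them, and that is a policy setting rather than something each user has to remember. The script below is an added example, not Microsoft's code or the column's; it audits and, if needed, sets the Office macro policy for the current user. It assumes Office 2016 (registry version 16.0; Office 2013 uses 15.0), and that writing under HKCU\Software\Policies is acceptable on a stand-alone PC. In a domain the same values would be pushed by Group Policy instead. The value meanings for VBAWarnings are Microsoft's documented ones; the choice of 4 (block everything silently) is an assumption about the user, and 3 is the setting to use where signed macros are genuinely needed.

```powershell
# Added example: audit and enforce the Office macro policy that Microsoft's Locky advice relies on.
# Assumes Office 2016 (16.0). Use '15.0' for Office 2013. Applies to the current user via HKCU.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
#              3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files marked as downloaded (Office 2016+).
$Desired = @{
    VBAWarnings                       = 4   # use 3 if your organisation relies on signed macros
    blockcontentexecutionfrominternet = 1
}

function Get-MacroPolicy {
    # One row per app and setting, showing what is set now versus what we want.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $current = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        foreach ($name in $Desired.Keys) {
            $value = if ($current -and $current.PSObject.Properties[$name]) { $current.$name } else { $null }
            [pscustomobject]@{
                App       = $app
                Setting   = $name
                Current   = $value
                Desired   = $Desired[$name]
                Compliant = ($value -eq $Desired[$name])
            }
        }
    }
}

function Set-MacroPolicy {
    # Write the desired DWORD values, creating the policy key if it does not exist yet.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first; only write to the registry if something is out of line.
$before = Get-MacroPolicy
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Compliant }) {
    Set-MacroPolicy
    'Policy applied; re-checking:'
    Get-MacroPolicy | Format-Table -AutoSize
}
else {
    'Macro policy already compliant.'
}
```

Because these live under the Policies hive, the settings appear greyed out in the Office Trust Center, so a user tricked by an "enable content" lure cannot simply click through them; that is the point of doing it as policy rather than as a per-user preference.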

Whatever you do, don't pay the ransom if Locky or other malware hits.

First, it's far from guaranteed that the criminals will send you a key, or one that works. New ransomware is often a copy-and-paste job derived from older malware, with bits added, and even if you get the correct key, the decryption code could be buggy.

Second, giving in to blackmailers will only encourage others.

Unfortunately, the ransomware problem is likely to get worse. The malware writers target low-hanging fruit here, with computer users being conditioned - through no fault of their own - to trust certain things like Office attachments, as part of their job.

What's particularly bad is that the ransomware criminals seem to target vulnerable organisations like hospitals. It's a safe guess here that ransomware rogues have worked out that health institutions don't have the latest and greatest software, meaning nasties like Locky can slip through the cracks in defences that newer systems don't have.

It's also harder to stand firm as a health provider, and not pay the ransom.

The Hollywood Presbyterian Hospital in Los Angeles caved in, and paid NZ$25,500 in Bitcoins earlier in February to get access to their files again.

Luckily, it appears to have worked, but I'm glad I didn't have to make that decision.

Ransomware is a sobering reminder of how fragile our business and personal IT systems are - and what a pain it is if you're locked out of them. Sit down and work out how much a ransomware attack would cost you, and compare that to setting up a disaster recovery strategy.

My bet is that the latter option will be the cheapest by far.


- NZ Herald


Juha Saarinen is a technology journalist and writer living in Auckland. Apart from contributing to the New Zealand Herald over the years, he has written for the Guardian, Wired, PC World, Computerworld and ITnews Australia, covering networking, hardware, software, enterprise IT as well as the business and social aspects of computing. A firm believer in the principle that trying stuff out makes you understand things better, he spends way too much time wondering why things just don’t work.


© Copyright 2017, NZME. Publishing Limited
