Locky ransomware - a strain of Dridex - spreading via Word documents, security firms warn

Locky has already hit a hospital in the US, which had to pay $17,000 in Bitcoin to decrypt important data

A new strain of Dridex banking malware named "Locky" has already netted its creators a tidy sum. Locky has hit a hospital in the US, which had to pay $17,000 in bitcoin to decrypt important data, and security firms warn that it is spreading rapidly.

"Locky infections begin with a spam email," notes Heimdal Security, giving an example of one such email that it has analysed. "The content is in German and pretends to come from the Mpsmobile Team."

In spite of this particular example being in German, Palo Alto Networks says that most attacks have been on US targets.

"We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54 per cent)," says Palo Alto. "For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine per cent combined."

Security firm Proofpoint adds that the attachment contains a malicious Word document that spreads Locky via macros, and that the perpetrators appear to be the same as those behind Dridex - which has been blamed for the theft of £20m in the UK alone.

"While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the past year."

Proofpoint continues: "The actors behind Locky are clearly taking a cue from the Dridex playbook in terms of distribution. Just as Dridex has been pushing the limits of campaign sizes, now we're seeing even higher volumes with Locky, rivalling the largest Dridex campaigns we have observed to date."

As with other ransomware, once activated Locky encrypts files, including images, videos, source code and Office files, on the infected machine and connected local networks, then issues a ransom demand for payment in bitcoin to have them decrypted. In this case payment is requested via a site on the "dark web".

As well as the usual cautions against opening unsolicited emails and attachments, Sophos advises the installation of Microsoft Office viewers, which allow Office files to be scrutinised without activating macros.

"These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn't support macros at all, so you can't enable macros by mistake," Sophos says.

Last month a ransomware attack took down Lincolnshire County Council's entire network for a number of days.