Locky Ransomware, Unlocked

A new form of ransomware (malicious software that locks access to files until a ransom is paid) called “Locky” has been affecting workstations at an alarming rate over the past few weeks. It can encrypt virtually every commonly used file type, not only on your computer’s hard drive but on network drives as well.

Systems are being infected with this ransomware through spam emails carrying an attached Microsoft Word document that contains a malicious macro (a small application utilized by software). Macros are not always malicious, but Microsoft products disable macros by default as a security precaution. When you open this particular Word document, Locky will install on your system and start running if macros are enabled on your computer. If macros are not already enabled on your computer, you’ll be prompted to enable them.

If you have opened a suspicious Word document and suspect your computer has been infected, do not enable macros if prompted, and unplug your network cable right away. Fire Pixel encourages you to contact our techs to make sure your system has not been compromised. Just take a screenshot of the email and forward that screenshot to sam@firepixel.com (cc: jeremy@firepixel.com). Please do not forward the actual email. After sending the screenshot, delete the suspicious email to minimize the risk of spreading the infection, and we will investigate.

The best way to protect your files from Locky is to prevent infection from happening in the first place. Fire Pixel recommends that you disable all macros in Microsoft Word.  You can do this by following the steps below, or you may contact us to schedule a time when we can configure your equipment’s security settings for you.

Disable Macros: To disable macros in Microsoft Word, go to the “Trust Center” and select the setting to “Disable all macros without notification,” which will simply block the ability to use macros without prompting you to enable them.
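For administrators who want to check or apply the same Trust Center setting from PowerShell, here is an added example (not part of the original article or any Microsoft tool). It assumes the Trust Center choice is stored per user in the `VBAWarnings` registry value for Word; the script name `Set-WordMacroPolicy.ps1` and the `-Enforce` switch are hypothetical.

```powershell
# Set-WordMacroPolicy.ps1 (hypothetical name): report, and optionally set,
# Word's macro setting for the current user.
# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable without notification
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

$Desired    = 4
$officeRoot = 'HKCU:\Software\Microsoft\Office'

# Office version keys are named like 12.0, 14.0, 15.0, 16.0; skip other subkeys.
$versions = Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

$results = foreach ($v in $versions) {
    $ver     = $v.PSChildName
    $wordKey = "$officeRoot\$ver\Word"
    if (-not (Test-Path $wordKey)) { continue }   # Word never run under this version

    $secKey = "$wordKey\Security"
    $polKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\Word\Security"
    $user   = (Get-ItemProperty -Path $secKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $policy = (Get-ItemProperty -Path $polKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

    if ($Enforce -and $user -ne $Desired) {
        if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
        New-ItemProperty -Path $secKey -Name VBAWarnings -Value $Desired `
            -PropertyType DWord -Force | Out-Null
        $user = $Desired
    }

    # A value pushed by Group Policy takes precedence over the user's own choice.
    $effective = if ($null -ne $policy) { $policy } else { $user }

    [pscustomobject]@{
        OfficeVersion = $ver
        UserSetting   = if ($null -eq $user)   { 'not set (Word default)' } else { $user }
        PolicySetting = if ($null -eq $policy) { 'not set' } else { $policy }
        Compliant     = ($effective -eq $Desired)
    }
}

$results | Format-Table -AutoSize
```

Run it with no arguments to see the current state, or with `-Enforce` to set the value, then restart Word so it picks up the change.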

Install Anti-Malware: We recommend installing Malwarebytes. Below is how to install the software and run Malwarebytes scans. An administrative username/password might be necessary.

  1. You can download Malwarebytes Anti-Malware here: MALWAREBYTES ANTI-MALWARE DOWNLOAD LINK (This is the free version)

  2. Once downloaded, close any open programs.  Then double-click on the icon on your desktop named “mbam-setup-2.0.exe” to start the installation of Malwarebytes Anti-Malware.

    You may be presented with a User Account Control dialog asking you if you want to run this file. If this happens, click “Yes” to continue with the installation.

  3. When the installation begins, you will see the Malwarebytes Anti-Malware Setup Wizard which will guide you through the installation process.

    To install Malwarebytes Anti-Malware on your machine, keep following the prompts by clicking the “Next” button.  Make sure to uncheck “Enable free trial of Malwarebytes Anti-Malware Premium” if you do not want to run a trial of the paid version of the software.

  4. Once installed, Malwarebytes Anti-Malware will automatically start. You will see a message stating that you should update the program, and that a scan has never been run on your system before. To start a system scan you can click on the “Fix Now” button.

    Alternatively, you can click on the “Scan” tab and select “Threat Scan”, then click on the “Scan Now” button.

  5. Malwarebytes Anti-Malware will now check for updates, and if there are any, you will need to click on the “Update Now” button.

  6. Malwarebytes Anti-Malware will now start scanning your computer for malware. When the software is scanning, the screen will look like the image below.

  7. When the scan has completed, you will now be presented with a list of any malware infections that Malwarebytes Anti-Malware has detected. To remove these malicious programs, click on the “Quarantine All” button, and then click the “Apply Now” button.

    Please note that the infections found may be different than what is shown in the above image.

  8. Malwarebytes Anti-Malware will now quarantine all the malicious files and registry keys that were found. When removing the files, a reboot of your computer may be required in order to remove some of them. If a message is displayed stating that a reboot is needed, please allow Malwarebytes Anti-Malware to reboot the computer.

    After your computer restarts, you should open Malwarebytes Anti-Malware and perform another “Threat Scan” scan to verify that there are no remaining threats.