Wednesday, April 26, 2017

Locky Ransomware Is Back!!!

Researchers have observed a new wave of spam messages with emails spoofing payment receipts under various subjects such as "Receipt 435," "Payment Receipt 2724," "Payment-2677," and so on. The email carries a PDF attachment with a non-descriptive name like P72732.pdf, which prompts the user to open an embedded Word document. Once opened, the Word document asks the user to enable macros. Enabling the macro unleashes the Locky malware code, which is downloaded, decrypted, and saved to %Temp%\redchip2.exe. The malware is then executed, and the files on the victim's computer are rapidly encrypted and saved with the .OSIRIS extension. A ransom note is displayed on the victim's machine instructing them to download and install Tor, visit a certain address, and make a Bitcoin payment. Because the malicious Word document is embedded inside the PDF attachment, the campaign evades detection more easily.

Best Practice:
Keeping a backup of the data is the first and foremost step. Keeping security patches up to date will help in combating this kind of attack.
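As an added illustration (not part of the original post), here is a small Python detection routine that flags the two observable stages described above on constructed sample endpoint events: an Office process launching an executable from the user's Temp directory, and a burst of files gaining the .OSIRIS extension on one host. The event format, host names and paths are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry for this example (not real Sysmon/EDR output).
# Each tuple: (seconds since epoch, host, event type, image or file path, parent image)
EVENTS = [
    (100, "ws1", "process", r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Program Files\Adobe\AcroRd32.exe"),
    (105, "ws1", "process", r"C:\Users\alice\AppData\Local\Temp\redchip2.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    (106, "ws1", "file", r"C:\Users\alice\Documents\Q1.xlsx.OSIRIS", ""),
    (106, "ws1", "file", r"C:\Users\alice\Documents\plan.docx.OSIRIS", ""),
    (107, "ws1", "file", r"C:\Users\alice\Pictures\me.jpg.OSIRIS", ""),
    (108, "ws1", "file", r"C:\Users\alice\Desktop\notes.txt.OSIRIS", ""),
    (120, "ws2", "process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    (121, "ws2", "file", r"C:\Users\bob\Documents\report.pdf", ""),
]

# %Temp% on a Windows workstation normally resolves to <profile>\AppData\Local\Temp
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
OFFICE_RE = re.compile(r"\\(WINWORD|EXCEL|POWERPNT)\.EXE$", re.IGNORECASE)
RANSOM_EXT = ".OSIRIS"  # extension appended by the Locky variant described in the post


def detect(events, window=60, threshold=3):
    """Return a list of alert strings.

    Rule 1: an Office application spawns an executable located under %Temp%
            (the macro dropping and running the payload).
    Rule 2: at least `threshold` files on one host gain the .OSIRIS extension
            within `window` seconds (mass encryption in progress).
    """
    alerts = []
    osiris_times = defaultdict(list)  # host -> timestamps of .OSIRIS file events
    for ts, host, kind, path, parent in events:
        if kind == "process" and TEMP_RE.search(path) and OFFICE_RE.search(parent):
            alerts.append(f"{host}: Office process {parent} launched {path} from Temp")
        elif kind == "file" and path.lower().endswith(RANSOM_EXT.lower()):
            osiris_times[host].append(ts)
    for host, times in osiris_times.items():
        times.sort()
        # Sliding window: any `threshold` consecutive events inside `window` seconds
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"{host}: {threshold}+ files renamed to {RANSOM_EXT} within {window}s")
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```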
