Most IT service providers with any experience in IT security knew it was only a matter of time before a ransomware attack took an organization's data hostage with no known way to recover it. Taking advantage of the fact that most end users are still fairly naïve about IT security, hackers have developed the “Locky” malware, which uses macros in a Word document to plant code in an IT environment that encrypts all of that organization's data. The hacker then demands money, usually in the form of untraceable digital Bitcoin currency, in exchange for the keys needed to decrypt that data.
The best-known case of Locky malware being used as “ransomware” involves the Hollywood Presbyterian Hospital, which was recently forced to pay roughly $17,000 to regain access to its data. Hackers tricked one of the hospital's employees into downloading an infected Word document that instructed the user to click on a portion of the document, which activated the malware through the Microsoft Office VBA macros embedded in it.
How to protect your customers from Locky
While there is no known defense against Locky malware yet, there are several measures that IT service providers can advise their customers to take. The first involves disabling macros in Word documents. While it’s not feasible to disable every macro, IT organizations can disable all macros that are not digitally signed. That doesn’t get rid of the malware itself, but it substantially limits the chances that an end user will accidentally activate it.
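The “disable all macros that are not digitally signed” setting described above maps to the Office Trust Center's `VBAWarnings` policy value. The script below is an added example, not part of the original article: it audits and enforces that setting for Word under the per-user policy hive. The Office version list, the use of HKCU rather than a domain Group Policy deployment, and the function names are assumptions for illustration.

```powershell
# Added example: enforce "Disable all macros except digitally signed" for Word.
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable all except digitally signed, 4 = disable without notification.
# Version list and HKCU policy path are assumptions; a GPO would normally deploy this.
$OfficeVersions = @('14.0', '15.0', '16.0')   # Office 2010, 2013, 2016/365
$DisableExceptSigned = 3

function Get-WordMacroPolicy {
    param([string]$Version)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\Word\Security"
    $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # policy not set: Word falls back to its default
    return [int]$item.VBAWarnings
}

function Set-WordMacroPolicy {
    param([string]$Version, [int]$Level)
    $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\Word\Security"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name VBAWarnings -PropertyType DWord -Value $Level -Force | Out-Null
    # Office 2016 only: also block macros in files marked as downloaded from the Internet.
    if ($Version -eq '16.0') {
        New-ItemProperty -Path $path -Name blockcontentexecutionfrominternet `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

foreach ($v in $OfficeVersions) {
    $before = Get-WordMacroPolicy -Version $v
    if ($before -eq $DisableExceptSigned) {
        Write-Output "Office $v : already restricted to signed macros (VBAWarnings=$before)"
        continue
    }
    Set-WordMacroPolicy -Version $v -Level $DisableExceptSigned
    $after = Get-WordMacroPolicy -Version $v
    $shown = if ($null -eq $before) { 'unset' } else { $before }
    Write-Output ("Office {0} : VBAWarnings {1} -> {2}" -f $v, $shown, $after)
}
```

Because the value lives under the Policies hive, Word greys out the Trust Center macro options so the end user cannot quietly switch them back to “enable all”.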
Once the infection is discovered, IT service providers can either use IT security software to remove it before it is activated, or use snapshots to restore data volumes to a point before the malware infected the system. The latter option may result in some loss of data, so in most cases the preferred option is to make hunting for and removing Locky malware a high priority.
Uncovering a hidden threat
Of course, that’s no guarantee Locky malware won’t reappear. Because it counts on end users being fooled into downloading it, Locky malware is already installed on hundreds of thousands of machines. The perpetrators of this crime are simply waiting for the opportunity to strike their next unlucky victim.
That's why IT service providers need to stress IT security education for end users. All the IT security technology in the world is essentially powerless against malware that an end user deliberately downloads onto their machine. Unfortunately, hackers have become very sophisticated in using social engineering techniques to fool end users into thinking that one attachment or another is part of a legitimate business process. In a matter of a few clicks of a mouse an entire organization can be rapidly infected before anyone realizes it. Worse yet, that infection may actually have been lying dormant for months.
If there is any bright side to this mess, it's that Locky is drawing the kind of attention that most hackers don’t especially crave, and that makes it easier for IT service providers to have a long overdue conversation about IT security with clients who all too often think ransomware is something that happens to anyone but them.