One thing that is driving mainstream recognition of ransomware is the move by the Dridex banking Trojan gang into ransomware with their Locky strain. They have taken over from CryptoWall, which from their perspective is just an upstart. Locky was linked to the notorious Dridex gang by both Palo Alto Networks and Proofpoint. The Russian Dridex criminal group is the most prominent operating banking malware.
The Dridex Locky ransomware strain isn’t more sophisticated than other latest generation crypto-ransom malware, but it is rapidly spreading to victim systems. Forbes claims that Locky is infecting approximately 90,000 systems per day and that it typically asks users for 0.5-1 Bitcoin (~420 dollars) to unlock their systems. Locky is disseminated through phishing emails containing Microsoft Word attachments. Each binary of Locky is reportedly uniquely hashed; consequently, signature-based detection is basically impossible.
The Dridex gang is the 800-pound gorilla in banking Trojans. Apparently they have seen the profit potential of ransomware and leveraged their extensive criminal infrastructure to get their Locky strain infecting as many machines as possible. Consequently, financial institutions are likely the next major sector to be actively targeted. The FBI just stated that the threat from ransomware is expected to grow, as per an article in the Wall Street Journal.
Five Things To Do About It
- Block any and all emails with .zip extensions and/or macros at your email gateway level.
- Disable Adobe Flash Player, Java and Silverlight if possible. These are used as attack vectors.
- Step all employees through effective security awareness training, so they can recognize the red flags related to ransomware attacks.
- Print out this free job aid, laminate it, and hand it out to employees so they can pin it on their wall.
- Do a Phishing Security Test on your users and find out if they are going to click on something they shouldn’t. Get started here: