Believed to be distributed through the same botnet that once spammed users with the Dridex trojan, Locky shares information about the infected system with the ransomware authors once it connects to a command and control (C&C) server. The malware then encrypts all files that contain common file extensions found on the hard drive and adds .LOCKY as the new extension.
When the encryption process is complete, Locky replaces the computer’s background with a ransom note, which includes a link to a website accessible only via the Tor browser. There the victim is asked to penny up 0.5 BTC (approximately US$200) for a decryption key that can restore their files.
Locky is the same ransomware that caused the Hollywood Presbyterian Medical Center to shutter its computer system for a week before the hospital gave in and paid the ransom fee, which in this case was 40 BTC (approximately US$17,000).
Mendrez recommends that organizations should consider blocking inbound .js attachments and Office documents with macros at the gateway. Educating your users about your organization’s email policy can also go a long way towards avoiding malware infections.