Doctors and patients across the world, beware: cyberciminals have a new member of the family! Despite its young age, a one-month-old ransomware has already encrypted files in two American hospitals and brought $17,000 to its creators.
The “baby,” was named Locky, and quickly gained global notoriety soon after it’s birth. The reason? It infected the medical records of Hollywood Presbyterian Medical Center in Los Angeles. Yes, the hospital who was crippled by and eventually paid $17,000 to get their records back.
— Kaspersky Lab (@kaspersky) February 18, 2016
The new victim, Methodist Hospital in Henderson, Kentucky is a 217 bed acute care facility. To stop the infection, the hospital had to turn off all PCs in the network. Hospital administration are cooperating with the FBI and checking every device for infection, one by one. It’s possible that some data can be recovered from backups. Unlike the previous hospital attack, the ransom that was asked for was only $1,600. However, Methodist Hospital officials claim that money will be paid only if it comes to the worst.
Methodist Hospital officials – "The ransom was not paid. Our system is up and running." @14News
— Jessica Gavin (@JessicaGavinTV) March 21, 2016
Locky’s adventures in Kentucky began with a letter, as is usually the case. Last Friday a hospital employee received spam and launched the file attachment that in turn downloaded ransomware from the criminals’ server, letting Locky into the network. The Trojan quickly copied all data on the device, encrypted it and deleted originals. Simultaneously Locky started its journey across the hospital’s corporate network, which could be stopped only by turning off all of the PCs.
Earlier Locky was delivered with the help of doc-files with malicious script, which downloaded the Trojan from remote servers. Later culprits modified tactics and switched to zip-archives with Java scripts, which also downloaded the Trojan from criminals servers and launched it. The majority of malicious letters were in English, but there were also emails, written in two languages simultaneously.
— Kaspersky Lab (@kaspersky) March 24, 2016
According to Kaspersky Security Network, Locky mostly attacks users in Germany, France, Kuwait, India, South Africa, USA, Italy, Spain and Mexico. As far as we know, Russia and CIS countries are of no concern to the Trojan.
It’s noteworthy that Locky is a very curious Trojan, as it gathers detailed statistics about each victim which is very unusual for ransomware. This keenness can be explained by culprits pecuniary interests: this activity helps them to determine the value of encrypted files in order to set individual ransom and gain huge profit.
— Kaspersky Lab (@kaspersky) November 30, 2015
It’s unlikely that Locky was created to attack medical institutions specifically. Security experts are sure, that criminals will hunt for any users who heavily rely on data, such as lawyers, medical workers, architects and so on.
In conclusion we’d like to admit, that Kaspersky Lab solutions protect users from Locky on several levels of our multilayer defence:
- The anti-spam module detects malicious emails sent by cybercriminals.
- Built in email and file antiviruses spot the uploading scripts and warn the user. Our solutions detect these scripts as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent and HEUR:Trojan-Downloader.Script.Generic.
- The file antivirus recognizes the executable file and warns the user that Trojan-Ransom.Win32.Locky is detected.
- The System agent module in Kaspersky Internet Security will find even unknown samples of Locky ransomware and notify the user that the PDM:Trojan.Win32.Generic is detected. Moreover, it will not allow the Trojan to encrypt files on your hard drive so no ransomware will be able to steal and lock your data and demand money.