Threat Management

Locky ransomware, disguised in Word docs, latest from Dridex creators

Calling the newly discovered Locky ransomware, likely the newest endeavor from the actors behind Dridex, “a vicious new strain,” KnowBe4 warned its customers in a Wednesday blog that the ransomware has been spotted disguised in Word documents and to take steps to protect themselves.

Because the professional grade malware is distributed through an email and a Microsoft Word attachment that contains malicious malware, it escapes detection by many anti-virus products. "AV coverage is very poor – after over 24 hours in the wild, only three very niche vendors detect it," a Medium report that provided detail on the ransomware reported, although "most major anti-virus products now detect, with the latest updates."

Researchers at KnowBe4 said attackers use social engineering two times in the process – first to persuade users to open the attachment and then to enable the macros found in the Word file. Once a victim opens the Word document, the content appears to be “scrambled” and a message appears asking the user to resolve the unreadable text by enabling the macros.

“Once a victim enables the macros, they download an executable from a remote server in the %Temp% folder and execute it,” KnowBe4's CEO Stu Sjouwerman, said in the release. “This executable is the Locky ransomware that when started will begin to encrypt the files on your computer and network.”

PC Pitstop noted that Locky appears to be the handiwork of those behind the Dridex banking trojan and is distributed through the Neutrino Exploit Kit. “If an individual opens the spam email, ignores the macro Word alert and clicks "enabled content," Locky will immediately scan the system for specific files and encrypt or modify them so they can no longer be used – that is, unless a ransom is paid, which Locky's current amount is .5 BTC, or the equivalent of $209.33,” Dodi Glenn, vice president of cyber security at PC Pitstop, said in a statement emailed to These file types – such as .doc, .csv, .pdf, .jpg, etc. – are commonly found on end-users' machines.

Calling the transaction all too familiar for many of the other types of ransomware out there, Glenn said what should be more concerning to enterprise customers is that it will also look for .SQL, .SQLiteDB and .SQLite3 files, which are associated with databases.

Attackers have made inroads with Locky, Sjouwerman noted, because “the old Office macros from the nineties have not gone away and the bad guys are combining this old technology with clever social engineering." He noted that organizations trusting “anti-virus software and expecting users to not click "Enable macros" are likely “going to have a problem.”

“You can't just disable all macros across the whole company because a lot of legacy code relies on macros,” he said. “Telling all users to sign their macros will also take months.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.