{"id":5373,"date":"2016-03-27T07:32:15","date_gmt":"2016-03-27T11:32:15","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5373"},"modified":"2020-04-09T21:32:30","modified_gmt":"2020-04-09T17:32:30","slug":"locky-ransomware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/locky-ransomware\/5373\/","title":{"rendered":"Tricky Locky ransomware robs American hospitals"},"content":{"rendered":"<p>Doctors and patients across the world, beware: cybercriminals have a new member of the family! Despite its young age, a one-month-old ransomware has already encrypted files in two American hospitals and brought $17,000 to its creators.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-5364\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2016\/03\/05103337\/banking-trojans-bypass-2fa-FB.jpg\" alt=\"banking-trojans-bypass-2fa-FB\" width=\"1280\" height=\"1280\"><\/p>\n<p>The \u201cbaby\u201d was named Locky, and it quickly gained global notoriety soon after its birth. The reason? It\u00a0<a href=\"https:\/\/threatpost.com\/locky-ransomware-borrows-tricks-from-dridex\/116304\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">infected<\/a>\u00a0the medical records of Hollywood Presbyterian Medical Center in Los Angeles. 
Yes, the hospital that was crippled by it and eventually\u00a0<a href=\"http:\/\/www.npr.org\/sections\/thetwo-way\/2016\/02\/17\/467149625\/la-hospital-pays-hackers-nearly-17-000-to-restore-computer-network\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">paid<\/a>\u00a0$17,000 to get its records back.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Locky?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Locky<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Ransomware<\/a> Borrows Tricks from Dridex via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/t.co\/4VRyAas6pY\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/4VRyAas6pY<\/a> <a href=\"https:\/\/t.co\/JO43afN7hq\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/JO43afN7hq<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/700427833781440512?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 18, 2016<\/a><\/p><\/blockquote>\n<p>The new victim, Methodist Hospital in Henderson, Kentucky, is a 217-bed acute care facility. To stop the infection, the hospital had to turn off all PCs in the network. The hospital administration is cooperating with the FBI and checking every device for infection, one by one. It\u2019s possible that some data can be recovered from backups. Unlike in the previous hospital attack, the ransom demanded was only $1,600. 
However, Methodist Hospital officials say the ransom will be paid only as a last resort.<\/p>\n<p>https:\/\/twitter.com\/JGavin14News\/status\/711956381637726209?ref_src=twsrc%5Etfw<\/p>\n<p>Locky\u2019s adventures in Kentucky began with an email, as is usually the case. Last Friday a hospital employee received a spam message and opened the attachment, which in turn downloaded the ransomware from the criminals\u2019 server, letting Locky into the network. The Trojan quickly copied all data on the device, encrypted the copies and deleted the originals. Simultaneously, Locky started its journey across the hospital\u2019s corporate network, which could be stopped only by turning off all of the PCs.<\/p>\n<p>Earlier, Locky was delivered in Word documents containing a malicious script that downloaded the Trojan from remote servers. Later, the culprits changed tactics and switched to ZIP archives containing JavaScript files, which likewise downloaded the Trojan from the criminals\u2019 servers and launched it. The majority of malicious emails were in English, but some were written in two languages at once.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/Hospitals?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Hospitals<\/a> are under attack\u2026 what's at risk? 
<a href=\"https:\/\/t.co\/b1WYjQgpfY\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/b1WYjQgpfY<\/a> via <a href=\"https:\/\/twitter.com\/61ack1ynx?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@61ack1ynx<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Infosec<\/a> <a href=\"https:\/\/t.co\/euuJ8041U0\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/euuJ8041U0<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/713003737187532800?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 24, 2016<\/a><\/p><\/blockquote>\n<p>According to\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-security-network-explained\/8657\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Kaspersky Security Network<\/a>, Locky mostly attacks users in Germany, France, Kuwait, India, South Africa, the USA, Italy, Spain and Mexico. As far as we know, Russia and the CIS countries are of no concern to the Trojan.<\/p>\n<p>It\u2019s noteworthy that Locky is a very curious Trojan: it gathers detailed statistics about each victim, which is very unusual for ransomware. 
This keenness can be explained by the culprits\u2019 pecuniary interests: the statistics help them estimate the value of the encrypted files, set an individual ransom and make a bigger profit.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">10 tips to protect your files from ransomware <a href=\"https:\/\/t.co\/o0IpUU9CHb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/o0IpUU9CHb<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iteducation?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iteducation<\/a> <a href=\"https:\/\/t.co\/I47sPIiWFF\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/I47sPIiWFF<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/671348678607642624?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 30, 2015<\/a><\/p><\/blockquote>\n<p>It\u2019s unlikely that Locky was created to attack medical institutions specifically. Security experts are sure that criminals will hunt for any users who rely heavily on data, such as lawyers, medical workers, architects and so on.<\/p>\n<p>In conclusion, we\u2019d like to note that Kaspersky Lab solutions protect users from Locky at several levels of our multilayer defence:<\/p>\n<ul>\n<li>The\u00a0<b><a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-anti-spam-protection\/9051\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">anti-spam<\/a><\/b>\u00a0module detects malicious emails sent by cybercriminals.<\/li>\n<li>Built-in\u00a0<b>email and file antiviruses<\/b>\u00a0spot the downloader scripts and warn the user. 
Our solutions detect these scripts as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent and HEUR:Trojan-Downloader.Script.Generic.<\/li>\n<li>The\u00a0<b>file antivirus<\/b>\u00a0recognizes the executable file and warns the user that Trojan-Ransom.Win32.Locky has been detected.<\/li>\n<li>The\u00a0<b>System agent<\/b>\u00a0module in\u00a0<a href=\"https:\/\/me.kaspersky.com\/en\/free-trials\/multi-device-security?redef=1&amp;reseller=me-en_kismdtribuild_trd_ona_smm__onl_b2c__lnk_______\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Internet Security<\/a>\u00a0will find even unknown samples of Locky ransomware and notify the user that PDM:Trojan.Win32.Generic has been detected. Moreover, it will not allow the Trojan to encrypt files on your hard drive, so no ransomware will be able to steal and lock your data and demand money.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Doctors and patients across the world, beware: cybercriminals have a new member of the family! 
Despite its young age, a one-month-old ransomware has already encrypted files in two American hospitals<\/p>\n","protected":false},"author":522,"featured_media":5374,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[191,180,1149,1150,433,97],"class_list":{"0":"post-5373","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-data","10":"tag-kaspersky-internet-security","11":"tag-locky","12":"tag-medicine","13":"tag-ransomware","14":"tag-security-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/locky-ransomware\/5373\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/locky-ransomware\/3769\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/locky-ransomware\/6916\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/locky-ransomware\/6884\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/locky-ransomware\/8015\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/locky-ransomware\/7800\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/locky-ransomware\/11382\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/locky-ransomware\/11667\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/locky-ransomware\/5427\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/locky-ransomware\/6121\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/locky-ransomware\/7295\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/locky-ransomware\/10849\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/locky-ransomware\/11382\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/locky-ransomware\/11667\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/locky-ransomware\/11667\/"}],"
acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/data\/","name":"data"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/522"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5373"}],"version-history":[{"count":6,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5373\/revisions"}],"predecessor-version":[{"id":16333,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5373\/revisions\/16333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5374"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}