Locky Strikes an Unlucky Hospital

A Methodist hospital in Kentucky was hit hard earlier this week when a vicious Trojan ransomware attacked their computer network. Once this malware infection infiltrated one of the computers, it quickly spread on the whole network infecting all local drives as well as unmapped network shares. Locky Ransomware, as it was named after the .locky extension it appends to files, encrypted all databases, image, video, audio, and program files with a next-to-impossible-to-crack encryption algorithm. Obviously, the hospital will not be able to use the infected computers and the encrypted files unless they comply with the demands of the cyber criminals who created this dangerous Trojan. Although the ransom fee does not seem to be too high for an institution, this hospital is working closely with the FBI to find a legal way out of this terrible situation. Nevertheless, they have not yet ruled out the possibility of paying the fee to be able to recover the files. One thing is certain, though, they will not be able to use the infected computers unless they remove Locky Ransomware.

A hospital under virtual siege

A few days ago a red scrolling banner welcomed the visitors of Methodisthospital.net, the hospital’s official website, informing about the unfortunate attack by Locky Ransomware and that the hospital had to declare an “Internal State of Emergency” as a result. Although hospital officials claim that no patient records were affected by this vicious malware attack, their network and computer use has been rather limited since then. Since the hospital has a powerful emergency response system, this attack resulted in a total shutdown just like the place had been hit by a tornado. Therefore, the security experts now need to switch on computers one by one and scan them for infections.

The criminals seem to demand various amounts from the victims because in this case reports show that the ransom fee is 4 Bitcoins, which is the virtual currency used for the payment in most ransomware attacks. This is around $1660, which cannot be called insanely high when it comes to a hospital. The usual rate Locky Ransomware seems to try to extort from computer users is between 0.5 and 1 BTC (207 to 414 USD).

Obviously, this is not the first time a ransomware hit a hospital in the United States. As a matter of fact, just a few weeks ago another hospital was hit in California, but in that case around $17,000 was the ransom fee to pay for the decryption of the files. Although this current fee of $1660 is only one tenth of that amount, the Methodist hospital is not willing to pay unless it proves absolutely necessary, i.e., there is no other way out of this nightmarish situation.

Where does Locky Ransomware come from?

It seems that the infection infiltrated one of the computers through a spam e-mail. The e-mail this Trojan seems to be spreading in has a subject that refers to an invoice, such as “ATTN: Invoice H-62627152.” The body of the mail asks the victim to open the attached Word document, the alleged invoice, which has the same name as in the subject (e.g., Invoice_ H-62627152.doc). However, this Word document contains a malicious macro code that downloads Locky Ransomware in the background. There are two lessons here to learn. First, you should be very careful with opening e-mails because cyber criminals have sophisticated methods to fool anyone into believing that they are actually opening a legitimate or official mail. Second, you need to be even more careful when it comes to clicking on or opening attachments. Images, video files as well as macro-ready documents can be used to trigger the download of a Trojan infection, such as Locky Ransomware onto your PC. Even though it may be impossible to stop this program during the encryption, you should definitely remove it as soon as you notice its vicious act.

How does Locky Ransomware work?

The infection is activated once the victim opens this fake invoice document and enables the use of macros. This ransomware is very tricky since it displays unreadable scrambled characters in the document with a red-colored title that asks the user to enable macros if he or she cannot read the text below. Once this ransomware is downloaded and activated it encrypts all photos, videos, music files, documents, program files and databases. It specifically targets around 140 extensions, including .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .xml, .doc, and many more. This infection seems to skip the following system directories though: tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows. Furthermore, it deletes the Shadow Volume Copies of files to make it impossible to recover them. It also creates text files with instructions on the desktop (_Locky_recover_instructions.txt) and in every folder where files were encrypted.

Once the job is done, which may be just a few seconds really since Locky Ransomware uses an AES algorithm, a ransom note will be displayed on the screen, which has the same text as the above mentioned text files. The private key will be stored on a “secret server” and can only be accessed once the transfer of the demanded ransom fee is done. Hopefully, the victims have a backup copy to recover files from. You can save backups to external drives or even onto an online storage place. But before you transfer them back to your system, you must remove Locky Ransomware and any other threats there may be.

Leave a Comment

Enter the numbers in the box to the right *