Locky Ransomware Virus Sweeps U.S. Businesses

By Aliah D. Wright Feb 19, 2016

The latest strain of ransomware sweeping workplaces is called Locky: It locks, scrambles and renames all of your files, giving them the extension “.locky.”

Experts say once your files have been seized, the quickest way to retrieve them is to pay the ransom. Some thieves demand payment in bitcoin on the dark web.

Sophos, a security software and hardware company, reports that the average price to retrieve files is $400.

Cybersecurity experts began noticing Locky in the U.K. on Feb. 16. It appeared in infected Word documents in the U.S. the following day.

Here’s how it works:

  • An e-mail enters your inbox containing an attached Word document that may have this name on it: (Troj/DocDl-BCF).
  • Upon opening the document, you’ll only see gobbledygook.
  • In order to read the document, you’re advised to enable macros (which automate frequently used tasks) “if the data encoding is incorrect,” the e-mail states.
  • If you enable macros, the infected Word document executes code that saves a file to your disk and runs it.
  • The saved file serves as a downloader, which retrieves the malware from the cyber thieves.
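The last two steps above leave a trace that endpoint telemetry can catch: a Word process writes an executable to disk and launches it. The following PowerShell is an added example written for this article, not code from the article, Sophos or KnowBe4. It assumes process-creation records with a parent image and child image (as Sysmon Event ID 1 or Security event 4688 provide) and flags any Office application that spawns an executable from a user-writable folder. The events, paths and file names below are constructed for illustration.

```powershell
# Added example: flag process-creation events in which an Office application
# launches an executable from a user-writable location, the behaviour the
# article describes (a macro saves a file to disk and runs it).
# The event records below are constructed, not real telemetry.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe')

# Regex fragments for folders an unprivileged user can write to; single quotes
# keep the backslashes literal so '\\' matches one '\' in the path.
$UserWritablePatterns = @(
    '\\AppData\\Local\\Temp\\',
    '\\AppData\\Roaming\\',
    '\\Users\\Public\\',
    '\\ProgramData\\'
)

function Test-SuspiciousOfficeChild {
    param(
        [Parameter(Mandatory)] [string] $ParentImage,
        [Parameter(Mandatory)] [string] $Image
    )
    # Only children of Office applications are of interest here
    $parentName = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    if ($OfficeParents -notcontains $parentName) { return $false }

    # A child started from a user-writable folder matches the dropper pattern
    foreach ($pattern in $UserWritablePatterns) {
        if ($Image -match $pattern) { return $true }
    }
    return $false
}

# Constructed sample events (placeholder paths and names)
$events = @(
    [pscustomobject]@{ Time = '2016-02-17T09:12:01'; ParentImage = 'C:\Windows\explorer.exe';
                       Image = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE' },
    [pscustomobject]@{ Time = '2016-02-17T09:12:40'; ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE';
                       Image = 'C:\Windows\splwow64.exe' },            # printing helper, benign
    [pscustomobject]@{ Time = '2016-02-17T09:13:05'; ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE';
                       Image = 'C:\Users\joe\AppData\Local\Temp\dropped_file.exe' }  # dropper pattern
)

$hits = $events | Where-Object { Test-SuspiciousOfficeChild -ParentImage $_.ParentImage -Image $_.Image }
foreach ($hit in $hits) {
    Write-Output ("ALERT {0}: {1} launched {2}" -f $hit.Time, $hit.ParentImage, $hit.Image)
}
```

Only the third event is reported. The rule is deliberately narrow (parent must be an Office binary, child must live in a user-writable folder), so legitimate helpers such as the print spooler proxy do not fire; in a real deployment it would be fed live events and paired with the mitigation the article goes on to describe.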

“It’s professional malware,” Stu Sjouwerman, chief executive officer at KnowBe4, a cybersecurity consulting group in Clearwater, Fla., told SHRM Online. Not only does it “encrypt files on … the hard disk of the computer,” it also encrypts files on any mapped drives, “which is the scary part.”

It’s a new version of an old trick, he said, calling Locky a “double social engineering attack.”

Receivers of this e-mail are encouraged to first open the Word document to view something like an invoice, for example. Then when they view the scrambled document, they’re tricked again into running a macro that downloads the virus.

This particular kind of attack is brand new for ransomware, he said. 

“Malicious macros in Microsoft Office have existed since the ’90s, but the combination of social engineering, macros and ransomware is definitely a combination we have not seen before,” he said.

According to Larry Abrams of BleepingComputer, a computer support company, “… it is safe to say that [viruses like these] are going to become the norm. Like CryptoWall [another ransomware virus], Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data.”

Sjouwerman noted, “If you trust antivirus software and [think] your users [are] not clicking ‘Enable macros,’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros.”

KnowBe4 advises HR professionals to ask their IT teams to take the following steps:

  • Visit the Group Policy setting in the Trust Center and set it to “Disable all except digitally signed macros.”
  • Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office (Version No.)/Application Settings/Security/Trust Center/Trusted Locations.
  • Set your shared folder location URL in here. (More detail can be found at Microsoft Technet.)
  • Now instruct your users to make sure all macros are used from shared folders. Macros should work as before on their regular documents.
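The four steps above are normally clicked through in the Group Policy editor. The PowerShell below is an added example, written for this article and not supplied by KnowBe4 or Microsoft, that applies the same two policies for Word through the per-user policy registry keys the Group Policy template writes, then reads them back so an administrator can verify the result on a test machine. It assumes Office 2016 (the “Version No.” in the article’s path, taken here as 16.0) and uses a placeholder UNC share for the trusted folder; both are assumptions to adjust. Domain-wide rollout still goes through Group Policy; this script is for validating the settings on one workstation.

```powershell
# Added example: apply and verify the Trust Center macro policy for Word.
# Assumptions (not from the article): Office 2016 = version key 16.0;
# the trusted share path is a placeholder.
$OfficeVersion     = '16.0'
$SharedMacroFolder = '\\fileserver\macros'   # placeholder UNC path, replace with your share

# These are the keys Group Policy writes for the Trust Center settings
$SecurityKey   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
$TrustedLocKey = "$SecurityKey\Trusted Locations"

# VBAWarnings values: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification
$VbaWarningMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Set-WordMacroPolicy {
    # Step 1: "Disable all except digitally signed macros"
    New-Item -Path $SecurityKey -Force | Out-Null
    New-ItemProperty -Path $SecurityKey -Name 'VBAWarnings' -PropertyType DWord -Value 3 -Force | Out-Null

    # Steps 2 and 3: allow network Trusted Locations and register the shared folder
    New-Item -Path $TrustedLocKey -Force | Out-Null
    New-ItemProperty -Path $TrustedLocKey -Name 'AllowNetworkLocations' -PropertyType DWord -Value 1 -Force | Out-Null

    $location = "$TrustedLocKey\Location1"
    New-Item -Path $location -Force | Out-Null
    New-ItemProperty -Path $location -Name 'Path'            -PropertyType String -Value $SharedMacroFolder -Force | Out-Null
    New-ItemProperty -Path $location -Name 'AllowSubfolders' -PropertyType DWord  -Value 1 -Force | Out-Null
    New-ItemProperty -Path $location -Name 'Description'     -PropertyType String -Value 'Approved macro share' -Force | Out-Null
}

function Get-WordMacroPolicy {
    # Read the values back; missing values mean the policy is not applied
    $vba = (Get-ItemProperty -Path $SecurityKey -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    $meaning = if ($null -ne $vba -and $VbaWarningMeaning.ContainsKey([int]$vba)) {
        $VbaWarningMeaning[[int]$vba]
    } else {
        'Not set by policy (Word default: disable with notification)'
    }

    $locations = @()
    if (Test-Path $TrustedLocKey) {
        $locations = Get-ChildItem -Path $TrustedLocKey |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).Path }
    }

    [pscustomobject]@{
        VBAWarnings      = $vba
        Meaning          = $meaning
        TrustedLocations = $locations
    }
}

Set-WordMacroPolicy
Get-WordMacroPolicy | Format-List
```

After running it, the report should show `VBAWarnings: 3`, the "Disable all except digitally signed macros" meaning, and the share path under `TrustedLocations`. Step 4 of the article is the organisational half: macros in documents kept on that share keep working, while a macro in an e-mailed attachment saved anywhere else is blocked unless it carries a trusted signature.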

Once this has been done, “if Mr. Bad Guy e-mails Joe in accounts payable a bad file, the macro won’t run,” Sjouwerman said. But above all else, it’s important to train employees, he emphasized. 

The lesson for HR? 

“Teach your users not to enable macros in Word files [they] didn’t ask for. That’s the security awareness training part of this whole thing.”

Aliah D. Wright is an online editor/manager for SHRM.
