► In what form is it ?
2 weeks ago we drew your attention to the zero-day vulnerability detected in MS Office.
The first to exploit it is the ransomware “Locky”. As a reminder, the latter became known at the beginning of last year by shattering all records of the number of victims it made.
It has therefore now come back to France since last Monday and is invisible to most antivirus software not yet having patched the Microsoft zero day vulnerability.
The way it works has hardly changed; the ransomware is spread via an email with an attachment (an alleged payment receipt) itself containing an unreadable Word or Excel document
and a message asking the user to activate macros for the content to be displayed.
The ultimate refinement, the sender's email address belongs to the same domain as the recipient’s to put recipients off their guard.
The sole function of the embedded macro is to retrieve and then execute the malware. Running the ransomware results in data encryption and all the infected files are renamed with the “.locky” extension. It will also target shared files accessible from the user account whose session has been compromised.
The victim is then invited through a dialog box that is displayed on the screen, to pay money to the cybercriminal to unencrypt the infected files.
Campaigns in shorter waves, highly localised geographically have also been observed.
The blockage rate of this spam by anti-spam filters is unfortunately relatively low.
► How can you protect yourself ?
- Do not open documents attached to unsolicited emails
Disable automatic execution of macros in office suites
[Reminder to disable in Microsoft Office:
File / Options / Trust Center / Trust Center Settings / Macro Settings / Check Disable all macros with notification]
- Keep the operating system and virus protection software of your workstations up-to-date
- Disable the autoplay feature of USB sticks and hard drives if you insist on using them
- Perform full, regular back-ups of all your systems and data (workstations, servers and laptops) and retain at least 3 versions of each backed up document
- And especially educate your staff by distributing our alert reports internally!
► What should you do if attacked ?
If you have accidentally clicked on the link and downloaded a Locky, we recommend that you immediately switch off the infected workstation and disconnect it from the network.
The aim is to block the action of the parasite and if possible its spread over the network or to your contacts contained in your email system.
Search and delete all similar messages in the mailboxes of users connected to your computer network.
Finally perform a complete reinstall of the infected computer and restore the files from a trusted backup.
> Have you been the victim of an cybercriminal attack? Do you need advice ?