You may have seen reports of the Locky malware circulating the web; we think this is a good time to discuss its distribution methods, and reiterate some best-practice methods that will help prevent infection.
We’ve seen Locky being distributed by spam email, not in itself a unique distribution method, but this means that spreading is broad and not isolated to any particular region. This ransomware knows no borders, and we’ve seen high infection rates across the world.
The Locky email attachment usually arrives as a Word document, but could also be an Excel document, that appears to be an invoice. We’ve also seen the following downloaders distribute Ransom:Win32/Locky.A:
If you open this file and allow the macro to run, the malware is downloaded and runs on your PC, encrypting your files. A ransom message is then displayed demanding payment in order to unlock your encrypted files. Note that once your files are encrypted, the only guaranteed way to restore them is from backup. Microsoft does not recommend you pay the ransom; there is no guarantee that this will give you access to your files.
While Microsoft detects and removes Locky, we recommend you disable macros to help prevent this and other macro-downloaded threats from infecting your PC, and then only enable macros that you trust, on a case-by-case basis. To help keep your enterprise secure, consider using a trusted location for files in your enterprise, then you can store documents that require macros there. You can also use our cloud protection services to help boost your protection; this, and other advice on how to help keep your PC protected are outlined below.
Disable all except digitally signed macros in Microsoft Word
To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros.
To do this:
1. Open a Microsoft Word document.
2. Click the File tab.
3. Click Options.
4. In the Trust Center, click Trust Center Settings.
5. Select Disable all macros except digitally signed macros.
6. Click OK.
Block macros from running in Office files from the Internet in your enterprise
Office 16 provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet. Read about how to block macros from running in Office 16 files from the Internet.
Only enable trusted content
If you have disabled macros, when you open a file that has macros you’ll see a message bar similar to the following:
Only click Enable Content if you trust the file, that is, you know where it’s from and are certain that running the macro is harmless.
Use advanced threat and cloud protection
You can boost your protection by using Office 365 Advanced Threat Protection and also enabling Microsoft Active Protection Service (MAPS).
Office 365 helps by blocking dangerous email threats; see the Overview of Advanced Threat Protection in Exchange: new tools to stop unknown attacks, for details.
MAPS uses cloud protection to help guard against the latest malware threats. You should check if MAPS is enabled on your PC.
Help prevent malware infections on your PC
There are a number of other things you can do to help prevent malware infections, for example:
- Use up-to-date security software
- Keep your software up to date
- Turn on your firewall
- Limit user privileges
- Use trusted locations for files in your enterprise
So to wrap this up: this ransomware is bad, but infection is preventable! Microsoft detects and removes this threat, but by ensuring that you only run known, trusted macros, you’ll help prevent a Locky infection – and any other malware that relies on malicious macros. Generally, a good approach is to only allow digitally signed macros that you trust to run on any of your documents.
Stay safe, from all of us at the MMPC.
-Jasmine Sesso, MMPC