If I were asked for a tagline for the year 2016, I would surely go for "The Year of Ransomware". The ransomware attacks just don't seem to stop. Every month a new ransomware family plunders systems across different parts of the globe and asks people to pay extortion money in bitcoins. Yes, ransomware attacks are a type of extortion: the attackers infect your system, encrypt your files and then demand money from you. What else can we call this? However, as Newton's third law says, "to every action there is an equal and opposite reaction". With ransomware becoming a frequently used class of malware, security people are also coming out with countermeasures. One of the most menacing ransomware families of this year has been Locky. It gained notoriety in the first half of the year in the northern hemisphere, moved south during the Rio Olympics, and is now back again across the globe with new variants.
How does Locky infect the system?
Locky is a ransomware. It infects your system and encrypts your files, and the attackers then demand a ransom in bitcoins: Bitcoin payments are not mediated by banks or central banks, so they are far harder to freeze or trace back to a person than a wire transfer (Bitcoin is pseudonymous rather than anonymous, since every transaction is recorded on the public blockchain, but that is enough for the criminals' purposes). Locky is considered one of the deadliest ransomware families because it encrypts each file with AES (AES-128; there is no such thing as AES-1024) and protects the per-victim AES key with RSA-2048, so without the attacker's private RSA key the data cannot be recovered by brute force. It enters the system through spam email attachments. These are typical social-engineering emails that encourage the target to open the attachment under a frivolous pretext such as an invoice, medical form, survey or credit card transaction history. In 2016 the attachment was usually a Word document that asked the user to enable macros, or a script file inside a ZIP archive; the macro or script downloaded the actual Locky executable and ran it. Once that happens, Locky encrypts documents, images and other data files on the local drives and on any reachable network shares, renaming each one to a random name with the .locky extension (later variants changed the extension), and drops a supplementary .txt ransom note (originally named _Locky_recover_instructions.txt) in every folder it touched. To break the news to the perplexed user that they have just been ransomwared, the ransomware also replaces the desktop wallpaper. The wallpaper tells the user that their files have been encrypted and that they must pay so many bitcoins to so-and-so address to get the decryption key for their files. Sometimes the note also threatens that, if payment is not made within so many hours, the key will be destroyed and the encrypted files will never be recoverable. This threat is there to impair the victim's judgement, mount pressure on them and discourage them from looking for other solutions on the internet.
How to recover files locked by Locky ransomware?
First of all, there is no guarantee that you would get your files back even if you paid the ransom, so giving in to the cyber criminals is not an intelligent decision. It further emboldens them to keep raiding systems, and there is no guarantee that the same criminals won't target you again in future. So a bold stance has to be taken. Note also that nobody has found a flaw in Locky's cryptography: there is no free decryptor, and every method below recovers earlier copies of your files rather than decrypting the locked ones. With that understood, there are a few methods that can help you get your files back without paying a single penny.
1) Shadow Volume Copies
Shadow Volume Copies are snapshots that Windows takes of a volume when System Protection is enabled, for example whenever a restore point is created. Before trying any of the methods below, check from an administrator prompt whether any shadow copies still exist (the vssadmin tool lists them). Locky, like most ransomware, uses vssadmin to delete the shadow copies before it starts encrypting, so on many infected machines the list is empty and you will have to fall back to backups. Note also that System Restore itself only rolls back system files, the registry and installed programs; it does not restore your documents, so what you want from a surviving snapshot is the file-level recovery in 2) and 3) below. Snapshots exist only if System Protection is turned on and restore points have been created; if you have not done so, keep this in mind and start creating them every few weeks. Also, changes made to files after the snapshot was taken are not reflected in the recovered version.
2) Previous Version Feature
In this method, you go to each individual file or folder, right-click it, open Properties and then the Previous Versions tab. Windows lists the versions of that file or folder held in the surviving shadow copies (the tab is empty if no shadow copy exists). Pick a version dated before the attack and choose Copy to place it somewhere else, or Restore to put it back in place. Because Locky renames the files it encrypts, look at the previous versions of the folder rather than of the encrypted file: the original file name no longer exists on the live disk, so the .locky file itself has no history.
3) Shadow Explorer
Doing this file by file is slow. The Shadow Explorer application lets you browse each shadow copy as a whole, as if it were a drive, and export entire folder trees at once, which makes restoring a huge number of files much easier. Download it, pick the snapshot dated before the attack, and use its Export feature to copy the folders out.
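As an added example (it is not part of the original post and not code shipped by Windows or by Shadow Explorer), the following PowerShell script does steps 1) to 3) from the command line instead of through the GUI, tied to the infection markers described earlier: it lists the folders that contain a ransom note or .locky files, takes the oldest encrypted file's timestamp as the start of the attack, picks the newest shadow copy older than that, exposes it with mklink and copies the affected folders out to a separate recovery location. The .locky extension and the _Locky_recover_instructions.txt note name are those of the original 2016 variant; later variants changed both, so they are script parameters rather than facts the post states. It must be run from an elevated prompt, because enumerating Win32_ShadowCopy and creating the link require administrator rights.

```powershell
# Added example, not from the original post: triage a Locky infection and pull
# clean copies of user data out of a Volume Shadow Copy that predates it.
# Assumptions (not stated on the page): encrypted files carry the ".locky"
# extension and the drop note is "_Locky_recover_instructions.txt". Later
# variants changed both; adjust -EncryptedExt / -NoteName to match.
# Run from an elevated PowerShell prompt; uses cmd.exe's mklink and robocopy.

param(
    [string]$Volume       = 'C:\',
    [string]$ScanRoot     = 'C:\Users',
    [string]$RecoverTo    = 'D:\recovered',
    [string]$EncryptedExt = '.locky',
    [string]$NoteName     = '_Locky_recover_instructions.txt'
)

# 1. Triage: which folders were hit, and when did the encryption start?
#    Locky leaves a note in every folder it touched, so the note is a marker
#    even where the encrypted files themselves have since been moved.
$notes = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File -Filter $NoteName -ErrorAction SilentlyContinue)
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Extension -ieq $EncryptedExt })

$hit = @(@($notes | ForEach-Object { $_.DirectoryName }) +
         @($encrypted | ForEach-Object { $_.DirectoryName }) | Sort-Object -Unique)
Write-Host ("Folders with ransom notes or encrypted files: {0}" -f $hit.Count)
$hit | ForEach-Object { Write-Host "  $_" }

if ($encrypted.Count -eq 0) {
    Write-Host "No $EncryptedExt files under $ScanRoot; nothing to restore."
    return
}

# The oldest encrypted file marks the start of the attack; any snapshot newer
# than this already holds ciphertext.
$attackStart = ($encrypted | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
Write-Host "Encryption started around $attackStart"

# 2. Find a snapshot of the volume taken before the attack. Locky deletes
#    shadow copies before encrypting, so an empty list here is expected on
#    many victims; then only offline backups remain.
$volId = (Get-CimInstance Win32_Volume |
          Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID
$snapshots = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volId })
if ($snapshots.Count -eq 0) {
    Write-Warning "No shadow copies exist for $Volume (ransomware typically deletes them)."
    return
}

$candidate = $snapshots |
    Where-Object { $_.InstallDate -lt $attackStart } |
    Sort-Object InstallDate -Descending |
    Select-Object -First 1
if (-not $candidate) {
    Write-Warning "Every shadow copy postdates $attackStart and already contains encrypted data."
    return
}
Write-Host "Using shadow copy $($candidate.ID) from $($candidate.InstallDate)"

# 3. Expose the snapshot as a directory. The trailing backslash after the
#    device object path is required; without it the link is unusable.
$mount = Join-Path $env:SystemDrive 'shadow_restore'
if (Test-Path $mount) { cmd /c rmdir $mount | Out-Null }
cmd /c mklink /d $mount "$($candidate.DeviceObject)\" | Out-Null

# 4. Copy the affected folders out of the snapshot to a separate location.
#    Never copy over the live tree: the notes and ciphertext are evidence,
#    and a still-running Locky process would re-encrypt the restored files.
$srcRoot = Join-Path $mount ($ScanRoot.Substring($Volume.Length))
foreach ($dir in $hit) {
    $rel  = $dir.Substring($ScanRoot.Length).TrimStart('\')
    $src  = Join-Path $srcRoot $rel
    $dest = Join-Path $RecoverTo $rel
    if (Test-Path $src) {
        robocopy $src $dest /E /COPY:DAT /R:1 /W:1 /NFL /NDL | Out-Null
    }
}
cmd /c rmdir $mount | Out-Null
Write-Host "Clean copies written under $RecoverTo"
```

Saved as, say, Restore-FromShadow.ps1 (the file name is arbitrary), it is run as .\Restore-FromShadow.ps1 -ScanRoot C:\Users -RecoverTo D:\recovered from an elevated prompt. The recovered tree is written beside the live one rather than over it, so the encrypted files and ransom notes stay available for the scan in step 4) and for anyone who needs to investigate the incident.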
4) Removing the remnants of Locky
Once you are done restoring all your files, perform a full malware scan with up-to-date anti-virus software from a reputable vendor and delete every file of concern the scan reports, so that no trace of the malware remains. Better still, disconnect the machine from the network and run this scan before you restore anything: if a Locky process is still running, it will simply encrypt the recovered files again, and it will also reach any backup drive or network share you connect.
5) Follow a good Cyber Hygiene
Take the lesson and develop good cyber hygiene. Don't fall for spam email campaigns: do not open unexpected attachments, and do not enable macros in a document just because it asks you to. Keep your system protected with up-to-date anti-malware software, and don't browse or download files from unsafe websites. Since Locky deletes shadow copies, also keep regular backups on a drive or service that is not permanently connected to the machine; that is the one recovery method the ransomware cannot wipe. If you don't develop good cyber hygiene, you are preparing yourself to be an easy target for the hackers.