Reported March 1, 2016, by Gary Drost of Pioneer Consulting

Please read this and pass the information along to staff members.  This is a particularly damaging viral infection.

You may have heard about the local hospital that paid $17,000 in bitcoin ransom to decrypt their computer system files after being infected by the LOCKY ransomware virus.  This is a very rapidly evolving piece of ransomware and I have started to see it show up in emails locally.  Here is what you need to know:

  • It is currently being delivered via email with a document attachment (I say currently, but the delivery method may change over time)
  • The email may reference an invoice, IRS notice or something similar to entice you to open the attachment.
  • The emails are very well crafted and targeted.
  • The attached document has a built-in macro that, if enabled, will communicate back to a command and control center to download the virus to your PC.
  • Note that if your Microsoft Word program currently uses a plug-in that requires it to accept all macros, this will occur without any intervention from you if you open the document!
  • Once your PC is infected, the virus will start encrypting everything it can access.  This includes all network locations you are mapped to, any other network shares that can be accessed whether or not you map to them, other PCs on the network it can access, all your Dropbox files, OneDrive (Microsoft’s version of Dropbox) files, and other similar file storage options.
  • It will also attempt to encrypt any backup files and remove any “shadow copies” so that files cannot be easily restored.
  • Encrypted files will have a long, random name followed by a “.locky” extension.
  • Once encryption has happened, it will display a message stating such and requesting a ransom to be paid to get the key to unlock your files.

The payload for this virus is changing so rapidly that anti-virus programs are having a very difficult time detecting the messages and blocking them.
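Because the payload changes faster than signatures do, a mail filter can instead key on the delivery method described above: an attached Office document that carries a macro. The sketch below is an added example, not part of the original notice; the function names and the sample message are constructed for illustration, and it uses only the Python standard library.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container

def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'legacy-office' or 'clean' for one attachment body."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office file: it may hold macros, so flag it for review.
        return "legacy-office"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "clean"
        # Modern Office files (OOXML) store VBA macros in vbaProject.bin.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "macro"
    return "clean"

def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """List (filename, verdict) for every attachment that is not clean."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        verdict = classify_attachment(part.get_payload(decode=True) or b"")
        if verdict != "clean":
            findings.append((part.get_filename() or "(unnamed)", verdict))
    return findings

def build_sample() -> bytes:
    """Constructed test message: one macro-bearing document, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not VBA")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docm")
    msg.add_attachment(b"hello", maintype="text", subtype="plain",
                       filename="note.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name}: {verdict}")
```

A message flagged this way can be quarantined for review instead of delivered; the check looks at file content, so renaming the attachment does not change the verdict.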

Bottom line…

  • If you receive a message that comes from someone you don’t expect and has either a link or attachment in it, do not click on the link or open the attachment – even briefly!
  • Just delete the message if you suspect it is malicious.
  • If it is from someone you know but you don’t expect it or if it appears suspicious, contact that person separately, via phone for instance, rather than interacting with the email message.
  • Email is a great business tool.  It is also a great delivery system for infections like this.  You must be discerning when dealing with emails you receive and follow up with the sender if it looks suspicious.
  • If you do receive one of these messages and act on it, there is NO grace – click on it and you will get infected and start the process of file encryption on the network.



Pioneer Consulting Services, Inc.
Cell: (360) 739-2491