Retooled Locky Ransomware Pummels Healthcare Sector
August 21, 2016
Seid Yassin

Cybercriminals wielding Locky crypto-locking ransomware are continuing to ramp up their assaults, especially in the healthcare sector, with attackers distributing less banking malware and more ransomware, according to new research.

So far this month, several “massive” new phishing campaigns have been launched, targeting victims in multiple industries with Locky ransomware, security researcher Chong Rong Hwa from cybersecurity firm FireEye says in a blog post.

As in recent months, healthcare remains the sector most frequently targeted by Locky ransomware. So far in August, other oft-targeted industries include telecommunications, manufacturing, aerospace/defense, financial services and government agencies, according to FireEye. Organizations in the United States were targeted most often, followed by those in Japan, South Korea, Thailand, Singapore and Germany.

Attackers often focus on healthcare organizations and other firms that have “time-sensitive records,” according to Mark Rasch, security evangelist at Verizon Enterprise Solutions. That’s because even if those organizations are well-prepared to detect, block or recover from a ransomware infection, they may not have the time to do so, and thus may have greater incentives to pay a ransom in exchange for decryption keys.

Locky, which first appeared early this year, has become one of the most prevalent types of ransomware. Its name derives from the .locky extension it appends to encrypted files. Once the ransomware encrypts data on a PC, it typically demands a ransom of between 0.5 and 1 bitcoins ($288 to $577), according to Paul Ducklin, a senior security adviser at security firm Sophos. He says spam emails with Locky attachments often urge recipients to enable macros so that the ransomware can run. “Don’t do it,” he stresses.
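The .locky extension described above is the kind of on-disk artifact a defender can alert on: a legitimate user rarely renames many files to one odd extension within seconds, whereas a crypto-locker does exactly that. The following is an added example, not code from the article or from any vendor quoted in it. It parses a file-audit log in a format constructed for this example (timestamp, host, action, source path, destination path), keeps only renames whose target ends in .locky, and flags any host that produces at least three such renames inside a 60-second window; the thresholds, host names and paths are all assumptions, and a real deployment would replace the parser with one for its actual audit source.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample file-audit lines: "<timestamp> <host> RENAME <src> -> <dst>".
# The format, hosts and paths are invented for this example; real sources
# (file-server audit logs, EDR telemetry) need their own parser.
SAMPLE_LOG = r"""
2016-08-21T09:00:01Z ws-17 RENAME C:\Users\jdoe\Documents\patient_notes.docx -> C:\Users\jdoe\Documents\A1B2C3D4.locky
2016-08-21T09:00:02Z ws-17 RENAME C:\Users\jdoe\Documents\schedule.xlsx -> C:\Users\jdoe\Documents\E5F6A7B8.locky
2016-08-21T09:00:02Z ws-17 RENAME C:\Users\jdoe\Pictures\scan.jpg -> C:\Users\jdoe\Pictures\C9D0E1F2.locky
2016-08-21T09:00:05Z ws-17 RENAME C:\Users\jdoe\Documents\report.pdf -> C:\Users\jdoe\Documents\0A1B2C3D.locky
2016-08-21T09:10:00Z ws-22 RENAME C:\Users\asmith\draft.docx -> C:\Users\asmith\draft_v2.docx
2016-08-21T09:45:00Z ws-22 RENAME C:\Users\asmith\old.txt -> C:\Users\asmith\old.locky
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")
RANSOM_EXT = ".locky"  # the extension the article describes Locky appending


def parse_locky_renames(log_text):
    """Return {host: [(timestamp, src, dst), ...]} for renames whose target ends in .locky."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rename line (or a line in an unexpected format)
        ts, host, src, dst = m.groups()
        if not dst.lower().endswith(RANSOM_EXT):
            continue  # ordinary rename, not interesting here
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[host].append((when, src, dst))
    for host in events:
        events[host].sort()  # sort by timestamp so the sliding window below works
    return dict(events)


def find_bursts(events, threshold=3, window_seconds=60):
    """Flag hosts with at least `threshold` .locky renames inside any window of
    `window_seconds`. Returns {host: (largest_count_in_window, window_start)}.
    A single stray .locky rename (see ws-22 in the sample) is deliberately not enough."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for host, evs in events.items():
        times = [e[0] for e in evs]
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most window_seconds
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = flagged.get(host)
                if prev is None or count > prev[0]:
                    flagged[host] = (count, times[start])
    return flagged


def detect(log_text, threshold=3, window_seconds=60):
    """Convenience wrapper: parse the log and return the flagged hosts."""
    return find_bursts(parse_locky_renames(log_text), threshold, window_seconds)


if __name__ == "__main__":
    for host, (count, start) in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} renames to {RANSOM_EXT} starting {start.isoformat()}Z")
```

On the sample data only ws-17 is flagged (four .locky renames within four seconds); ws-22's single .locky rename stays below the threshold, which is the trade-off a burst detector makes between catching an encryption run early and paging on every odd filename. Tune the threshold and window to the file-activity baseline of the hosts being monitored.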

It’s not clear who created Locky, although some security experts suspect it’s the work of whoever created the Dridex banking Trojan and that the culprits are most likely Russian. Security firm Symantec says that Locky and Dridex have in some cases been distributed by the same spam affiliate group.

Source | healthcareinfosecurity