2016: Year of the ransomware attacks

Ransomware emerged in 2016 as the most notorious and damaging category of cybercrime, hitting enterprises as well as small and medium-sized businesses. It was also the year of the most successful attacks on you, the individual user, with cybercriminals focused on taking your data hostage and holding it for ransom.

Unfortunately, there is no specialized rescue unit to swoop in and save you from online criminals and their ransomware cyberattacks.

Ransomware is a relatively new category of malicious software that encrypts files on the infected computer, on attached drives and, in many cases, on any network shares the computer can write to. Once the encryption completes, the victim can no longer open their data, including photos, documents and any other files on the targeted drives or enterprise file systems.

When the encryption process is complete, the cybercriminals demand payment of a ransom. In theory, if the targeted user or company pays, they receive the decryption key and a program that restores their files. As with any ransom demand, there is no guarantee that you receive the decryptor, or that it works correctly on all of your files.

Among the most virulent ransomware unleashed in 2016 were Locky and Mamba (also known as HDDCryptor). In a recent, highly publicized Mamba attack, cybercriminals infected and took over the enterprise computer systems used to run San Francisco's public transport system.

The attack forced the San Francisco Municipal Transportation Agency (SFMTA) to open the fare gates and allow passengers to ride for free.

Cybersecurity Ventures predicts global annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and damage to reputations and brand.

As eye-popping as these estimates are, they are just the tip of the iceberg. The worldwide cyberdamage estimates do not include unreported cybercrimes. They also don’t include ancillary damages such as legal and public relations fees, declines in stock and public company valuations directly and indirectly related to security breaches, interruptions to e-commerce and other digital business transactions, loss of competitive advantage, and ongoing cybercriminal investigations to trace stolen data and money.

Ransomware is now one of the three most common cybercrime threats and the total cost of damages related to these attacks is set to top $1 billion in 2016, with Locky the most prevalent family of ransomware.

Locky ransomware iterations

Locky succeeds by combining stealthy delivery, a very large attack surface (mass email campaigns reaching millions of inboxes) and aggressive extortion. Since Locky appeared early in 2016, the security community has observed that the cybercriminals typically demand a ransom of around half a bitcoin (about $365 at the time) from individual users for the key needed to recover their files.

According to the Israeli security firm Check Point, Locky previously relied on malicious macros embedded in Word documents attached to spam and spear-phishing emails. However, Check Point says that recently there has been a "massive spread of the Locky ransomware via social media," particularly Facebook and LinkedIn.

According to Check Point, flaws in how the two social networks handle uploaded images allow a maliciously crafted image file to be pushed to a user's computer as a download. A user who notices the download and then opens the file executes the code it carries, which installs Locky on the computer. The lesson for users is that a file arriving through a trusted platform is still an untrusted file: opening it is what triggers the infection.

In the analysis of the most recent iteration of the Locky attack vector, Check Point went on to note, “As more people spend time on social networking sites, hackers have turned their focus to finding a way into these platforms.” The attackers are taking advantage of our weakest link yet again. “Cyber criminals understand these sites are usually ‘whitelisted,’ and for this reason, they are continually searching for new techniques to use social media as hosts for their malicious activities.”

Decoding Locky

When Locky takes over your system, the malware renames every encrypted file to a unique 16-character string of letters and digits and appends a new extension; extensions observed to date include .aesir, .shit, .thor, .locky, .zepto and .odin. The renaming is deliberate: once the original names are gone, the victim can no longer tell which encrypted file corresponds to which document. Locky uses a hybrid scheme, encrypting file contents with AES-128 and protecting the AES key with RSA-2048 (the ransom note itself names these two ciphers; there is no such thing as "AES-1024"). The matching RSA private key never leaves the cybercriminals' remote servers, so without it, or without a backup, the files cannot be decrypted.


After encrypting the target files, Locky drops a text and an HTML copy of the ransom note (_HELP_instructions.txt and _HELP_instructions.html, or _WHAT_is.html, depending on the variant) in each folder containing encrypted files. It also replaces the desktop wallpaper with an image of the same note. The notes and wallpaper carry the same message informing the victim of the encryption. It states that the files can only be decrypted with a decryptor controlled by the cybercriminals, at a cost of one-half bitcoin.

To proceed, the victim must install the Tor browser and follow a link provided in the notes. The website gives step-by-step payment instructions. During the attack, Locky also deletes the Volume Shadow Copies (typically with vssadmin Delete Shadows /All /Quiet), so the Windows "Previous Versions" feature cannot be used to roll files back. At the time of writing, no tool can decrypt Locky-encrypted files without the attackers' private key. The only recovery option if you are taken hostage is to restore your files from a backup, which means the backup must exist before the attack, be kept somewhere the infected machine cannot overwrite, and be tested regularly.
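The file renaming, ransom notes and shadow-copy deletion described above are the host-level indicators a responder or detection engineer would actually look for. The following Python script is an added example, not code from the original article or from Check Point: it checks a directory listing and a list of process command lines against those indicators. The sample file paths and command lines are constructed for the example, the assumption that the renamed stem is exactly 16 letters and digits follows the description above, and the wmic form of shadow-copy deletion is included as a known equivalent even though the text only mentions shadow copies being removed.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# File extensions and ransom-note names that the text above reports for Locky.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".thor", ".aesir", ".shit"}
RANSOM_NOTES = {"_help_instructions.txt", "_help_instructions.html", "_what_is.html"}

# Assumption: the renamed file stem is a 16-character run of letters and digits,
# as described above. A legitimate "report.thor" would not match this, which
# keeps the extension check from firing on ordinary files.
RENAMED_STEM = re.compile(r"^[0-9A-Za-z]{16}$")

# Command lines that remove Volume Shadow Copies. vssadmin is the form the text
# describes; the wmic form is an equivalent that is worth catching as well.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]


def classify_path(path: str) -> Optional[str]:
    """Return 'encrypted_file', 'ransom_note' or None for one Windows path."""
    name = ntpath.basename(path)  # ntpath handles backslashes on any host OS
    if name.lower() in RANSOM_NOTES:
        return "ransom_note"
    stem, ext = ntpath.splitext(name)
    if ext.lower() in LOCKY_EXTENSIONS and RENAMED_STEM.match(stem):
        return "encrypted_file"
    return None


def scan_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket every path that matches a Locky file indicator."""
    hits: Dict[str, List[str]] = {"encrypted_file": [], "ransom_note": []}
    for path in paths:
        kind = classify_path(path)
        if kind is not None:
            hits[kind].append(path)
    return hits


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if a process command line deletes Volume Shadow Copies."""
    return any(pattern.search(cmdline) for pattern in SHADOW_DELETE_PATTERNS)


def assess(paths: Iterable[str], processes: Sequence[Tuple[str, str]]) -> Dict[str, object]:
    """Combine file and process indicators into a simple verdict.

    Each indicator class counts once. Two or more together are treated as a
    confident match, because a stray extension or a single note-like file on
    its own can have an innocent explanation.
    """
    hits = scan_listing(paths)
    shadow_deletions = [cmd for _, cmd in processes if is_shadow_copy_deletion(cmd)]
    score = sum(
        1 for present in (hits["encrypted_file"], hits["ransom_note"], shadow_deletions) if present
    )
    if score >= 2:
        verdict = "likely Locky activity"
    elif score == 1:
        verdict = "single indicator, investigate"
    else:
        verdict = "no Locky indicators"
    return {
        "score": score,
        "verdict": verdict,
        "encrypted_files": hits["encrypted_file"],
        "ransom_notes": hits["ransom_note"],
        "shadow_copy_deletions": shadow_deletions,
    }


# Constructed sample data (not from a real infection): a directory listing and
# (process name, command line) pairs as an EDR or Sysmon feed might supply them.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\4F0A1B2C3D4E5F60.locky",
    r"C:\Users\alice\Documents\_HELP_instructions.html",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\A1B2C3D4E5F60718.zepto",
    r"C:\Users\alice\Pictures\_WHAT_is.html",
    r"C:\Users\alice\Pictures\report.thor",
]
SAMPLE_PROCESSES = [
    ("winword.exe", r'winword.exe /n "C:\Users\alice\Downloads\invoice.docm"'),
    ("vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    result = assess(SAMPLE_FILES, SAMPLE_PROCESSES)
    print(result["verdict"], "(score", result["score"], ")")
    for key in ("encrypted_files", "ransom_notes", "shadow_copy_deletions"):
        for item in result[key]:
            print(f"  {key}: {item}")
```

The shadow-copy check is the indicator worth alerting on by itself in most environments: legitimate administrators rarely run vssadmin Delete Shadows, and it fires before the file-level evidence accumulates, which is the point at which disconnecting the machine still saves unencrypted files.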

Fighting back with cybersecurity

A recent study from IBM Security and IBM's Institute for Business Value, based on a global survey of C-suite executives at large corporations, found that only 57 percent of chief human resource officers report having rolled out employee training that addresses cybersecurity. Cybersecurity Ventures expects that number to rise sharply over the next five years as employee education programs become a fundamental cyber defense strategy by 2021.

Training employees on security will immediately bolster the cyber defenses at most companies. Lawrence Pingree, Research Director at Gartner, notes that the bulk of data breaches exploit employees’ knowledge gaps “to social engineer them to install malware or give away their credentials.”

There is no guarantee that your files will be decrypted even after paying the ransom; the decryptor may never arrive, or may fail on some files. By paying, you also fund the criminals' next campaign. Paying, or contacting the criminals at all, should be an absolute last resort, taken only when there is no backup and no other recourse.

Bear in mind that ransomware such as Locky is also distributed through fake software updates, P2P file-sharing networks, malicious email attachments and trojanized downloads. It is extremely important to keep installed software up to date, to double-check what you are downloading, to leave Office macros disabled unless you know exactly why a document needs them, and to use caution when opening attachments from unexpected senders. Run a legitimate, up-to-date antivirus suite, and treat any file pushed to you through a social media network as untrusted until proven otherwise. Above all, keep backups that the infected machine cannot reach, because a tested offline backup is the one recovery path the attackers cannot take away.

Don’t become a hostage to cyber crime in 2017!

Photo Credit: Flickr/Christiaan Colen
