Email Ransomware Alert (Locky)

A new variant of crypto-ransomware, dubbed "Locky", has recently been discovered and is spreading via email in the form of a Word document attachment with malicious macros.

The ransomware encrypts files on a victim's computer, adds a ".locky" file extension to them and demands that the victim pay a ransom for the decryption key.

E-mails with this type of ransomware may have a subject line similar to "ATTN: Invoice J-68284917" and a message such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice."

Once the Word attachment is opened, users see scrambled content and are asked to enable macros as shown below:

[Screenshot: Word document showing scrambled content and a prompt to enable macros]

If macros are enabled, the malware spreads and encrypts files of nearly all formats, including files on USB keys and network shares. Once the encryption is complete, users receive the following message:

[Screenshot: Locky ransom message]

If you have become infected with the Locky ransomware, you should immediately disconnect your computer from the network and contact your local IT support or the UIT Helpdesk at x55800 (askit@yorku.ca).
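For mail administrators, the lure described above (an invoice-style subject line plus a Word attachment that can carry macros) can be triaged on a saved message before a user opens it. The Python sketch below is an added example, not part of the original alert: the subject regex is an assumed generalisation of the one sample subject quoted above, the function names are hypothetical, and the sample message is constructed with an empty stub attachment.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Subject shape from the alert's sample; generalising the digits is an assumption.
SUBJECT_RE = re.compile(r"ATTN:\s*Invoice\s+J-\d+", re.IGNORECASE)
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc container

def may_carry_macros(data: bytes) -> bool:
    """True if the attachment bytes are a Word container that can hold VBA."""
    if data.startswith(OLE_MAGIC):
        return True  # legacy .doc: macros cannot be ruled out without OLE parsing
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            # OOXML files store macros in a vbaProject.bin part
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        findings.append("subject matches invoice lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        if may_carry_macros(part.get_payload(decode=True) or b""):
            findings.append(f"macro-capable attachment: {name}")
    return findings

def build_sample(with_macro: bool) -> bytes:
    """Constructed test message; the attachment is an empty stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"stub")
    m = EmailMessage()
    m["Subject"] = "ATTN: Invoice J-68284917"
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                     filename="invoice.docm" if with_macro else "invoice.docx")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample(True)))
```

A match on both checks is a reason to quarantine the message for review; either check alone will also fire on legitimate invoices and macro-enabled documents.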