You, your endpoints and the Locky virus

On Monday a new ransomware appeared called Locky. I wrote about it here. Since it appeared antivirus has struggled to keep up, generally taking over 24 hours to add detection for each new daily version. In short, antivirus is dead; long live antivirus.

People looking to recover their network should head to the prior link.

Infiltrating and monitoring Locky network

I am able to intercept Locky traffic. Here is a live view of that traffic. Each “egg” represents a successfully encrypted endpoint PC. I’ve written before about how your endpoints are the new DMZ and that endpoint security is broken.

Traffic today has varied between 1 new endpoint each second, to up to 5 per second. I estimate by the end of the day well over 100,000 new endpoints will be infected with Locky, making this a genuine major cybersecurity incident — 3 days in, approximately a quarter of million PCs will be infected.

Intercepting Locky

Global spread

The deployment of Locky was a masterpiece of criminality — the infrastructure is highly developed, it was tested in the wild on a small scale on Monday (ransomware beta testing, basically), and the ransomware is translated into many languages. In short, this was well planned.

One hour of infection stats
Credits to Matthew Mesa — Locky in lots of languages
Google searches for “Locky” since Monday

Measuring the impact

Locky contains code to spread across network drives, allowing the potential to impact large enterprises outside of individual desktops.

Indeed, my prior page about Locky is by far the most popular article I’ve ever written online and I’ve been flooded with emails from IT staff asking for help. I’ve received Twitter impressions of over half a million this week from talking about this. Many organisations are simply paying for the decrypter, which is basically paying your hostage takers for freedom. It’s also worth noting that many of the IP addresses hitting the monitor are behind NAT addresses at large companies, many in the US; this clearly caught people out.

Endpoint security

Having your endpoints fully Windows and Office patched, antivirus software installed, behind a firewall and with Malwarebytes Anti-Ransomware (in beta) likely wouldn’t have protected you if you allowed users to open macros and didn’t have application whitelisting correctly configured.

MessageLabs, Google Mail, Office 365 and hosted Exchange all delivered the Word documents.

Malwarebytes have since added protection, and antivirus companies are trying to catch up. But the reality is the game has changed.