We’ve all heard of hospitals being hit by highly contagious viruses such as the norovirus, but what about the ‘Locky’ virus that is spreading at an alarming rate in the US?

This new variation of the Cryptolocker ransomware is effecting a staggering 60,000 users per day, the majority in the US and Germany, but UK businesses have been warned to take precautions.

The Cost Of ‘Locky’ Virus To Organisations

Of the many Locky victims in the US, four are hospitals resulting in one declaring an ‘Internal State of Emergency’ forcing the hospital to shut down all their desktop computers and bring them back up one by one, having scanned them individually for the virus, and restoring data with backups. According to the BBC another infected hospital, Hollywood Presbyterian Medical Centre, paid $17,000 to criminals in order to recover their files.

Disruption to networks and systems, downtime, loss of data and the time it takes to recover from a virus attack, are all significant factors when assessing the cost of a cyber attack like this. Of course, the financial implications can be significantly more if an organisation decides they have to pay the ransom.

What Does Locky Do?

Locky is so called because having scrambled files it places a .locky extension and demands a ransom in exchange for the key to unlock the encrypted files. Once introduced to a PC or server, the virus can quickly cripple an entire network. It even changes your wallpaper so that you have a clear set of instructions on how to pay the crooks their ransom.

With cyber security experts estimating that Locky virus releases over 4 million infected emails a week, the virus has almost certainly begun wreaking havoc this side of the Atlantic, and many UK businesses are thought to be unprepared.

While the Hollywood Presbyterian Medical Centre pay out was higher than average, typically criminals are demanding between 0.5 and 4 Bitcoins (approximately £150 and £1200), unless you want to pay the ransom you will need to restore all your data to the point before the virus was introduced.

This means you will need current data backups and ideally a disaster recovery system to restore. The hospital that declared an ‘Internal State of Emergency’ initiated emergency response plans designed for natural disasters such as a tornado strike.

Of course, if you haven’t got the backups then you will have no option but to pay the ransom.

How does Locky get in?

It’s important to understand how viruses like Locky can get in, not just for the IT team but for other members of staff too. Therefore I would suggest that you copy the information below, or share this blog post, with those members of staff who may be vulnerable.

The most common way that Locky arrives is as follows:

  • You receive an email containing an attached document (Troj/DocDl-BCF).
  • The document looks like gobbledegook.
  • The document advises you to enable macros “if the data encoding is incorrect.”
  • If you enable macros, you don’t actually correct the text encoding (that’s a subterfuge); instead, you run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the crooks.
  • The final payload could be anything, but in this case is usually the Locky Ransomware (Troj/Ransom-CGW).

The following best practice tips will help protect your business and IT network from all kinds of cyber attack and is relevant to both the IT team and other employees.

Prevention is always better than cure

  • Backup regularly and keep a recent backup copy off-site
  • Don’t enable macros in document attachments received via email (A lot of malware infections rely on persuading you to turn macros on, so don’t do it!)
  • Be cautious about unsolicited attachments
  • Don’t give yourself more login power than you need (Most importantly, don’t stay logged in as an administrator any longer than you need to)
  • Consider installing the Microsoft Office viewers(Viewer applications let you see what documents look like without opening them
  • Keep security patches up to date

Most businesses I speak to have some kind of data backup, but many of them simply aren’t prepared for a disaster, whether it’s a virus, mechanical failure or fire or flood. Disaster recovery plans are essential for business continuity and therefore needs a holistic approach, from the Board down.

Often it’s left to IT managers or operations managers to devise disaster recovery plans for the IT estate. While these precautions may work up to a point, they don’t always take into account all the variables within an organisation and therefore may not be viable in a disaster.

To find out more about disaster recovery plans, and to get an instance overview of your organisation’s risk using our business continuity assessment tool, click here.