I didn’t know what this was until earlier this week when a friend called and asked if I could come and take a look at his machine (he mentioned something about ransomware, but little else). I’ve been hearing more about ransomware in the news attacking hospitals and the like, but I personally have not had direct contact with one of these, so I figured I’d jump in with both feet and see what it was all about.
Basically I came in and looked at the machine and saw a bunch of files renamed to hex with the extension .locky. These are files that are encrypted and contained his important information. There was also a text file that directed me to a web site asking us to pay money, and we were given a key to input into the web site. See this web site for WAY more info than you might want, but great info nonetheless.
In short, to recover, I performed a system restore to a date before the attack occurred and I used Shadow Explorer to locate files that had been impacted. Luckily they were still present, so using Shadow Explorer I exported them to a new directory and we were good. We went to each of the directories that contained .locky files and exported the saved files out (I had him validate that the files’ contents were unaltered, and he said they looked fine). He was thankful and I was happy for him because he looked pretty stressed, as you can imagine. BitDefender and HitmanPro were on the machine but did nothing to protect it from this variant. I used Avast and McAfee Stinger to try and detect anything else wrong with the system, but they came back clean. I would have thought that maybe the AV products might give some sort of warning when they saw the .locky files (e.g. "Locky files have been detected on your system; it’s possible you are impacted by ransomware", insert suggestions here). Instead they were silent and passed their scans. I was happy to see them pass and that his machine was not further impacted, but kind of surprised, in a way.
I sure hope none of you are hit by this (or any) ransomware. These things are downright nasty.
Recently, CERT released this warning on ransomware.
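The post wishes the AV products had at least flagged the renamed files. The following is an added example, not part of the original post or any product mentioned in it: a small Python triage script that applies the one indicator the post describes (hex-named files with a .locky extension), counts them per directory, and emits the kind of warning the author wanted. The 16-hex-digit floor, the sample file listing and the verdict text are all constructed assumptions.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# Assumed pattern built from the post's description: basename is a run of hex
# digits, extension is .locky. The 16-digit floor avoids matching short ordinary names.
LOCKY_FILE = re.compile(r"^[0-9A-Fa-f]{16,}\.locky$")

# Constructed sample listing (not the friend's real machine) mixing normal files
# with Locky-style names in two user directories.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\budget.xlsx",
    r"C:\Users\bob\Documents\D1C8B3E4A2F0091B.locky",
    r"C:\Users\bob\Documents\0A1B2C3D4E5F6789.locky",
    r"C:\Users\bob\Pictures\holiday.jpg",
    r"C:\Users\bob\Pictures\FFEEDDCCBBAA9988.locky",
    r"C:\Windows\System32\kernel32.dll",
]

def split_path(p: str) -> Tuple[str, str]:
    """Split on either / or \\ so Windows and POSIX listings both work."""
    m = re.match(r"^(.*)[\\/]([^\\/]+)$", p)
    return (m.group(1), m.group(2)) if m else (".", p)

def is_locky_name(name: str) -> bool:
    """True if a bare filename looks like a Locky-encrypted file."""
    return LOCKY_FILE.match(name) is not None

def triage(paths: Iterable[str], min_hits: int = 1) -> Dict[str, object]:
    """Count suspicious files per directory and return a verdict plus the evidence."""
    per_dir: Counter = Counter()
    for p in paths:
        parent, name = split_path(p)
        if is_locky_name(name):
            per_dir[parent] += 1
    impacted = {d: n for d, n in per_dir.items() if n >= min_hits}
    total = sum(impacted.values())
    verdict = ("LOCKY FILES DETECTED: possible ransomware; isolate the host and "
               "check shadow copies before rebooting") if total else "clean"
    return {"impacted_dirs": impacted, "total_locky_files": total, "verdict": verdict}

def scan_tree(root: str) -> Dict[str, object]:
    """Walk a real directory tree (e.g. a mounted backup image) and triage it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Running it on a live system is a point-in-time check of names only; it does not prove the files are encrypted, so treat a hit as a reason to pull the machine offline and go to the shadow copies, as the post did.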