Latest cybersecurity threat, 'Locky,' spreads faster than any other virus

Ransomware preys on human error, expert says.
By Jessica Davis
10:03 AM

The recent ransomware attack on Hollywood Presbyterian Medical Center, if nothing else, shed light on an increasingly important topic: the role of human error in health data security. The bad news is, we won't be seeing an end to this type of cybercrime anytime soon.

The same week the Hollywood Presbyterian attack was making headlines around the world, another species of ransomware – aptly named "Locky" – was first observed in the wild.

It's a straightforward virus, delivered via an email attachment disguised as a Microsoft Word invoice. It preys on human instincts, asking users to enable macros that, once installed, encrypt valuable files, holding them hostage.

The email subject line reads: "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice."

The document, when opened, appears garbled. It instructs users to activate macros to make the text readable. Once that happens, the malware executes.

Locky creates a lock screen that displays a timer notifying the user of how much time is left until the ransom must be paid and explains that, although the computer is still usable, the files are encrypted, said Kevin Epstein, vice president of the Threat Operations Center at Proofpoint, a cybersecurity company. The user also can't determine which files are affected.

When the ransom is paid, the keys to decrypt the files encrypted by Locky are released. But if the ransom isn't paid, the key will supposedly disappear, and with it the encrypted files.

"These are sophisticated levels of encryption," Epstein said.

Proofpoint first observed the Locky ransomware on Feb. 16. While ransomware variants have appeared since 2015, Locky is different, as it's delivered by the same actor behind many of last year's Dridex phishing campaigns and spreads faster than any other virus out there, he said.

Cyber criminals will honor their "code" and release data after the payment, as it sets a precedent for future crimes, Epstein said, noting that some will even offer customer support to ensure the transaction goes smoothly.

And the organizations pay, as it's more cost effective than trying to rebuild a system, regain data or even maintain an institution's reputation.

However, protection against Locky and other types of ransomware isn't such a smooth process.

"One of the simplest and yet hardest ways to protect against ransomware is two words: 'Don't click,'" Epstein said. "On the one side, it sounds simple. That said, we're innately curious beings and thousands of years of evolution has rewarded curiosity."

"It's crucial to not rely on humans: We all will click," he added. "Statistically, everybody clicks."

It's simple to tell someone to go and do their work and avoid suspicious emails, but in the midst of a busy environment with hundreds of thousands of emails, it's hard to notice the one small, suspicious email slipped in, Epstein said.

He advises institutions to implement a security system that examines email and social traffic for suspicious activity to weed out what's hostile and other items that shouldn't go through to the inbox.

He warns, however, that "antispam won't help you, as it doesn't help with suspicious characters: You need a different layer of protection."

"There will absolutely be more attacks like this because these criminals are financially motivated," Epstein said. "I personally don’t want to invoke the boogeyman; this isn’t about saying don’t touch a keyboard again. The goal is to not make it easy for a potential criminal; let's engage in the same degree of caution as with our personal property."
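
A mail-inspection layer of the kind Epstein recommends can start with the delivery vector described above: a Word attachment that carries macros. The following is an added example, not code from the article or from Proofpoint; the function names and the sample message are constructed for illustration, and the legacy .doc test is a byte-search heuristic rather than a full OLE parser.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy .doc container signature
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # stream name kept in the OLE directory

def has_macros(data: bytes) -> bool:
    """True if a Word file carries a VBA project or cannot be inspected."""
    if data.startswith(OLE_MAGIC):
        # OLE directory entry names are stored as uncompressed UTF-16LE text.
        return VBA_STREAM in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return True  # fail closed: an unreadable archive is quarantined too
    return False

def macro_attachments(raw: bytes) -> list[str]:
    """Return the filenames of attachments a gateway should quarantine."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if has_macros(data):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def _zip(names):
    """Constructed sample: a minimal archive with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"x")
    return buf.getvalue()

def sample_message() -> bytes:
    """Constructed test mail; none of the attachments is a real document."""
    m = EmailMessage()
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    files = {"invoice.docm": _zip(["word/document.xml", "word/vbaProject.bin"]),
             "notes.docx": _zip(["word/document.xml"]),
             "invoice.doc": OLE_MAGIC + b"\0" * 64 + VBA_STREAM}
    for name, data in files.items():
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()
```

The check keys on file content rather than the extension, so a macro-bearing document renamed to .docx is still flagged.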

Twitter: @JessiefDavis
