Cybersecurity researchers at Cisco Talos have observed a surge in emails distributing Locky, with over 35 thousand emails sent in just a few hours. This surge in distribution is being attributed to the Necurs botnet, which until recently focused on spamming pump-and-dump stock market scams.
This time, however, the Locky campaign is harnessing an infection technique associated with the Dridex botnet, in an effort to boost the chance of compromising targets.
As noted by cybersecurity researchers at PhishMe, this new form of Locky begins by using a familiar tactic — a phishing email with an attached file that the message claims is a document detailing a payment, or scanned documents. But rather than the more common practice of attaching a compromised Office document, an infected PDF is sent instead.
There is the constant struggle to protect as much as you can from these menaces, whilst keeping end users happy; unfortunately, a lot of users don’t see it as their problem or think it will never happen to them.
Sadly, I’ve been hit twice. Once I was not prepared for it and it crippled me for about a week; thankfully backups got me up and running again, I just needed to locate the source of the infection and kill it before restoring, or it would have been pointless to do so. The second time I was prepared, and several attempts by the infection to kidnap my data were thwarted thanks to some cunning software.
No matter how many times you tell people not to open suspicious emails, they still strive head on; end users are just too inquisitive, they just need to open everything, forgoing any rational thought or consequence.
I’d like to block every single attachment, but I can’t, so I block anything that is macro enabled or executable, and with PDFs once again being targeted it’s going to get much harder.
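The policy described above (block anything macro-enabled or executable, and now take a harder look at PDFs) can be expressed as a small gateway triage routine. The code below is an added illustration, not the author's own tooling or any vendor's product; the extension lists, the OOXML/PE content checks and the set of PDF active-content markers (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile, /RichMedia) are assumed, widely used heuristics rather than anything the article specifies, and the sample attachments are constructed inline.

```python
"""Attachment triage for a mail-gateway policy (added example, not from the article).

Block macro-enabled Office files and executables outright, check content as well
as extension so renamed files do not slip through, and quarantine PDFs that carry
active or embedded content. Lists and markers below are assumed heuristics.
"""
import re
from dataclasses import dataclass

# Extensions the policy blocks outright (assumed lists).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".jse", ".vbs", ".wsf", ".hta", ".ps1"}

# PDF name objects that indicate active or embedded content (assumed heuristic set).
PDF_ACTIVE_MARKERS = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile|RichMedia)\b")


@dataclass
class Verdict:
    filename: str
    action: str   # "block", "quarantine" or "allow"
    reason: str


def _ext(filename: str) -> str:
    """Last extension, lower-cased, so 'invoice.pdf.exe' is judged as '.exe'."""
    lowered = filename.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot >= 0 else ""


def triage_attachment(filename: str, data: bytes) -> Verdict:
    ext = _ext(filename)
    if ext in MACRO_EXTENSIONS:
        return Verdict(filename, "block", "macro-enabled Office document")
    if ext in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, "block", "executable/script extension")
    # Content checks: never trust the extension alone.
    if data.startswith(b"MZ"):
        return Verdict(filename, "block", "PE executable header despite extension " + (ext or "(none)"))
    # OOXML is a zip; the central directory lists member names in clear text,
    # so a VBA project shows up as 'vbaProject.bin' whatever the file is called.
    if data.startswith(b"PK") and b"vbaProject.bin" in data:
        return Verdict(filename, "block", "OOXML container with VBA project")
    if data.startswith(b"%PDF"):
        match = PDF_ACTIVE_MARKERS.search(data)
        if match:
            return Verdict(filename, "quarantine", "PDF with active content: /" + match.group(1).decode())
        return Verdict(filename, "allow", "PDF without active-content markers")
    return Verdict(filename, "allow", "no policy match")


# Constructed sample attachments (not real campaign samples).
SAMPLE_ATTACHMENTS = {
    "scan_0042.pdf": (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction "
                      b"<< /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n%%EOF"),
    "payment_details.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF",
    "invoice.docm": b"PK\x03\x04 constructed zip bytes",
    "report.docx": b"PK\x03\x04 constructed zip bytes word/vbaProject.bin",
    "photo.jpg": b"MZ\x90\x00 constructed PE bytes",
    "notes.txt": b"plain text, nothing to see",
}


def triage_all(attachments=None) -> dict:
    """Run the policy over a mapping of filename -> bytes; defaults to the samples."""
    attachments = SAMPLE_ATTACHMENTS if attachments is None else attachments
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for verdict in triage_all().values():
        print(f"{verdict.action:10s} {verdict.filename:22s} {verdict.reason}")
```

The two PDF samples show the distinction the policy needs: a plain document is allowed, while one that declares an /OpenAction is quarantined for a human to look at rather than silently dropped, which keeps legitimate scanned invoices flowing while still stopping the auto-executing ones at the gateway.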
If it was down to me, I’d fine members of staff or get HR involved for disciplinary action. End users need to take responsibility for the safety of the organisation’s data; as an I.T. professional I can do my part (subject to funding), and end users need to do theirs.