The Crypto Trojan Locky is raging in Germany: About 5,000 infections per hour

Original source: (German)

The new ransomware Locky is apparently finding massive numbers of victims right here in Germany, including the renowned Fraunhofer Institute. Meanwhile, the perpetrators have taught themselves German to make the extortion even more plausible.

The blackmail Trojan Locky is spreading especially rapidly in Germany: about 5,000 new infections per hour, according to security researcher Kevin Beaumont. The Netherlands and the United States follow at some distance in the list of most affected countries. Beaumont managed to tap into the ransomware's data stream by registering one of the domains through which Locky tries to contact its command-and-control servers.

Blackmail Trojan Locky speaks German
Anyone infected by Locky finds a clear message left by the ransomware on their desktop.

Locky speaks German

Meanwhile, Locky's developers have taught themselves German. Anyone infected in Germany now sees a perfectly written German ransom note. The Windows-based Trojan even changes the desktop background image after encrypting the data, which underlines the demand considerably.

Fraunhofer-Institut infected

According to dpa, one of the victims in this country is the renowned Fraunhofer Institute in Bayreuth. There, Locky encrypted the files on a central server on Wednesday afternoon and rendered it unusable. As a result, around 60 PCs and workstations failed. An IT expert at the institute suggested that the malware got in via one of the workstations in the network.

Network shares and cloud storage

The blackmail Trojan Locky encrypts not only files on the infected computer but also everything reachable over the network. According to BleepingComputer, the Trojan even reaches network shares that are not currently mapped on the system. Locky does not stop at cloud storage either: when folders of the infected computer are synced to the cloud, the originals stored online are automatically replaced with the encrypted versions.
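Because the damage described above shows up on a file server as a burst of freshly rewritten, unreadable files, one defender-side check is to scan a share for recently modified files whose content looks like ciphertext. The following script is an added example and not code from the article or from any of the researchers it quotes; the entropy threshold, the time window and the sample files are assumptions constructed for the demonstration. Random bytes stand in for encrypted content, and formats that are compressed by design (zip, docx, jpg) are skipped because they are high-entropy even when untouched.

```python
import math
import os
import tempfile
import time
from pathlib import Path

# Thresholds are assumptions chosen for this example, not values from the article.
HIGH_ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext sits close to the 8.0 maximum
RECENT_WINDOW_SECONDS = 600     # only look at files touched in the last 10 minutes
SAMPLE_BYTES = 4096             # the first 4 KiB is enough to tell text from ciphertext
# Formats that are compressed by design and therefore high-entropy even when untouched.
COMPRESSED_SUFFIXES = {".zip", ".docx", ".xlsx", ".pptx", ".jpg", ".png", ".gz", ".7z"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_share(root, now=None, window=RECENT_WINDOW_SECONDS,
               threshold=HIGH_ENTROPY_THRESHOLD):
    """Return sorted (relative path, entropy) pairs for recently modified,
    high-entropy files whose format is not expected to be compressed."""
    now = time.time() if now is None else now
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() in COMPRESSED_SUFFIXES:
            continue
        if now - path.stat().st_mtime > window:
            continue        # old file: not part of a burst happening right now
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        ent = shannon_entropy(head)
        if ent >= threshold:
            hits.append((path.relative_to(root).as_posix(), round(ent, 2)))
    return sorted(hits)


def build_constructed_share():
    """Create a throwaway directory with constructed sample files: one plaintext
    invoice, one freshly 'encrypted' document (random bytes standing in for
    ciphertext), one old random file outside the window, and one real archive."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "invoice_2016-02.txt").write_bytes(b"Invoice no. 4711, amount EUR 120.00\n" * 100)
    (root / "report.doc").write_bytes(os.urandom(8192))       # simulated ciphertext
    old = root / "backup_old.bin"
    old.write_bytes(os.urandom(8192))
    stale = time.time() - 7 * 24 * 3600                         # last touched a week ago
    os.utime(old, (stale, stale))
    (root / "photos.zip").write_bytes(os.urandom(8192))       # compressed by design
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    for rel, ent in scan_share(share):
        print(f"suspicious: {rel} (entropy {ent})")
```

Run against a real share, a single hit is usually a false positive (an encrypted archive, a key file); a sudden cluster of hits across many directories within one window is the pattern worth alerting on, and the time to pull the synchronisation and the affected workstation off the network.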

Locky decryptor tried out

As before, no way is known to recover the encrypted files without paying the ransom. heise Security has a copy of the perpetrators' paid decryption tool. It apparently can only decrypt those files that were encrypted on the paying user's system. Anyone who wants to protect themselves against this digital hostage-taking should make regular backups of all important files, in a place that a Trojan can reach only with difficulty. An external USB hard drive that is connected to the computer only when needed is suitable and lowers the risk of losing all your data at once.

Hazardous Office documents

Locky is currently spread mainly by e-mail. The messages are mostly fictitious invoices meant to arouse the recipient's curiosity. The attachment contains an Office document with macro code that triggers the infection. Distribution is currently being pushed dramatically: the Luxembourg CERT received 500 mails with infected Excel files on one of its honeypots within half an hour. In addition, online criminals spread the blackmail Trojan through exploit kits such as Neutrino. Exploit kits try to install malware via vulnerabilities in the browser and in installed plug-ins such as Flash. Anyone who wants to protect themselves from such attacks should keep their software patched to the current level.
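Since the infection starts with a macro inside an attached Office document, a mail gateway can hold such attachments back before a user ever opens them. The script below is an added example, not code from the article, heise, the Luxembourg CERT or any tool they mention. It classifies an attachment by its bytes rather than its file name: a modern Office file is a zip package, and a macro-enabled one carries a `vbaProject.bin` part and declares the `application/vnd.ms-office.vbaProject` content type; a legacy `.doc`/`.xls` is an OLE compound file, whose macro streams need a full container parser, so this example treats every legacy file as needing review. The sample attachments are constructed in memory and contain no real macro code; the quarantine policy is an assumption for the demonstration.

```python
import io
import zipfile

# Magic bytes of the legacy binary Office container (Compound File Binary, .doc/.xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office declares for an embedded VBA project in an OOXML package.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_office_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by what they could execute, ignoring the
    file extension entirely (the sender chooses that freely).
    Verdicts: 'ooxml-macro', 'ooxml-clean', 'ole-legacy', 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: macros live in an OLE stream; confirming them needs a
        # CFB parser, so this example flags every legacy file for review.
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"            # a zip, but not an OOXML package
            has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
            declares_vba = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
            return "ooxml-macro" if (has_vba_part or declares_vba) else "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def should_quarantine(verdict: str) -> bool:
    """Policy assumed for this example: hold anything that can carry VBA."""
    return verdict in {"ooxml-macro", "ole-legacy"}


def build_ooxml(parts: dict) -> bytes:
    """Assemble a minimal OOXML-style zip package from {part name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (not real malware samples).
CLEAN_XLSX = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/xl/workbook.xml" ContentType='
                           b'"application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/></Types>',
    "xl/workbook.xml": b"<workbook/>",
})
MACRO_XLSM = build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/xl/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "xl/workbook.xml": b"<workbook/>",
    "xl/vbaProject.bin": b"\x00placeholder, not a real VBA project\x00",
})
LEGACY_XLS = OLE_MAGIC + b"\x00" * 504           # header only; enough for the magic check
PDF_LIKE = b"%PDF-1.4\n%constructed sample\n"


def triage(attachments):
    """attachments: iterable of (filename, bytes) -> {filename: (verdict, quarantine?)}."""
    result = {}
    for name, data in attachments:
        verdict = classify_office_attachment(data)
        result[name] = (verdict, should_quarantine(verdict))
    return result


if __name__ == "__main__":
    inbox = [("Rechnung_4711.xlsx", MACRO_XLSM), ("invoice.xlsx", CLEAN_XLSX),
             ("Rechnung.xls", LEGACY_XLS), ("invoice.pdf", PDF_LIKE)]
    for name, (verdict, hold) in triage(inbox).items():
        print(f"{name}: {verdict} -> {'quarantine' if hold else 'deliver'}")
```

Note that the first sample is named `.xlsx` but still carries a VBA part: the check looks inside the package, so a harmless-looking extension does not get it past the gate. Legacy binary files are the noisier case; in practice they are handed to a dedicated OLE parser rather than blocked outright.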