Cybersecurity Alert - Locky Ransomware Infections Caused By JavaScript Attachments

April 7, 2016

Threat Summary

Locky ransomware, which encrypts users' files and demands bitcoin payments in return for decryption, has recently begun to be distributed more commonly through JavaScript (.js) attachments.

Locky is received as an email phishing attachment, often claiming to be an invoice requiring payment. The JavaScript attachment installs ransomware immediately upon opening and encrypts the user's files. This distribution mechanism appears to currently be more popular than the macro-containing Microsoft® Word® and Microsoft Excel® attachments that we previously alerted on. Read more information about Locky communication patterns here.

ACA Aponix Recommendations

ACA Aponix recommends taking the following precautionary measures to prevent ransomware threats:

  • To the extent possible, block inbound .js attachments. ACA Aponix can assist in testing that .js attachments, among many other potentially dangerous attachment types, are blocked by running our email filter test.
  • Ensure anti-virus software is up-to-date, though most anti-virus software is not capable of detecting quickly changing Locky variants.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location, ideally offline and/or WORM-compliant. Backup copies of sensitive data should not be readily accessible from local networks.
  • Check links contained in e-mails by hovering over them before clicking, and do not open attachments included in unsolicited e-mails.
  • Only download software–especially free software–from sites you know and trust.
  • Enable automated patch installations for your operating system and Web browser.
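
One way to implement the attachment check behind the first recommendation, as an added example that is not ACA Aponix's code or its email filter test: it walks a message's MIME parts and reports script attachments, including double extensions and scripts packed inside a .zip. The extension list beyond .js, the zip handling, the function names and the sample message (placeholder content only) are assumptions of this example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# .js is the type named in this alert; the other script types are an
# assumed set that a gateway would commonly block alongside it.
BLOCKED_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

def is_blocked(name):
    # Only the final extension decides the file type, so "invoice.pdf.js"
    # matches. Trailing dots and spaces are stripped before comparing.
    return name.strip().rstrip(". ").lower().endswith(BLOCKED_EXTS)

def blocked_attachments(raw_message):
    """Return the attachment names a gateway policy should reject."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if is_blocked(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_blocked(m)]
            except zipfile.BadZipFile:
                # Assumed policy: fail closed on archives that cannot be inspected.
                hits.append(f"{name}!<unreadable archive>")
    return hits

def build_sample():
    # Constructed test message; attachment bodies are harmless placeholders.
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"// placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice_0407.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan/Invoice.JS", "// placeholder")
        zf.writestr("readme.txt", "hello")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Calling blocked_attachments(build_sample()) reports the double-extension script and the script inside the archive, and leaves the PDF alone.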

Please reach out to us if you have any questions: