Ransomware Works Offline
Friday, July 15, 2016 @ 03:07 PM gHale
Locky ransomware developers boosted operations and distributed hundreds of thousands of spam emails that install a new version.
The catch is this version can work without an Internet connection.
The group behind this ransomware sent out 120,000 spam email messages every hour in two massive surges of activity, said Finnish security firm F-Secure.
Meanwhile, a second set of researchers discovered a new Locky version that can work in “offline mode.”
Avira researchers detected this new variant on July 12, the same day the spam surge happened, but they reported it independently of F-Secure, so it is not confirmed that the spam wave delivered the new variant.
This new Locky version differs from past Locky variants, which needed an Internet connection before the encryption process could start. Because of this, network administrators found that shutting down a company's Internet access as soon as one Locky infection was detected also stopped subsequent computers from being encrypted.
Locky’s authors addressed this issue and have now created a variant that can work around this limitation, albeit using a weaker encryption method.
“(Locky’s offline mode) makes it tougher to block,” said Avira’s Lyle Frink. “But, this new variant may have the weakness that once someone has paid the ransom for their private key ID — it should be possible to reuse the same key for other victims with the same public key.”
This comes in handy in corporate environments, where Locky's authors ask for more money than usual simply because they managed to infect a computer holding more valuable data.
Victims can pull the computer from the enterprise network, reinfect it, pay the ransom, and then use the decrypter to recover the files at a lower price.
This is possible because the offline Locky version generates the same ID for a given computer, unlike the online version, which generates a different ID per infection rather than per computer.
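The two key-provisioning designs the article contrasts, as an added example that is not part of the original article and is not Locky's actual code: a toy model in Python in which the online variant must reach a command server to obtain a per-infection key pair and random ID (so no network means no encryption), while the offline variant carries one embedded public key and derives its victim ID from a machine fingerprint, so reinfecting the same computer yields the same ID and a single purchased private key recovers every infection made under that public key. The unpadded small-modulus RSA and the HMAC keystream cipher are stand-ins for demonstration only; `C2Server`, `infect_online`, `infect_offline`, `recover`, the sample file contents and the machine fingerprint are all constructed for this example and assume nothing about the real malware's internals.

```python
import hashlib
import hmac
import os
import random

# Hypothetical model of the two designs, not Locky's implementation.
# Textbook RSA (no padding, 256-bit modulus) and an HMAC-SHA256 keystream
# stand in for real asymmetric and symmetric ciphers; neither is secure.
FILE_KEY_BYTES = 16
_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=20):
    # Miller-Rabin, adequate for a 128-bit toy prime
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=256):
    # returns (public, private) as (n, e), (n, d)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_wrap(pub, key):
    n, e = pub
    m = int.from_bytes(key, "big")
    assert m < n  # a 16-byte key always fits under a 256-bit modulus
    return pow(m, e, n)

def rsa_unwrap(priv, wrapped):
    n, d = priv
    m = pow(wrapped, d, n)
    if m.bit_length() > FILE_KEY_BYTES * 8:  # wrong key pair yields garbage
        raise ValueError("wrapped key was not produced under this key pair")
    return m.to_bytes(FILE_KEY_BYTES, "big")

def stream_xor(key, data):
    # keystream cipher: the same call encrypts and decrypts
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _encrypt_files(pub, vid, files):
    file_key = os.urandom(FILE_KEY_BYTES)  # fresh symmetric key per infection
    return {"victim_id": vid, "wrapped_key": rsa_wrap(pub, file_key),
            "files": {name: stream_xor(file_key, d) for name, d in files.items()}}

class C2Server:
    # online design: per-infection key pair and random ID, private half held server-side
    def __init__(self):
        self._private = {}
    def register_infection(self):
        vid = os.urandom(8).hex()
        pub, priv = rsa_keygen()
        self._private[vid] = priv
        return vid, pub
    def sell_private_key(self, vid):
        return self._private[vid]

def infect_online(c2, files):
    if c2 is None:  # no Internet means no key, so encryption never starts
        raise ConnectionError("C2 unreachable")
    vid, pub = c2.register_infection()
    return _encrypt_files(pub, vid, files)

def infect_offline(embedded_pub, machine_fingerprint, files):
    # offline design: ID derived from the machine, one public key baked into the sample
    vid = hashlib.sha256(machine_fingerprint).hexdigest()[:16]
    return _encrypt_files(embedded_pub, vid, files)

def recover(priv, record):
    try:
        file_key = rsa_unwrap(priv, record["wrapped_key"])
    except ValueError:
        return None
    return {name: stream_xor(file_key, d) for name, d in record["files"].items()}

def demo():
    files = {"report.docx": b"quarterly numbers", "plan.xlsx": b"budget"}  # constructed
    machine = b"WORKSTATION-17:volume-serial-1A2B3C4D"                     # constructed
    embedded_pub, operator_priv = rsa_keygen()
    first = infect_offline(embedded_pub, machine, files)
    second = infect_offline(embedded_pub, machine, files)  # reinfect the same computer
    c2 = C2Server()
    a, b = infect_online(c2, files), infect_online(c2, files)
    key_a = c2.sell_private_key(a["victim_id"])  # what paying for infection "a" buys
    try:
        infect_online(None, files)
        blocked = False
    except ConnectionError:
        blocked = True
    return {"offline_same_id": first["victim_id"] == second["victim_id"],
            "offline_key_reuse": recover(operator_priv, first) == files
                                 and recover(operator_priv, second) == files,
            "online_ids_differ": a["victim_id"] != b["victim_id"],
            "online_cross_decrypt": recover(key_a, b) == files,
            "online_blocked_without_network": blocked}
```

Calling `demo()` returns a dict of the five outcomes: the offline infections share an ID and one private key recovers both, while the online infections get distinct IDs, the key bought for one does not open the other, and the online variant does nothing at all when the server cannot be reached. Only the key-management structure is modelled here; the real difference in cipher strength the article mentions is not.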