Locky Ransomware Hits Indian Companies
Eight Firms Reportedly Tell Authorities They've Been Victims of the Malware
"Most of the affected firms are mid-sized firms and their view about security is very narrow," Kislay Chaudhary, chairman of the Indian Cyber Army, an association of ethical hackers, tells Information Security Media Group. "During my interaction with these affected firms, I realized that they have outsourced their security to a third party and have no clue what practices need to be put in place," Chaudhary says.
The strains of Locky hitting Indian firms have installed ransom notes on victims' PCs demanding between 0.5 and 1 bitcoin - currently worth $2,250 to $4,500 - to unlock encrypted data, according to news reports.
Delhi Police did not immediately reply to ISMG's request for comment.
Some experts say far more than eight companies have likely been affected by Locky in India.
"So many of the cases have still not been reported. The number of such attack cases surely [is] much higher than it appears," says Rohan Vibhandik, scientist, cyber intelligence research center at ABB.
Police have difficulty cracking down on criminals using ransomware, security experts say. "Even if one manages to trace the source of such attacks, these criminals often operate from countries or geographical boundaries which are beyond police radar. There is no common international cyber law which makes it difficult to crack such cases," says Muktesh Chander, director general of Goa Police.
Various organizations, including CERT-In and Kerala Police Cyberdome, have issued alerts, warning that spam is being used to spread the ransomware.
"It has been reported that a new wave of spam mails are circulating to spread variants of Locky ransomware. Reports indicate that over 23 million messages have been sent in this campaign," CERT-In noted on its website. "The message contains common subjects like please print, documents, photo, images, scans and pictures."
The ransomware encrypts the contents of a computer or server and demands bitcoin payment to unlock it.
Bombay Stock Exchange, or BSE, has asked its trading members and listed firms to take preventive measures to protect their computer networks from the malware.
In a notice, the exchange advised users and administrators of computer systems used by listed companies as well as brokers to perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process.
"Keep the operating system, third party applications (MS office, browsers, browser plugins) up to date with the latest patches," BSE advised.
BSE also suggested maintaining updated anti-virus software on all systems, implementing personal firewalls on workstations and enforcing strict usage policies for external devices such as USB drives.
"Listed companies and registered members of the exchange are advised to inform the exchange [of] any impact due to Locky Ransomware on their systems or systems of the stock brokers, clearing members and depository participants," BSE noted. Members can submit the details through an interface to the BSE Electronic Filing System.
Security practitioners say using outdated operating systems or neglecting to implement proper backup procedures makes companies more vulnerable to ransomware attacks. For instance, one of the companies attacked by Locky - and investigated by Chaudhary - was storing its backups on the same servers that Locky encrypted. "Locky has affected their server so essentially their exercise of having a backup was a failure," Chaudhary says. "They should have backed up their data on [the] cloud."
Prashant Pandey, founder and chief knowledge officer at Kratikal Tech, notes: "At a time when a majority of government institutions, defense establishments and critical infrastructure services are run on obsolete OS and using stale applications, attacks like this really shouldn't surprise anyone. A majority of banks, and particularly ATMs, still run on Windows XP. SMEs are ill-equipped and uneducated about basic security controls that can be implemented to secure their IT infrastructure."
ABB's Vibhandik says attackers often use low-tech social engineering techniques to lure victims into executing ransomware. "Spam emails are generally sent out with email messages and attachments saying 'your MS account is about to expire' or 'need urgent attention, find the receipt of payment below' and so on," he says. "Such kinds of socially engineered messages quickly attract the user and makes him [likely] to open an attachment and then the attack is successfully deployed," potentially also bypassing any security products the user may have installed.
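As an added example, not code from the article or from any organization quoted in it, the following Python triage script parses raw e-mails and flags the lure pattern described above by CERT-In and by Vibhandik: a subject drawn from the quoted lists combined with a file attachment. The sample messages are constructed, and the rule that a lure subject plus an attachment (with a terse body as a supporting signal) counts as suspect is an assumption, not a CERT-In recommendation.

```python
"""Triage raw e-mails for the Locky spam lure described in the article.

Added example. Subject keywords come from the CERT-In alert and the
Vibhandik quote; sample messages are constructed and the verdict rule
(lure subject AND attachment) is an assumption for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Lure subjects quoted in the article (CERT-In alert and Vibhandik).
LURE_SUBJECTS = (
    "please print", "documents", "photo", "images", "scans", "pictures",
    "account is about to expire", "urgent attention", "receipt of payment",
)

def triage(raw: bytes) -> dict:
    """Return the indicators found in one message (empty dict = nothing)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    reasons = {}
    hits = [s for s in LURE_SUBJECTS if s in subject]
    if hits:
        reasons["lure_subject"] = hits
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    if attachments:
        reasons["attachments"] = attachments
    # Mass lures usually carry little or no body text; the payload is the attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and len(body.get_content().strip()) < 80:
        reasons["terse_body"] = True
    return reasons

def is_suspect(raw: bytes) -> bool:
    """A lure subject on its own is weak (people do mail 'documents'); require an attachment too."""
    r = triage(raw)
    return "lure_subject" in r and "attachments" in r

def build_sample(subject: str, body: str, attach_name: Optional[str]) -> bytes:
    """Build a constructed sample message (not a real capture) for testing the triage."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"\x00constructed", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_bytes()
```

A mail gateway would feed each inbound message to `is_suspect` and quarantine or tag the hits for review rather than deleting them outright.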
Kratikal Tech's Pandey advises small and midsize companies to deploy low-cost firewalls and an intrusion detection system to help guard against malware attacks.
"A basic compliance [program] monitoring against international standards like ISO 27001, COBIT or SOX can also be useful for them," he says. "If nothing else, basic security training of all the tech/non-tech employees of the organization, to educate them about the latest threats in the cyber world, can also be beneficial for the organization as a whole."