
Locky Ransomware Encrypts Files Even When Computers Are Offline

How It Works

To lock down and encrypt files, Locky requires a public-private encryption key pair, unique to each infection, generated by the C&C server. Here’s the sequence of events in the encryption routine:

  1. Locky generates a local encryption key and uses it with the AES (Advanced Encryption Standard) algorithm to encrypt files with selected extensions.
  2. It then communicates with a C&C server, asking it to generate an RSA key pair for the now-infected system.
  3. The public key is then sent back to the infected computer or device and used to encrypt the AES key from step 1. The private key, which is required to decrypt what the public key encrypted, remains on the C&C server and is the one you get when you pay the ransom to decrypt your files.

The Upside and Downside

Organizations that rely on cutting off the network as damage control will be lucky if their response is fast enough to isolate the file encryption to only one computer. Those that aren’t fast on the draw will end up with large parts of their IT network, if not all of it, infected with the Locky ransomware, which is being distributed via aggressive spam and phishing campaigns right now.

The upside? If you actually do pay the ransom and get the private key, that key will work to decrypt files on other networks and terminals if they are of the same Locky configuration, which means you have a free decryptor tool for any PCs or networks that become future victims of that strain. It also means that we could see a free public decryptor tool released through open source means in the near future.
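Why one recovered private key serves every victim of the same configuration, as an added example that is not part of the original post: it assumes, as the paragraph above states, that hosts of one configuration share a key pair. It uses toy textbook RSA with small constructed primes and constructed session keys, and all names are hypothetical.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Toy textbook RSA (no padding, small primes): illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private)

def wrap(session_key, public):
    """Encrypt a 16-byte session key under the public key (step 3)."""
    n, e = public
    return pow(int.from_bytes(session_key, "big"), e, n)

def unwrap(blob, private):
    """Recover the session key, or None if the result is not 16 bytes."""
    n, d = private
    m = pow(blob, d, n)
    return m.to_bytes(16, "big") if m < 2 ** 128 else None

def recover_all(wrapped, private):
    """Apply one private key to every wrapped key from one configuration."""
    return {host: unwrap(blob, private) for host, blob in wrapped.items()}

# Constructed data: two configurations, each with its own key pair
# (built from known Mersenne primes, far too small for real use).
PUB_A, PRIV_A = make_keypair(2**61 - 1, 2**89 - 1)
PUB_B, PRIV_B = make_keypair(2**107 - 1, 2**127 - 1)

# Constructed per-host session keys (stand-ins for the AES key of step 1).
SESSION = {h: hashlib.sha256(h.encode()).digest()[:16]
           for h in ("host-1", "host-2", "host-3")}

# Assumption from the text: every host of configuration A wraps its
# session key under the same public key.
WRAPPED = {h: wrap(k, PUB_A) for h, k in SESSION.items()}

if __name__ == "__main__":
    print("configuration A key:", recover_all(WRAPPED, PRIV_A) == SESSION)
    print("configuration B key:", recover_all(WRAPPED, PRIV_B) == SESSION)
```

The private key of a different configuration recovers nothing, which is why a released key only helps victims of the matching strain.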

The post Locky Ransomware Encrypts Files Even When Computers Are Offline appeared first on Office 365.


