Although Locky quieted down in late 2016, researchers at Cisco Talos report that it is perking up again in 2017 in a major way. This time, instead of phishing emails with Word documents attached directly, the attackers are sending PDF files. The PDF contains an embedded Word document, which the reader is prompted to open. Once the Word document is open, the user is told that it is protected and that macros must be enabled to view it. When the user enables the macros, the ransomware is downloaded.
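As an added illustration (not code from the original post or from the Talos report), the Python below shows a first-pass static check for exactly the chain described above: does a PDF carry an attachment plus an action that nudges the reader to open it, and does a Word file carry a VBA project? The sample PDF and .docm it scans are constructed for the demonstration and are not Locky samples; the indicators and the `#xx` name normalisation are generic PDF and OOXML facts, not details recovered from the 2017 campaign, and the scanner is a triage filter, not a replacement for a full parser.

```python
"""Static triage of a PDF or Word attachment for the PDF -> embedded .docm -> macro lure."""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container

# PDF name objects worth flagging, with what each one means to an analyst.
PDF_INDICATORS = [
    (rb"/EmbeddedFiles?\b", "embedded file attachment"),
    (rb"/OpenAction\b", "action that fires when the document is opened"),
    (rb"/JavaScript\b|/JS\b", "embedded JavaScript"),
    (rb"/Launch\b", "launch action (runs an external program or file)"),
]


def unescape_pdf_names(data: bytes) -> bytes:
    """PDF allows /Emb#65ddedFile as a spelling of /EmbeddedFile; normalise
    the #xx escapes so a literal-string scan cannot be dodged that way."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> tuple[list[str], list[str]]:
    data = unescape_pdf_names(data)
    indicators, notes = [], []
    for pattern, meaning in PDF_INDICATORS:
        if re.search(pattern, data):
            indicators.append(meaning)
    # Attachment names live in /Filespec dictionaries as /F (name) or /UF (name).
    for name in re.findall(rb"/U?F\s*\(([^)]*)\)", data):
        indicators.append("attachment named " + name.decode("latin-1"))
    if b"/ObjStm" in data:
        notes.append("object streams present; names may be hidden in compressed "
                     "objects, decompress before trusting a clean scan")
    return indicators, notes


def scan_office(data: bytes) -> tuple[list[str], list[str]]:
    indicators, notes = [], []
    if data.startswith(OLE2_MAGIC):
        notes.append("legacy binary Office file (OLE2); this scanner only handles "
                     "OOXML zips, inspect with olevba instead")
        return indicators, notes
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        notes.append("not an OOXML zip")
        return indicators, notes
    names = set(zf.namelist())
    if "word/vbaProject.bin" in names:
        indicators.append("VBA macro project (word/vbaProject.bin)")
    if "[Content_Types].xml" in names and b"macroEnabled" in zf.read("[Content_Types].xml"):
        indicators.append("content type declares a macro-enabled document")
    return indicators, notes


def triage(data: bytes) -> dict:
    """Pick the scanner by file magic and return a verdict for one attachment."""
    if data.startswith(b"%PDF"):
        kind, (indicators, notes) = "pdf", scan_pdf(data)
    elif data.startswith(b"PK\x03\x04") or data.startswith(OLE2_MAGIC):
        kind, (indicators, notes) = "office", scan_office(data)
    else:
        kind, indicators, notes = "unknown", [], ["unrecognised file type"]
    return {"type": kind, "indicators": indicators, "notes": notes,
            "suspicious": len(indicators) > 0}


# Constructed sample, not a real lure: a one-page PDF carrying an attachment
# named invoice.docm and an open action that nags the reader to open it. The
# names are hex-escaped on purpose so a naive grep for /EmbeddedFile misses them.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R
  /Names << /Emb#65ddedFiles << /Names [(invoice.docm) 4 0 R] >> >>
  /OpenAction << /S /JavaScript /JS (app.alert('Open the attached document to view it');) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /Emb#65ddedFile /Length 2 >> stream
PK
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed clean PDF with no attachment, script or open action.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_sample_docm() -> bytes:
    """Constructed macro-enabled Word file: the zip layout is real, the VBA blob is a stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("lure.pdf", SAMPLE_PDF), ("invoice.docm", build_sample_docm()),
                        ("clean.pdf", CLEAN_PDF)]:
        print(label, triage(blob))
```

Run it as a script to see the three verdicts. The point of the scan is not that any one indicator is malicious (plenty of legitimate PDFs carry attachments or JavaScript) but that the combination the post describes, an attachment plus a prompt to open it, is unusual enough in email traffic to quarantine for review, and that the .docm half can be confirmed by the presence of `word/vbaProject.bin` before anyone enables anything.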
The scary thing about this delivery method is that most employees now know not to open attachments or click links in emails from unknown senders. But because the lure arrives as a PDF, employees may be less suspicious and open it. Then, when the document appears to be "protected" (easily mistaken for "encrypted"), the user believes they are taking an extra precaution and following good security practice, when in fact they are being duped into downloading the ransomware while thinking they are doing the right thing.
This is very frustrating for those of us who are working hard to educate employees on good security practices and to protect them, and their companies, from becoming victims.
The attackers will continue to get more creative, and keeping up with them is exhausting. In this case, tell your employees about this campaign and empower them to ask questions and to be vigilant and highly suspicious. It also helps to point out what the lure needs from the victim: in the chain described above, nothing runs until the user has clicked through the PDF's prompt to open the embedded document and then enabled macros in Word. Each of those prompts is a place to stop and ask, and where your Office deployment supports it, blocking macros in documents that arrived from the internet removes the final step entirely.