One characteristic of Locky ransomware is that it seeks to neutralize shadow copies of files, such as incremental backups of Word files. “It erases local backup so you pay the ransom,” he says. Hiding these backups in .sys folders can prevent their being encrypted, or at least delay it, because .sys folders are low on the list of places the malware looks for files to encrypt, he says. Files that escape encryption this way may be enough that the owners of the victim machine feel they don’t need to pay the ransom to salvage the files that were encrypted, he says.
He has also come up with a CryptoLocker ransomware simulator that runs on production machines without actually encrypting files but otherwise behaves exactly like CryptoLocker. That reveals to security pros what would be vulnerable if the ransomware actually infected corporate machines, so they can take steps to correct the weaknesses and reduce some of the potential damage from real ransomware.
He says such simulators could be written for CryptoLocker, CryptoWall, Locky and SAMSAM, which together represent more than 75% of the ransomware that has actually infected machines.