On September 1, executives of a leading publishing house approached the Delhi police. They were in crisis: all files on more than 150 computers across their offices in Delhi, Mumbai and Bengaluru, connected to a common server, were encrypted by a malware. To decrypt the files, the malware demanded ransom, the police said.

The publishing house had fallen victim to the Locky ransomware campaign, which cyber security experts believe has affected millions of computer systems in over 70 countries in the past month.

Malware is a programme designed to disrupt, damage or gain authorised access to a computer system. When used for ransom, the programme is called ransomware. Locky is the third major global ransomware campaign in the past five months after WannaCry and Petya. And like its predecessors, Locky wants the ransom paid in the digital currency Bitcoin.

The publishing house was told to pay half a Bitcoin per computer to unlock the encrypted files. The total amount came to around Rs 2 crore, said an official in Delhi police’s Crime Branch who asked not to be identified. “This is believed to be the first reported case of the Locky ransomware attack in India.”

On September 10, a Bitcoin was valued at Rs 2,66,437 on websites that keep track of the virtual currency market. The Bitcoin’s value rose exponentially earlier this year after Japan became the first country to legitimise Bitcoin transactions from April 1, 2017, and Russia announced it was mulling over regulating the currency. While some countries such as India and the United States do not approve of Bitcoin, many nations are yet to declare an official position.

Fighting the infection

On September 2, the Government of India’s Computer Emergency Response Team issued an advisory on Locky, calling it a massive spam campaign and specifying a list of Dos and Don’ts for computer users.

“It has been reported that a new wave of spam mails are circulating with common [subject texts] to spread variants of Locky Ransomware. Reports indicate that over 23 million messages have been sent in this campaign. The messages contain common subjects like ‘please print’, ‘documents’, ‘photo’, ‘images’, ‘scans’ and ‘pictures’.  However, the subject texts may change in targeted spear phishing campaigns…Users are advised to exercise caution while opening emails and organisations are advised to deploy anti-spam solutions and update spam block lists.”    

Some emails, the advisory explains, may be for “Dropbox verification”. Attached with the emails is a zip file carrying the malware written in Visual Basic Script. Once the file is clicked, the script downloads the latest version of Locky.

In Delhi, the next victim after the publishing house to approach the police was a finance company. In this case, though, fewer computers were affected. By September 6, at least four more complaints were received. “The operations of the victim companies have literally stopped,” the Crime Branch official said. “The documents are still blocked. We have taken help of cyber security experts to decrypt the files and to find the source of the ransomware.”

In most of the cases the Delhi police are dealing with, the victims were using customised email services without updated anti-spam and anti-malware filters. “So far, teams of cyber experts have tried thousands of decryption applications, available on the internet but nothing seems to have worked,” the official said.

Back from the dead

“There is something unprecedented about Locky,” said Kislay Chaudhary, a cyber security consultant to several government agencies. “It is the first such ransomware that has struck for the second time. And it has returned bigger and better as far as the impact is considered.”

Locky was among the three most widely distributed pieces of malware in 2016, along with Cryptowall and Cerber. However, in 2017, despite a spike in ransomware attacks, Locky was largely quiet. In fact, it was believed to be dead. That was until August 9, when it made a dramatic return, according to the British technology website Inquirer.

“Unlike its older version, the new Locky is self-replicating and can spread through the entire computer network if it succeeds in penetrating any of the computers connected to that network,” Chaudhary said. “India has always been a prime target of global cyber attacks. It is high time the Indian government, corporates and institutes invest in cyber security and be better prepared for more such attacks.”

The Cyber Peace Foundation, which works with several government agencies including the Computer Emergency Response Team, has estimated the number of Locky victims in the country at between 101 and 300. Since it only counted victims who have complained to the police or asked cyber security experts for help, the actual number of victims could be much higher.