Crypto viruses such as Locky are currently a hot topic in IT security. Why are they so dangerous, how can companies protect themselves against them, and what measures do security providers such as Hornetsecurity take to provide optimal protection for their users? We have asked Daniel Hofmann a few questions in order to shed some light on the subject.

The Locky virus has been on everyone’s lips recently: What is it actually all about and what makes it so dangerous?

The Locky virus, as it is currently in circulation, has existed in a similar form since the beginning of December. It is actually an Office document attached to emails which contains a macro that runs when the recipient opens the file. The first macro viruses in circulation were online banking Trojans that diverted payments to foreign accounts. This current wave of viruses encrypts the entire contents of the hard drive, as well as network drives and even backups. The virus is dangerous because the carrier email looks very professional and it is quite difficult to tell whether or not it is a genuine email. The content of the email informs the recipient, for example, that he has an unpaid bill. If the recipient then opens the document, the macro is immediately activated and encrypts the computer’s contents. If the victim wants to have his data decoded again, he is asked to pay a ransom. In principle, I do not recommend doing so, however, because it is not certain whether the victim will actually be given the decryption code at all.

How was it possible for this pest to spread so much and cause so much damage?

What makes this type of virus special is that the attackers develop 2 to 3 new varieties daily. The virus developers test these viruses against common virus scanners until they are no longer detected by them. They then send the virus. In doing so, the malware specialists ensure the virus is sent quickly and compactly, with the regional aspect also playing an important role: the virus mails are coordinated with local time zones and languages, with the emails supposedly being sent by a company that the recipient already knows. Such emails are usually sent during the day from Monday to Thursday. If you take a look at the currently circulating macro viruses, it is evident that this is the work of a group that has very professionally planned the entire cycle, from development to delivery through to payment settlement. For those who are willing to pay, the group even offers a live chat!

What should users and businesses generally look out for in order to best protect themselves from malware such as Locky and the like?

There are several measures you should regularly take in order to protect yourself from such attacks. First of all, every user and every company should always carry out the latest software updates. It also makes sense to carry out a regular backup, either on an external storage medium or to a cloud storage service (like Hornetdrive) offering versioning, which allows previous versions of a file to be recovered. The main gateways for malware – emails and the Internet – must be protected with a reputable and efficient spam filtering and web filtering service. Finally, however, the users themselves also have a responsibility and should check each email critically to see whether the sender is genuine and what kind of attachments are included in the email. An email should always be deleted if in doubt.

Can Hornetsecurity detect and filter out Locky and if so, how?

In early December, when the first macro virus attacks began, we immediately developed new filtering methods. This required a whole package of measures: We thus developed seven to eight virus scanning methods that are specifically focused on Office documents containing macros. The scanners use various reputation mechanisms to determine whether it is a harmless or a malicious macro. This is done automatically and within seconds. If malicious code is found, the filters are automatically adapted so that no further macro viruses can slip through the filter systems.

How do the Hornetsecurity virus filters work in general?

Our virus scanners are under constant development. We have now developed a total of 18 different virus scanners that check email traffic. This number is growing continuously, with several new ones being added each year. We also have – as is now the case for the macro viruses as well – specialized scanners for different attack scenarios and types of attack. One of them, for example, searches for compromised files, while others analyze weblinks via which viruses can be subsequently downloaded. Where the attacks originate from, whether links lead to well-known or blacklisted websites, etc., also plays a role. We are also working with well-known anti-virus vendors to ensure detection of already known viruses.

To get a rough idea – how many new virus signatures do the filters detect per day?

This varies greatly. There are days where we register only a few new variants and other days where there are several thousand. In the past three months, the average has been about 400 new virus variants per day, with the record being 2732 new types of viruses that our filters had to detect and filter out.

What happens when there is a major virus attack?

Our system automatically makes permanent adaptations to individual filter rules in a matter of seconds whilst the system continues to operate. In addition, automatic functions monitor the performance of the filter in catching viruses, based on the response time between detection and creation of a filter rule. If this time is exceeded, for example, during a virus wave, our security experts intervene manually. They immediately perform a deep analysis, optimize the automatic detection or use new filtering tools, until the response time has fallen back to the desired value.

How can new viruses be detected at all?

The fastest and best way this works is via our honeypots, i.e. certain email addresses that serve only one purpose, namely to capture spam and virus mails. We evaluate these around the clock. Our systems also respond to certain types of email and evaluate them automatically before we even know that it is a malicious email. An assessment is carried out based on the “behavior” of an email or attachment, i.e. whether it wants to execute a shellcode on the system or download files from the Internet. Other criteria include the frequency of the email or whether it comes from different senders.
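The interview names two checks a mail filter can apply to an Office attachment: whether it carries a macro at all, and whether the macro's behaviour points to executing code or downloading files from the Internet. The following Python is an added illustration of both, written for this page; it is not Hornetsecurity's filter code and is not taken from any real sample. The sample packages and VBA snippets are constructed in memory so it runs offline, the indicator list and weights are my own assumptions, and the keyword scan assumes the VBA source has already been decompressed from the vbaProject.bin part (for example with oletools' olevba), because that part is stored MS-OVBA-compressed and cannot be grepped directly. Legacy binary .doc/.xls (OLE2) files need a different container parser and are out of scope here.

```python
import io
import re
import zipfile

# Constructed fixtures (not real malware): a minimal Office Open XML package
# with or without a VBA project part, built in memory so the example runs offline.
def build_sample_package(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = ('<Override PartName="/word/vbaProject.bin" '
                    'ContentType="application/vnd.ms-office.vbaProject"/>'
                    if with_macros else "")
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + override + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes: a real part is an OLE2 container, not inspected here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()

def office_file_has_macros(data: bytes) -> bool:
    """Structural check: does an OOXML attachment carry a VBA project at all?

    Covers .docm/.xlsm/.pptm and also a .docx that smuggles in a macro part,
    since the part name and the declared content type are checked, not the
    file extension the sender chose.
    """
    if not data.startswith(b"PK"):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            return b"vnd.ms-office.vbaProject" in zf.read("[Content_Types].xml")
    return False

# Behavioural indicators in decompressed VBA source. Weights are assumptions
# chosen so that "runs on open" plus "fetches from the Internet" alone already
# reaches the blocking threshold.
INDICATORS = {
    "autoexec":    (r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", 3),
    "download":    (r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest|ADODB\.Stream)\b", 3),
    "execute":     (r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute)\b", 2),
    "filesystem":  (r"\b(Environ|TEMP|SaveToFile|FileSystemObject)\b", 1),
    "obfuscation": (r"\b(Chr|ChrW|StrReverse|Xor)\b", 1),
}
BLOCK_THRESHOLD = 5
REVIEW_THRESHOLD = 2

def score_vba_source(source: str):
    """Return (score, sorted names of matched indicators) for decompressed VBA source."""
    hits = {name: w for name, (pat, w) in INDICATORS.items() if re.search(pat, source)}
    return sum(hits.values()), sorted(hits)

def verdict(score: int) -> str:
    """Map a score onto the filter decision (thresholds are assumptions)."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "allow"

# Constructed VBA fixtures: token skeletons for the scanner, not working macros.
MALICIOUS_VBA = """
Sub AutoOpen()
    Set h = CreateObject("MSXML2.XMLHTTP")
    Set s = CreateObject("ADODB.Stream")
    p = Environ("TEMP") & StrReverse("exe.a")
    Shell p
End Sub
"""
BENIGN_VBA = """
Sub FormatTable()
    Selection.Tables(1).Borders.Enable = True
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, pkg in (("macro-enabled", build_sample_package(True)),
                       ("plain", build_sample_package(False))):
        print(f"{label} package has macros: {office_file_has_macros(pkg)}")
    for label, src in (("malicious", MALICIOUS_VBA), ("benign", BENIGN_VBA)):
        score, hits = score_vba_source(src)
        print(f"{label}: score={score} hits={hits} -> {verdict(score)}")
```

The structural check is cheap and deterministic, so it can run on every attachment before any deeper analysis; the behavioural score is what distinguishes a macro that formats a table from one that fetches and runs a file, which is why the two are kept as separate functions with separate results rather than folded into one boolean.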