Security researchers are warning of a new strain of the Locky ransomware — the malware responsible for crippling networks at Methodist Hospital in Henderson, Ky., and King's Daughters' Health in Madison, Ind. — that can start encrypting files on a server even when the computer is offline, reports PC World.
Ransomware typically works like this: once it reaches a victim machine, the malware contacts the attacker's command-and-control server, which generates a pair of encryption keys for that infected computer, one public and one private. The server hands the public key back to the malware, which uses it to encrypt the files. The private key is what can decrypt the files once a victim pays the ransom, and it never leaves the attackers' server, according to the report.
So if the ransomware is blocked by a firewall, or never reaches the attacker's command-and-control server because the computer is taken offline, it has no key to encrypt with and the attack is often ineffective, according to the report.
However, the new strain of Locky doesn't need to make contact with the attacker's command-and-control server to start encrypting files.
While this poses a new threat, security researchers report that the malware falls back to a public key hard-coded into its binary, which is the same for every offline victim. Because that key is shared, a single private key unlocks all of their files: if one offline victim pays the ransom and receives the private key, any other offline victim hit by the same build can use it to decrypt their files, according to the report.
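The difference between the two key-delivery modes, modelled in Python as an added example (this is not Locky's code and not taken from the PC World report). A toy 128-bit textbook RSA and a SHA-256 keystream stand in for the real RSA and AES; the attacker server class, victim identifiers, file names and file contents are all constructed for the illustration. The point it shows: with per-victim keys from the C2, one victim's purchased private key is useless to another victim, but with the embedded offline key it decrypts everyone's files.

```python
import hashlib
import secrets

# --- Toy RSA: tiny, unpadded, for illustrating key delivery only, never real use ---
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=128, e=65537):
    """Return (public, private) as ((n, e), (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

# --- Hybrid file encryption: fresh per-file key, wrapped under the RSA public key ---
def _keystream_xor(key, data):
    """Stand-in for AES-CTR: XOR data with SHA-256(key || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_file(plaintext, pub):
    n, e = pub
    file_key = secrets.randbelow(n - 2) + 2      # per-file secret, as an integer < n
    wrapped = pow(file_key, e, n)                # only the matching private key unwraps it
    sym = hashlib.sha256(file_key.to_bytes(32, "big")).digest()
    return wrapped, _keystream_xor(sym, plaintext)

def decrypt_file(blob, priv):
    n, d = priv
    wrapped, ciphertext = blob
    sym = hashlib.sha256(pow(wrapped, d, n).to_bytes(32, "big")).digest()
    return _keystream_xor(sym, ciphertext)        # garbage if priv does not match

# Constructed stand-in for the key pair fixed at build time in the offline variant;
# only the public half would ship inside the malware binary.
OFFLINE_PUBLIC, OFFLINE_PRIVATE = rsa_keypair()

class AttackerServer:
    """Constructed model of the attacker's C2 (hypothetical, not a real protocol)."""
    def __init__(self):
        self.per_victim_private = {}

    def register_victim(self, victim_id):
        """Online flow: C2 makes a fresh pair, keeps the private half, returns the public."""
        pub, priv = rsa_keypair()
        self.per_victim_private[victim_id] = priv
        return pub

    def sell_key(self, victim_id, offline):
        """What a paying victim receives: their own key online, the shared key offline."""
        return OFFLINE_PRIVATE if offline else self.per_victim_private[victim_id]

def infect(files, pub):
    return {name: encrypt_file(data, pub) for name, data in files.items()}

def recover(encrypted, priv):
    return {name: decrypt_file(blob, priv) for name, blob in encrypted.items()}

def demo():
    """Return (online_cross_decrypt_ok, offline_cross_decrypt_ok) for two constructed victims."""
    c2 = AttackerServer()
    files_a = {"notes.txt": b"victim A: patient schedule (constructed sample)"}
    files_b = {"ledger.csv": b"victim B: billing export (constructed sample)"}

    # Online mode: each victim gets its own public key from the C2; A pays, B tries A's key.
    enc_a = infect(files_a, c2.register_victim("A"))
    enc_b = infect(files_b, c2.register_victim("B"))
    online_cross = recover(enc_b, c2.sell_key("A", offline=False)) == files_b

    # Offline mode: both encrypt with the embedded key; A pays, B reuses A's key.
    enc_a = infect(files_a, OFFLINE_PUBLIC)
    enc_b = infect(files_b, OFFLINE_PUBLIC)
    offline_cross = recover(enc_b, c2.sell_key("A", offline=True)) == files_b
    return online_cross, offline_cross

if __name__ == "__main__":
    print(demo())  # expected: (False, True)
```

Running it prints `(False, True)`: victim B's files stay unreadable under victim A's purchased key in the online flow, and come back intact in the offline flow, which is exactly why the shared embedded key undermines the attackers' own business model.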