A key capability of Locky was the ability to deactivate local antivirus, which in this case it had most likely achieved, as it was not detected. Once inside a network, what mattered was the speed of response and the ability to piece together the fragments of anomalous behaviour into a larger picture so that admins weren't overloaded with false positives, says Ollmann.
"It does take a while for network assets to be encrypted. You'll find it may be 10GB per half day that can be encrypted."
Ransomware explained - what's next?
All sorts of possibilities have popped into the minds of researchers, chief among them the idea of a large-scale ransom attack on a corporate in which attackers spend weeks or months penetrating a network in the manner of data breach attackers. Using stolen credentials, they not only map out valuable data stores (databases, code repositories, shares) but also gain a detailed view of the backup routines and services. Worm-like ransomware would be used to spread the infection around a network before the detonation date.
"Once launched, the malware is more or less unstoppable. In the span of an hour, over 800 servers and 3,200 workstations are compromised; half the organization's digital assets, and the vast majority of the company's data are encrypted. Disaster Recovery mode is initiated, but the DR environment was also compromised due to shared credentials and poor segmentation," hypothesized Talos.
"The target is forced back into the 1980s: digital typewriters, notebooks, fax machines, post-it notes, paper checks and the like."
Such an attack could be launched for money, probably in the millions, but also conceivably for ideological reasons. In the latter case, a company might be asked to make a public statement.
It sounds far-fetched, but only the most optimistic don't think it will come to pass at some point. The history of malware works this way: what can be imagined usually happens eventually. The weaker and less protected networks will be the first to succumb but, as we now know, that could in theory be almost anyone.