Light Dark
April 6, 2016 By Larry Loeb 2 min read

The Locky ransomware has historically spread via malicious macros attached to spam emails. That method seems poised to change drastically.

First observed in mid-February, Locky needed only two weeks to become, according to SecurityWeek, the second most popular ransomware, accounting for 16.47 percent of all ransomware attacks. CryptoWall was the top ransomware with 83.45 percent of the total 18.6 million hits collected between Feb. 17 and Mar. 2.

Changes Emerge for the Locky Variant

Trustwave’s Rodel Mendrez reported that a massive spam campaign with 4 million messages was noticed in early March. It was being mounted by a Dridex botnet, sending up to 200,000 messages an hour.

The initial malware changed from an Office macro to a JavaScript attachment in an attempt to evade detection. Not only that, but the payload the malware downloaded from a command-and-control (C&C) server changed: The JavaScript-based malware was downloading the Locky ransomware.

Check Point Software noticed that things recently changed yet again. A new Locky variant showed a change in the communication patterns it used. Content-Type and User-Agent were included right after the POST header in requests to the C&C server. This means that the host relative position is no longer directly after the POST header.

It Doesn’t Stop There

Trustwave also found that another Locky variant was included in the Nuclear exploit kit (EK) with additional communication changes. After the downloader dropped by the EK sent a request to the C&C server, it responded with the Locky variant. This included a new method of getting the encryption keys from the C&C server.

Spreading the malware via both spam campaigns and EKs increased the odds of successful infections. The changes in communication and methods of encoding the downloader are being done to avoid signature-based detection methods.

Check Point researchers showed 10 different Locky downloader variants. Each tried to avoid detection by hiding the Locky payload in different file types. Meanwhile, the spam that contained the poisoned links would usually claim to be an invoice attachment.

There have been attempts to create a malware vaccine, but not opening unknown links in messages may be the most effective prevention available.

 |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

December 18, 2024

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

December 17, 2024

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

December 16, 2024

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature