April 6, 2016 By Larry Loeb 2 min read

The Locky ransomware has historically spread via malicious macros attached to spam emails. That method seems poised to change drastically.

First observed in mid-February, Locky needed only two weeks to become, according to SecurityWeek, the second most popular ransomware, accounting for 16.47 percent of all ransomware attacks. CryptoWall was the top ransomware with 83.45 percent of the total 18.6 million hits collected between Feb. 17 and Mar. 2.

Changes Emerge for the Locky Variant

Trustwave’s Rodel Mendrez reported that a massive spam campaign with 4 million messages was noticed in early March. It was being mounted by a Dridex botnet, sending up to 200,000 messages an hour.

The initial malware changed from an Office macro to a JavaScript attachment in an attempt to evade detection. Not only that, but the payload the malware downloaded from a command-and-control (C&C) server changed: The JavaScript-based malware was downloading the Locky ransomware.

Check Point Software noticed that things recently changed yet again. A new Locky variant showed a change in the communication patterns it used. Content-Type and User-Agent were included right after the POST header in requests to the C&C server. This means that the host relative position is no longer directly after the POST header.

It Doesn’t Stop There

Trustwave also found that another Locky variant was included in the Nuclear exploit kit (EK) with additional communication changes. After the downloader dropped by the EK sent a request to the C&C server, it responded with the Locky variant. This included a new method of getting the encryption keys from the C&C server.

Spreading the malware via both spam campaigns and EKs increased the odds of successful infections. The changes in communication and methods of encoding the downloader are being done to avoid signature-based detection methods.

Check Point researchers showed 10 different Locky downloader variants. Each tried to avoid detection by hiding the Locky payload in different file types. Meanwhile, the spam that contained the poisoned links would usually claim to be an invoice attachment.

There have been attempts to create a malware vaccine, but not opening unknown links in messages may be the most effective prevention available.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today