Locky, an emerging ransomware threat that first burst on the scene in February, has already started to mutate and morph into new variants. The changes come just as researchers observe a fresh spike in propagation.
Locky is distributed via email attachments, specifically Word documents disguised as invoices. The docs contain macros which download and install the ransomware. When originally discovered, the botnet behind the spam mail was found to be the same as that which delivers the majority of emails containing the infamous Dridex trojan. Locky is also spread via exploit kits.
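Because the delivery vector described above is a Word attachment carrying a macro, the mail-gateway check a defender most wants is "does this attachment contain a VBA project at all?" The following is an added example, not code from the article or from any vendor it quotes. It inspects the attachment bytes directly: an OOXML document (.docx/.docm) is a ZIP archive in which macros are stored under the entry `word/vbaProject.bin`, while a legacy binary .doc is an OLE compound file that needs a separate parser and is flagged for deeper inspection. The sample documents are constructed in memory with a placeholder `vbaProject.bin`; the `build_sample_docx` helper and the verdict strings are assumptions of this example.

```python
import io
import zipfile

# In OOXML Word files, VBA macros are stored in this archive entry.
VBA_PART = "word/vbaProject.bin"
# Legacy binary .doc files begin with the OLE compound-file signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP local-file-header signature, the first four bytes of any OOXML package.
ZIP_MAGIC = b"PK\x03\x04"


def classify_attachment(data: bytes) -> str:
    """Coarse verdict for a mail attachment's bytes.

    Returns one of:
      'ooxml-macro'  OOXML package containing a VBA project
      'ooxml-clean'  OOXML package without a VBA project
      'ole-legacy'   binary .doc/.xls container (needs an OLE parser to inspect)
      'other'        not a Word container at all
    The filename is deliberately ignored: an extension is attacker-controlled.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "other"  # a ZIP, but not an Office package
        return "ooxml-macro" if VBA_PART in names else "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    return "other"


def quarantine_decision(filename: str, data: bytes, external_sender: bool) -> str:
    """Example gateway policy (an assumption of this example, not a vendor rule).

    Macro-bearing documents from outside the organisation are quarantined;
    legacy OLE containers are held for static inspection; everything else passes.
    """
    verdict = classify_attachment(data)
    if verdict == "ooxml-macro" and external_sender:
        return "quarantine"
    if verdict == "ole-legacy" and external_sender:
        return "inspect"
    return "deliver"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed test input: a minimal OOXML package, optionally with a
    placeholder vbaProject.bin entry (no real macro code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments in the style of the campaign: an "invoice" lure.
    samples = [
        ("invoice_2016_0322.docm", build_sample_docx(True), True),
        ("quarterly_report.docx", build_sample_docx(False), True),
        ("old_invoice.doc", OLE_MAGIC + b"\x00" * 16, True),
        ("notes.txt", b"plain text", True),
    ]
    for name, blob, ext in samples:
        print(f"{name:26} {classify_attachment(blob):12} -> {quarantine_decision(name, blob, ext)}")
```

The check keys on the container's contents rather than the filename, so a macro document renamed to look benign is still caught; the legacy OLE branch is returned as `inspect` rather than a verdict because VBA storage in the binary format requires walking the compound-file streams, which this example does not implement.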
As for the ransomware itself, Locky encrypts files based on their extension, and replaces the desktop background with the ransom message. Victims are told to visit one of a choice of .onion or tor2web links to buy Bitcoin, send them to a specific address, and wait for their decryptor download.
According to Check Point researchers, new characteristics of Locky’s communication have now been observed in the wild as part of a new distribution campaign. Initially, Locky’s communication mechanism was well known across the community for displaying a particular communication pattern; however, since March 22, Check Point said it has seen a major drop in logs matching that pattern.
“Assuming that Locky probably didn’t go silent all of a sudden, we tried to actively uncover changes in its activity and discover new findings,” the researchers said in a short analysis. At first, a change in headers was uncovered, and then the communication path changed a second time.
“In the midst of our ongoing research of exploit kits, we encountered a second change in the Locky variant delivered by the Nuclear EK,” researchers said. “This time the changes were more drastic, both in the downloader dropped by the EK, and in the C&C key exchange protocol.”
At the same time, FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. The US, Japan and South Korea are the most affected.
“Prior to Locky’s emergence in February 2016, Dridex was known to be responsible for a relatively higher volume of email spam campaigns,” FireEye researchers said. “However, as shown in Figure 3, we can see that Locky is catching up with Dridex’s spam activities. This is especially true for this week, as we are seeing more Locky-related spam themes than Dridex. On top of that, we also are seeing Dridex and Locky running campaigns on the same day, which resulted in an abnormal detection spike.”
Photo © Ton Snpei