A large wave of Locky ransomware was recently observed, targeting primarily healthcare institutions.
According to FireEye's researchers, the payloads are delivered through macro-enabled Word documents in the Office 2007 format, carrying the ".DOCM" extension. American hospitals have seen the most attacks, closely followed by institutions in Japan, Korea and Thailand, FireEye says.
Researcher Ronghwa Chong says that Locky's operators appear to have abandoned their previous tactic, in which Locky was spread mostly through spam campaigns with malicious JavaScript attachments as the downloader. They are now relying on macro-based distribution instead.
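Because a .DOCM file is an Office Open XML package (a ZIP archive) whose VBA project, if present, lives at word/vbaProject.bin, a mail gateway or analyst can triage such attachments without opening them in Word. The script below is an added example written for this page, not FireEye's or Locky's code; the sample packages it builds are constructed in memory and contain no real malware, and the placeholder VBA part is an assumption standing in for a real OLE-format project.

```python
"""Triage check for macro-enabled Word attachments (added example, not FireEye's code).

A .docm is an Office Open XML package: a ZIP archive whose VBA project, if any,
is stored at word/vbaProject.bin. Checking the archive for that part is more
reliable than trusting the file extension, because a renamed .docm keeps its
contents and a renamed .docx gains no macros.
"""
import io
import zipfile

# Content type declared for the main document part of a macro-enabled document.
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"


def inspect_ooxml(data: bytes) -> dict:
    """Report what the package itself says about macros, independent of the extension."""
    result = {"is_zip": False, "has_vba_project": False, "macro_enabled_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not an OOXML package at all (could be RTF, OLE2 .doc, etc.)
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["has_vba_project"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            result["macro_enabled_type"] = MACRO_ENABLED_CT in ct
    return result


def should_quarantine(data: bytes) -> bool:
    """Flag any package carrying a VBA project or declaring the macro-enabled type."""
    info = inspect_ooxml(data)
    return info["has_vba_project"] or info["macro_enabled_type"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample package for offline testing; not a real Locky document."""
    main_ct = MACRO_ENABLED_CT if with_macro else PLAIN_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Assumption: a real vbaProject.bin is an OLE compound file; a
            # placeholder with the OLE magic is enough for this check.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("plain .docx", build_sample(False)), ("macro .docm", build_sample(True))):
        print(label, inspect_ooxml(sample), "quarantine:", should_quarantine(sample))
```

The check looks at both signals because they can disagree: an attacker can rename a .docm to .docx, and Word will still honour the VBA project inside, so the package contents, not the extension, decide.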
“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits.” – Chong said – “Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”
In June, security experts from Proofpoint noticed a small increase in the distribution of the Dridex banking Trojan, as well as a new Locky ransomware variant propagated through the Necurs botnet, which had been inactive for some time before that.
A deeper analysis of Locky's network patterns, its spoofed email messages and the DOCM attachments allowed the experts to find a clear connection between the large spam waves launched this month. The connection points to a coordinated effort, whether by a single attacker or by several working together.
“Each email campaign has a specific ‘one-off’ campaign code that is used to download the Locky ransomware payload from the malicious malware server.” – Chong noted.
Researchers also noted that the malicious URL embedded in the Locky macro code is encoded with the same encoding function in every campaign, but with a key that differs for each campaign.
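A keyed encoding that is identical across campaigns is a useful analyst property: once the function is understood, each campaign's key can be recovered from the encoded URL itself because the start of the plaintext ("http") is known. The script below is an added example written for this page, not FireEye's analysis or Locky's macro code. FireEye does not publish the encoding function; the example assumes a single-byte XOR over the URL bytes as a stand-in, and the URLs, keys and campaign codes it uses are constructed and are not real indicators.

```python
"""Recovering a per-campaign keyed URL from a downloader macro (added example).

The page says the download URL in the Locky macro is encoded with the same
function in every campaign but with a campaign-specific key. The real function
is not published; this example ASSUMES single-byte XOR over the URL bytes and
shows how an analyst recovers the URL without knowing the key, using the known
prefix "http" as a crib. The URLs and campaign codes below are constructed.
"""
from typing import Optional, Tuple


def xor_encode(plaintext: bytes, key: int) -> bytes:
    """Keyed obfuscation as a macro might apply it; XOR is its own inverse."""
    return bytes(b ^ key for b in plaintext)


def recover_url(blob: bytes, crib: bytes = b"http") -> Optional[Tuple[int, bytes]]:
    """Try every single-byte key and accept the one that yields the crib at offset 0.

    With a single-byte XOR at most one key can map blob[0] to crib[0], so a hit
    is unambiguous; a blob that matches no key returns None rather than a guess.
    """
    for key in range(256):
        candidate = xor_encode(blob, key)
        if candidate.startswith(crib):
            return key, candidate
    return None


def campaign_code(url: bytes) -> str:
    """Return the last path segment, where the constructed sample puts the one-off campaign code."""
    return url.decode("ascii").rstrip("/").rsplit("/", 1)[-1]


# Constructed samples: two campaigns, same encoding function, different keys.
SAMPLE_URL_A = b"http://example.invalid/dl/8f3a2c"
SAMPLE_URL_B = b"http://example.invalid/dl/c17e09"
KEY_A, KEY_B = 0x5A, 0xC3
BLOB_A = xor_encode(SAMPLE_URL_A, KEY_A)  # what campaign A's macro would carry
BLOB_B = xor_encode(SAMPLE_URL_B, KEY_B)  # what campaign B's macro would carry


if __name__ == "__main__":
    for name, blob in (("A", BLOB_A), ("B", BLOB_B)):
        hit = recover_url(blob)
        if hit is None:
            print(name, "no key yields an http URL")
            continue
        key, url = hit
        print(f"campaign {name}: key=0x{key:02x} url={url.decode()} code={campaign_code(url)}")
```

The crib approach does not depend on XOR specifically; any invertible function with a small key space can be handled the same way, by trying keys until the decoded string starts with a plausible scheme. Extracting the decoded URL and its campaign code per sample is what lets separate spam waves be tied to one infrastructure, as the FireEye analysis describes.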
Even though the healthcare sector was Locky's main target, it was not the only one. The telecom, transportation and manufacturing industries were also hard hit by the new wave.
Locky is best known for one of its most successful attacks, in February of this year, against the Hollywood Presbyterian Medical Center in California; the hospital had to pay a $17,000 ransom to regain access to its files.
Security researchers say that cybercriminals have marked hospitals as highly profitable targets, mostly because of their outdated security practices combined with the large amounts of valuable data they hold.
Meanwhile, Locky's uninterrupted activity over the last couple of months has made it the number one malware threat, Proofpoint reports. Proofpoint also says that Locky accounted for 69% of all email attacks using malicious attachments in Q2.
“This is a 45 percent increase over Q1 for Locky alone.” Proofpoint said.
“The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking Trojans, as the former appears to be more lucrative.” – Chong added.