Locky ransomware is on the move again. According to Cisco Talos experts, the malware is distributed by Necurs botnet via fake invoices, being part of a brand new spam campaign.
In 2016, the Necurs botnet was tightly connected to Locky’s position on the top of the ransomware charts. After several months of absence, Necurs showed up again in April, this year, though, distributing Locky for a few weeks only.
On May 12, 2017 the Necurs botnet started spreading out the Jaff ransomware, which was closely connected to Locky, due to the fact that one and the same actor operated both ransomware families.
However, researchers from Kaspersky Lab have recently found some vulnerabilities in Jaff ransomware and created a decryptor for it, letting the victims decrypt their files for free. Despite the three versions of Jaff which have been registered so far, the decryption tool would still work for any of them.
Obviously, the release of the decryptor took the Jaff virus out of the game, and now Necurs is betting on Locky again. The spam emails pushing the ransomware feature a double-zipped archive with an .exe file inside.
Nevertheless the main difference between the previous and the latest Necurs-driven campaigns is that the old ones used subjects like payment receipts, order confirmations, and business documents, while the new ones are sent as fake invoices.
According to Talos, the latest Locky campaign features a huge volume of spam – during the first hour it accounted for around 7% of the email volume registered by one of the company’s systems. Later on, the volume has decreased, however, the campaign is still active.
The spam campaign uses the same affiliate ID as the previous one, though, it looks like the ransomware itself has been modified. One of its new features is the prevention from encrypting data on systems running under operating systems more recent than Windows XP. Another interesing aspect of the new campaign is the command and control (C&C) URL structure:
“Adversaries behind this latest Locky campaign have reused the /checkupdate path as part of the URL structure — the same URL structure found in previous Locky campaigns. This is perhaps another indication that adversaries were hasty in their developing and distributing this campaign.” the security experts stated.
Talos researchers think that the operators of Locky are probably aware of the current issues with the ransomware, and an updated version of the malware will be released in the nearest future. However, at this point the Locky sample which Necurs distributes, is capable of encrypting Windows XP systems only.
“It’s always risky clicking on links or opening attachments in strange email messages. Users that fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks. As always, organizations are encouraged to make regular backups of their data, practice restoring said data, and store backups offline far out of the reach of potential criminals,” Talos experts explained.