Over the past few weeks, the only source of Locky ransomware infections has been spam campaigns that distribute the Kovter click-fraud malware, which then installs Locky as a secondary payload.
The latest Locky spam campaigns have been observed by many experts, including the security firms Check Point and Avast and the security researchers Kevin Beaumont and MalwareTech, among others.
According to Check Point’s recent report on December’s most active malware families, Locky ransomware activity has gone down 81%.
Two months earlier, in October, Locky had been ranked as the top malware threat in the world, while in December the parasite was not even in the top 10 infections.
You can see the same thing in a chart released by Avast. Despite not covering the last ten days, the chart shows that Locky spam numbers have remained at the same low levels as over the holiday season.
The activity in the chart appears to be the Locky ransomware delivered as a second-stage download for Kovter campaigns.
Kovter is a click-fraud malware that infects computers and clicks on invisible ads on the user’s behalf. This malware has been around for years, though it only recently started delivering a wider range of secondary payloads.
Last January, Kovter downloaded and installed a proxy client on infected PCs, transforming infected hosts into proxy servers for the ProxyGate web proxy service. This let the Kovter creators make a side profit by routing web traffic through infected PCs, while also earning money from click-fraud – the threat’s main activity.
During the same month, Kovter also started distributing a version of the Nemucod ransomware, for which Fabian Wosar of Emsisoft had created a free decrypter.
Pushed by the decrypter’s success, the Kovter developers switched between several ransomware variants over the following months, and starting in October settled on renting and distributing Locky ransomware as part of an affiliate scheme, splitting the ransom payments with the Locky crew.
Security experts can easily identify Locky infections distributed by the Kovter group by the affiliate IDs 23 and 24, found in Locky’s configuration file, which is present on every infected system.
A recent post by PhishMe researchers described the Kovter spam emails that have been distributing Locky ransomware over the past weeks. Currently, these spam emails are the only source of Locky infections.
It seems like the majority of these emails are coming from mailer scripts installed on compromised websites, such as the ones running Joomla.
In the past, most of the spam distributing Locky was sent out via Necurs, a botnet of PCs infected with the Necurs bootkit.
In 2015, Dridex was Necurs’ primary payload; however, over the course of 2016, the criminals behind the Necurs botnet slowly phased out Dridex in favor of Locky, most likely because ransomware infections yield a higher return than bank fraud.
Presently, according to MalwareTech, the Necurs command and control servers are offline, so all that is left for us is to hope they won’t come back online.