The notorious Locky ransomware has recently received an update and currently relies on DLL files for its distribution instead of the classic EXE binaries.
This particular ransomware has experienced more changes than any other, because it was created by the same cybercriminal gang that is behind the famous Dridex banking Trojan and that owns one of the most active botnets on the Internet.
For Locky's creators, there is no such thing as “meager means”. They have the time and the knowledge and, most importantly, they can afford to regularly update and evolve their threat with the newest techniques so that it stays under the radar.
One of the latest updates Locky received has to do with the way it is being spread and how the encryption process starts. The Cyren security company reports that recent Locky variants are being delivered as disguised DLL files instead of EXE binaries.
The infection process, however, remains the same. Locky arrives at its destination via spam emails with a ZIP file attached. Once unzipped, this file drops a JavaScript file, which downloads the DLL file when it is executed. The file encryption process starts when the DLL file is injected into a process and its malicious code is executed. Another upgrade is that the DLL file relies on a custom packer, which makes it harder to detect.
The encrypted files have the “.zepto” extension appended, marking this Locky version as a member of the Zepto ransomware family. Zepto is just another name for Locky; it is still the Locky ransomware under a different label.
As mentioned, Locky has morphed numerous times over the years. For instance, Locky spam using Office documents and WSF files instead of ZIP and JS files has increased. Other versions have leveraged websites with vulnerable PHP forms to send the spam messages, instead of the botnets the creators mostly use. Another Locky strain was designed to work without an Internet connection, but its encryption algorithm was quite weak.
At the end of the previous month, Locky's authors tried to embed an entire ransomware binary in a single JavaScript file and reconstruct the EXE file when the JS file is executed, instead of downloading it from an online server.
Thanks to these non-stop improvements, Locky has always managed to keep security experts on their toes. It was always one step ahead, which is why it took them so long to finally create a decryptor.
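The delivery chain described above (a ZIP attachment carrying a JavaScript or WSF dropper, then files renamed to .zepto once encryption runs) gives a mail gateway and an endpoint file-activity log two cheap detection points. The script below is an added example written for this article, not code from Cyren or the article's author; the sample archive, the hostnames and file-write events, and the five-file burst threshold are all constructed.

```python
import io
import zipfile
from collections import Counter

# Dropper types the article names inside Locky spam attachments (JavaScript, later WSF).
SCRIPT_EXTENSIONS = {".js", ".wsf"}
RANSOM_EXTENSION = ".zepto"

def suspicious_zip_members(zip_bytes):
    """Names of archive members whose final extension is a script dropper.
    Only the last extension counts, so a lure like 'invoice.pdf.js' is still flagged."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(name)
    return hits

def zepto_burst_hosts(events, threshold=5):
    """{host: count} for hosts that wrote at least `threshold` files ending in .zepto.
    `events` holds (hostname, path) pairs; a burst of such writes is encryption under way."""
    per_host = Counter(host for host, path in events
                       if path.lower().endswith(RANSOM_EXTENSION))
    return {host: n for host, n in per_host.items() if n >= threshold}

def build_sample_zip():
    """Constructed attachment: a JS file behind a double extension plus a harmless decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.pdf.js", "// placeholder text, not a real downloader\n")
        zf.writestr("readme.txt", "nothing to see\n")
    return buf.getvalue()

# Constructed file-write events: ws-02 shows the rename burst, ws-01 a single write.
SAMPLE_EVENTS = [
    ("ws-01", r"C:\Users\a\Documents\report.docx"),
    ("ws-01", r"C:\Users\a\Documents\A1B2C3.zepto"),
    ("ws-02", r"C:\Users\b\Desktop\D4E5F6.zepto"),
    ("ws-02", r"C:\Users\b\Desktop\071829.ZEPTO"),
    ("ws-02", r"C:\Users\b\Pictures\holiday.zepto"),
]

if __name__ == "__main__":
    print(suspicious_zip_members(build_sample_zip()))    # ['invoice_2016.pdf.js']
    print(zepto_burst_hosts(SAMPLE_EVENTS, threshold=3))  # {'ws-02': 3}
```

The extension check is deliberately case-insensitive, and the burst threshold is the knob to tune against normal file churn on a given host.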