The Locky Ransomware Adopts the Macro Script Distribution Method

The authors of the infamous Locky Ransomware have decided to completely forsake their JavaScript-based distribution method. According to researchers, since the beginning of June, Locky has been spread via malicious Microsoft Office documents with the “DOCM” file extension.

Ever since its appearance on the ransomware stage, Locky was known to use JavaScript files hidden inside a ZIP file, which was sent to targeted users in spam messages.

However, the developers seem to have changed their tactics. According to FireEye, the cyber gang is currently relying on macro scripts attached to MS Office files with the “DOCM” extension. The macro script is executed when the victim allows “enabling editing” in an open document. The script then connects to an online server, and downloads and installs the ransomware.
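From the defender's side, both delivery formats described above (a script file inside a ZIP, and a macro-carrying DOCM) can be recognised by inspecting the attachment's container rather than trusting its extension. The following triage sketch is an added example, not code from FireEye or from the original article; the function names and finding labels are hypothetical, and the samples are constructed placeholders, not real malware.

```python
import io
import zipfile

SCRIPT_EXTENSIONS = (".js", ".jse")          # script droppers of the older wave
MACRO_EXTENSIONS = (".docm", ".dotm")        # extensions that declare macros openly

def triage_attachment(name, data):
    """Return a list of findings for one attachment given as bytes."""
    findings = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings                      # neither a ZIP nor an OOXML container
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = {m.lower(): m for m in zf.namelist()}
            # Older wave: a script file packed inside a ZIP archive.
            for lowered in sorted(members):
                if lowered.endswith(SCRIPT_EXTENSIONS):
                    findings.append("script-in-zip:" + lowered)
            # Newer wave: an Office Open XML container carrying a VBA project.
            if "[content_types].xml" in members:
                content_types = zf.read(members["[content_types].xml"]).lower()
                has_vba = any(m.endswith("vbaproject.bin") for m in members)
                if has_vba:
                    findings.append("vba-project")
                if b"macroenabled" in content_types:
                    findings.append("macro-enabled-content-type")
                # A macro document renamed to .docx still carries the VBA part.
                if has_vba and not name.lower().endswith(MACRO_EXTENSIONS):
                    findings.append("extension-mismatch")
    except zipfile.BadZipFile:
        findings.append("corrupt-zip")
    return findings

def make_zip(files):
    # Build an in-memory ZIP from {path: bytes}; used only for constructed samples.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed samples: minimal containers with placeholder parts.
MACRO_CT = b'<Types><Override ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>'
DOCM = make_zip({"[Content_Types].xml": MACRO_CT, "word/vbaProject.bin": b"placeholder"})
DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
JS_ZIP = make_zip({"invoice.js": b"// placeholder"})

if __name__ == "__main__":
    for label, blob in [("a.docm", DOCM), ("a.docx", DOCM), ("b.docx", DOCX), ("c.zip", JS_ZIP)]:
        print(label, triage_attachment(label, blob))
```

A mail gateway or a triage script can quarantine anything that returns a non-empty list; the `extension-mismatch` finding matters because a macro document keeps its VBA part even when the file is renamed.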

This new Locky spam wave is not targeting just one or two specific areas, notes FireEye. Clearly, some countries were more affected than others, but the ransomware appears to be globally oriented, attacking users from all over the world.

Statistics from the first half of this month show that the most spammed users are located in the US, Japan, Thailand, Singapore and the Korean Republic. As for which sector experienced the most spam attacks, researchers say it is, without doubt, the healthcare industry. This doesn’t come as a surprise given that in the latest cases, the health institutions gave up in the end and paid the ransoms. Other affected sectors are transportation, manufacturing, telecom and general services.

While Locky is currently using its new spreading method, researchers noticed that the Dridex distribution has stopped in the meantime. For a while now, experts have known that Locky's gang is using the same C&C server as the authors of the Dridex Banking Trojan. However, the Dridex distribution appears to have stopped completely, FireEye says.

Dridex was known for using MS Office docs and macro scripts to hit users, just as Locky does.

The new Locky spam spreading campaigns are using different payloads for each spam wave, but FireEye has managed to find something in common anyway. It only confirms that the people behind the ransomware are professionals and shows how they managed to continue operating for years without being detected.
