Locky Ransomware Morphs Into New Variants

Although Locky ransomware first appeared only this February, it has already begun to mutate and morph into new variants. Malware researchers noted the changes while observing a fresh spike in propagation.

Like many other malicious threats, Locky is distributed via email attachments, specifically Word documents disguised as invoices. These documents contain macros that download and install the ransomware. When these were originally discovered, the botnet behind the spam mail was found to be the same one that delivers the majority of emails carrying the infamous Dridex trojan.

Another method of distributing Locky ransomware is via exploit kits.

Locky encrypts files based on their extension and replaces the desktop background with a ransom message. Victims are told to visit one of several .onion or tor2web links to buy Bitcoin, send it to a specified address, and wait for their decryptor download.

According to Check Point researchers, some new characteristics have already been added to Locky. Locky’s communication mechanism was initially well known across the community for a particular communication pattern; however, since March 22, the researchers said they had observed a major drop in logs.

“Assuming that Locky probably didn’t go silent all of a sudden, we tried to actively uncover changes in its activity and discover new findings,” the researchers explained. “At first, a change in headers was uncovered, and then the communication path changed a second time.”

“In the midst of our ongoing research of exploit kits, we encountered a second change in the Locky variant delivered by the Nuclear EK,” the experts stated. “This time the changes were more drastic, both in the downloader dropped by the EK, and in the C&C key exchange protocol.”

Meanwhile, there is a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns affecting users in over 50 countries. Currently, the USA, Japan and South Korea are the most affected.

“Prior to Locky’s emergence in February 2016, Dridex was known to be responsible for a relatively higher volume of email spam campaigns,” the Check Point researchers said.

“However, Locky is catching up with Dridex’s spam activities. This is especially true for this week, as we are seeing more Locky-related spam themes than Dridex. On top of that, we also are seeing Dridex and Locky running campaigns on the same day, which resulted in an abnormal detection spike.”
