Malware analysts from British software company My Online Security have issued a warning about a new spam wave. The campaign in question spreads Locky ransomware, a well-known name in the malware ranks. After a brief hiatus, the developers of the infection have launched a new campaign. It distributes the most recent known version of the virus, one that has already been detected in earlier campaigns.
The spam emails use a classic deceptive pattern. They talk about an important matter and refer to an attached file for further details. The topic of this spam wave is receipts. The subject line lists a brief description. The title of the message includes the word “receipt” or “payment” and an identification number. By providing scarce information, the sender provokes the recipient to open the document in order to find out more.
The file itself does not state what the receipt is about. The title of the attachment consists of a single letter and an identification number. Further details are purposely omitted. This way, the document fits the mold of any type of receipt. People who happen to be expecting a message are more likely to fall into the trap.
Our advice to users is not to open attachments if the message does not give exact information. It is standard practice for legitimate companies to explain why they are contacting you and to describe the document they are sending in detail.
The infection pattern of Locky ransomware
The attachments carrying Locky ransomware use several obfuscation layers. The main file is a .PDF document. When you open it, you will discover that it contains an embedded Word document. This is yet another red flag. There is no reason to pack one file into another.
If you proceed to open the Word document, you will be shown a message, stating that it is protected. You will be asked to enable macros to view its contents. This would be your last chance to avert the infection. Transferring malware via macros is a trivial technique. Yet, it is still successful to this day because people are not sufficiently informed on cyber security matters.
When the macro executes, it transfers the payload of Locky onto the target device. The binary of the virus is downloaded, decrypted and saved to the %Temp% directory under the name redchip2.exe.
The ransomware executable is launched from the command prompt. Locky then proceeds to encrypt all vulnerable files on the hard drive. The process is quick. All encrypted objects have the .OSIRIS file extension appended to their names. The custom suffix indicates which variant of the virus you have contracted, since the developers of Locky change the appendix with almost every build.
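As an added example (not from the original report or from My Online Security), here is a small Python triage check for the first layer of the chain described above: it scans a PDF for embedded files and flags any that are Office documents. The two sample PDFs and the attachment name A-1029384.docm are constructed for this example, and the list of Office extensions treated as suspicious is an assumption.

```python
"""Triage check: does a PDF carry an embedded Office document?

The infection chain above starts with a PDF that wraps a macro-bearing
Word file. Rather than opening the PDF, a defender can scan its raw bytes
for the /EmbeddedFile and /Filespec objects the PDF format uses to attach
files, and flag Office documents before a user ever sees the macro prompt.
"""
import re

# Each PDF object is "N G obj ... endobj"; we scan bodies for Filespec entries.
OBJ = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
# Embedded file streams are declared with /Type /EmbeddedFile.
EMBEDDED_FILE = re.compile(rb"/Type\s*/EmbeddedFile")
# Inside a /Filespec dictionary, /UF or /F holds the file name as a literal string.
FILE_NAME = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")
# Assumption: Office formats that can carry macros or embedded code.
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".ppt", ".pptm")

def embedded_file_names(pdf_bytes: bytes) -> list:
    """Return the names of files embedded in the PDF (best-effort raw scan)."""
    if not EMBEDDED_FILE.search(pdf_bytes):
        return []
    names = []
    for obj in OBJ.finditer(pdf_bytes):
        body = obj.group(1)
        if b"/Filespec" in body:
            m = FILE_NAME.search(body)
            names.append(m.group(1).decode("latin-1") if m else "<unnamed>")
    return names or ["<unnamed>"]  # stream present but no Filespec found

def assess_pdf(pdf_bytes: bytes) -> dict:
    """Summarise embedded files and flag Office documents as suspicious."""
    names = embedded_file_names(pdf_bytes)
    office = [n for n in names if n.lower().endswith(OFFICE_EXTS)]
    return {"embedded_files": names, "office_documents": office,
            "suspicious": bool(office)}

# Constructed sample: a minimal PDF that embeds a macro-enabled Word file.
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles "
              b"<< /Names [(receipt) 3 0 R] >> >> >> endobj\n"
              b"3 0 obj << /Type /Filespec /F (A-1029384.docm) "
              b"/EF << /F 4 0 R >> >> endobj\n"
              b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n"
              b"endstream endobj\n%%EOF\n")
# Constructed sample: a plain PDF with nothing embedded.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

if __name__ == "__main__":
    print(assess_pdf(SAMPLE_PDF))
    print(assess_pdf(CLEAN_PDF))
```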
Upon completing the encryption, Locky displays a ransom note to inform victims of the occurrence. Here is an excerpt from the statement: “All of your files are encrypted with RSA-2048 and AES-128 ciphers. […] Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server”.
The developers of Locky demand a ransom payment which needs to be made following certain steps. The victim has to download and install the Tor web browser. Using this program, they have to follow a link to the payment website. The cyber criminals require people to pay in Bitcoins.
Locky has proven to be a masterful encryption virus. Malware experts have been unable to crack the code of the program to date. At this point in time, users who contract the infection have two options. They can pay the hackers, or store the encrypted files and wait in the hope that a way to decrypt them will eventually be found.