A new variant of ransomware known as Locky (detected by Symantec as Trojan.Cryptolocker.AF) has been spreading quickly since it first appeared on Tuesday (February 16). The attackers behind Locky have pushed the malware aggressively, using massive spam campaigns and compromised websites.
Locky encrypts files on victims’ computers and adds a .locky file extension to them. The ransom demand varies between 0.5 and 1 bitcoin (approximately US$210 to $420).
One of the main routes of infection has been through spam email campaigns, many of which are disguised as invoices. Word documents containing a malicious macro are attached to these emails. Symantec detects these malicious attachments as W97M.Downloader. If this macro is allowed to run, it downloads and installs Locky onto the victim’s computer.
Symantec telemetry indicates that Locky was spread by at least five different spam campaigns on February 16. Most of the spam emails seen had a subject line that read “ATTN: Invoice J-[RANDOM NUMBERS]”. Another campaign used “tracking documents” as a subject line.
The spam campaigns spreading Locky are operating on a massive scale. Symantec anti-spam systems blocked more than 5 million emails associated with these campaigns by yesterday, February 17.
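The two traits described above, a lure subject line and a Word attachment that carries a VBA project, are what a mail gateway would check before the document ever reaches Word. The following is an added example, not Symantec's code: it builds a constructed message with a constructed macro-enabled attachment and triages it. The subject regex mirrors the “ATTN: Invoice J-[RANDOM NUMBERS]” pattern quoted in the text; the OLE2 check for legacy .doc files is a byte-level heuristic (looking for the UTF-16 directory-entry names Word uses for macro storages), not a full compound-file parser.

```python
"""Triage an inbound email for Locky-style lures: subject pattern plus a Word
attachment that contains a VBA project. Added example; message, sender and
attachment are constructed for the demo."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls container
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx")
SUBJECT_PATTERNS = [
    re.compile(r"^ATTN:\s*Invoice\s+J-\d+\s*$", re.IGNORECASE),   # "ATTN: Invoice J-[digits]"
    re.compile(r"tracking documents", re.IGNORECASE),             # second campaign's lure
]


def subject_matches_campaign(subject) -> bool:
    """True if the subject matches one of the lure patterns quoted in the text."""
    return any(p.search(str(subject or "")) for p in SUBJECT_PATTERNS)


def has_vba_project(data: bytes) -> bool:
    """True if an Office attachment carries VBA.

    OOXML (.docm/.xlsm) stores macros as an embedded vbaProject.bin part; a legacy
    OLE2 file keeps them in a 'Macros' storage whose directory entries ('VBA',
    '_VBA_PROJECT') are stored as UTF-16LE names. The OLE2 branch is a heuristic."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE2_MAGIC):
        return ("_VBA_PROJECT".encode("utf-16-le") in data
                or "Macros".encode("utf-16-le") in data)
    return False


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a quarantine verdict with reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    if subject_matches_campaign(msg["Subject"]):
        reasons.append("subject matches Locky lure pattern")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(OFFICE_EXTS) and has_vba_project(payload):
            reasons.append(f"attachment {name} contains a VBA project")
    return {"quarantine": bool(reasons), "reasons": reasons}


def build_sample_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package; with_macro adds the vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_sample_email(subject: str, attachment_name: str, attachment: bytes) -> bytes:
    """Constructed message in the shape of the invoice lure (sender is fictitious)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see attached invoice.")
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample_email("ATTN: Invoice J-48271033", "invoice_J-48271033.docm",
                              build_sample_docm(True))
    print(triage_message(lure))
    benign = build_sample_email("Q1 planning notes", "notes.docx", build_sample_docm(False))
    print(triage_message(benign))
```

The subject match alone is weak evidence (the campaign subjects change), so the verdict leans on the content check: a document that carries a VBA project, whatever its extension says, is the thing worth quarantining or detonating in a sandbox.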
Figure 1. Example of spam email used to distribute Locky
Similarities to Dridex?
These spam campaigns have many similarities to campaigns used to spread the Dridex financial Trojan. The sheer size of the campaigns, their disguise as financial documents such as invoices, and the use of malicious macros in attached Word documents are all hallmarks of the Dridex group. This has led to some speculation that the Dridex group may have branched out into ransomware.
The similarities between the two extend beyond the spam campaigns. The malicious Word macros used to install each threat employ similar obfuscation methods and non-standard naming conventions. They also both create a file called “ladybi.exe” on the infected computer. In addition to this, the URLs the payloads are downloaded from use an identical naming structure:
- https://[DOMAIN NAME]/[RANDOM HEXADECIMAL VALUE]/[RANDOM HEXADECIMAL VALUE].exe
- https://[DOMAIN NAME]/[RANDOM HEXADECIMAL VALUE]/[RANDOM HEXADECIMAL VALUE]
However, there is no conclusive evidence at present to suggest that the same group is behind both of these attacks, and there are some significant differences between the two threats. Downloaded Locky files look quite different from recent Dridex variants: Dridex is usually downloaded as an encrypted file with a .jpg extension, whereas the Locky payload is not encrypted.
Symantec has also observed Locky being distributed by the Neutrino exploit kit. To date, Dridex has never been distributed in this fashion.
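The shared indicators above (the hex/hex download path, the dropped ladybi.exe, and the .locky extension mentioned earlier) are all things a SOC can hunt for in existing logs. The following is an added example, not part of Symantec's write-up: it runs those checks over constructed proxy and endpoint file-event logs. The log line formats, hostnames, domains, the minimum hex-component length, and the burst threshold for .locky creations are all assumptions made for the demo; the burst check goes beyond the text by treating a run of .locky creations on one host as an encryption-in-progress signal.

```python
"""Hunt for the Locky/Dridex delivery indicators in two constructed log sources:
a proxy log (download URL structure) and an endpoint file-creation log
(ladybi.exe drop, burst of .locky files). Added example, not Symantec's code."""
import re
from collections import defaultdict

# Two hex path components; the write-up shows them with and without a .exe suffix.
# Requiring at least 4 hex digits per component is an assumption to cut noise.
DOWNLOAD_URL = re.compile(
    r"^https?://[^/\s]+/[0-9a-f]{4,}/[0-9a-f]{4,}(?:\.exe)?$", re.IGNORECASE)
DROPPED_NAME = "ladybi.exe"      # file created by both the Locky and Dridex macros
LOCKY_EXT = ".locky"             # extension Locky appends to encrypted files
LOCKY_BURST = 3                  # .locky creations per host before alerting (assumption)


def url_matches_download_pattern(url: str) -> bool:
    """True for https://<domain>/<hex>/<hex>[.exe], the payload URL structure."""
    return DOWNLOAD_URL.match(url.strip()) is not None


def scan_proxy_log(lines):
    """Proxy line format (constructed): '<ts> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        if url_matches_download_pattern(url):
            hits.append({"ts": ts, "client": client, "url": url,
                         "reason": "hex/hex download path (Locky/Dridex loader URL)"})
    return hits


def scan_endpoint_log(lines):
    """Endpoint line format (constructed): '<ts> <host> FILE_CREATE <path>'.

    Alerts once on a ladybi.exe drop and once per host when the number of
    .locky files created reaches LOCKY_BURST."""
    alerts = []
    locky_counts = defaultdict(int)
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4 or fields[2] != "FILE_CREATE":
            continue
        ts, host, _event, path = fields
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base == DROPPED_NAME:
            alerts.append({"ts": ts, "host": host, "path": path,
                           "reason": "ladybi.exe dropped"})
        elif base.endswith(LOCKY_EXT):
            locky_counts[host] += 1
            if locky_counts[host] == LOCKY_BURST:
                alerts.append({"ts": ts, "host": host, "path": path,
                               "reason": f"{LOCKY_BURST}+ .locky files created: encryption in progress"})
    return alerts


# Constructed sample logs; domains and hosts are fictitious.
PROXY_SAMPLE = [
    "2016-02-16T09:41:02Z 10.0.0.5 GET https://cdn.example.net/8c3f1a2e/7d2e4b91.exe 200",
    "2016-02-16T09:41:03Z 10.0.0.5 GET https://cdn.example.net/8c3f1a2e/7d2e4b91 200",
    "2016-02-16T09:41:10Z 10.0.0.7 GET https://www.example.com/news/article.html 200",
    "2016-02-16T09:42:00Z 10.0.0.9 GET https://updates.example.org/v2/deadbeef/setup.exe 200",
]
ENDPOINT_SAMPLE = [
    "2016-02-16T09:41:05Z host01 FILE_CREATE C:\\Users\\bob\\AppData\\Local\\Temp\\ladybi.exe",
    "2016-02-16T09:41:30Z host01 FILE_CREATE C:\\Users\\bob\\Documents\\budget.xlsx.locky",
    "2016-02-16T09:41:31Z host01 FILE_CREATE C:\\Users\\bob\\Documents\\report.docx.locky",
    "2016-02-16T09:41:31Z host01 FILE_CREATE C:\\Users\\bob\\Pictures\\photo.jpg.locky",
    "2016-02-16T09:42:00Z host02 FILE_CREATE C:\\Users\\amy\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_SAMPLE):
        print("PROXY   ", hit)
    for alert in scan_endpoint_log(ENDPOINT_SAMPLE):
        print("ENDPOINT", alert)
```

The URL pattern is deliberately structural rather than a list of domains, because the text describes the naming scheme, not fixed infrastructure; the trade-off is that a legitimate CDN with hex-only paths will also match, so the proxy hit is best used to pivot to the endpoint log rather than to block on its own.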
Like many variants of ransomware, Locky uses strong encryption, putting the victim’s files beyond reach if they are not backed up. However, Symantec believes that Locky poses a particular danger, since its attackers appear well-resourced and have managed to distribute the malware widely in a very short space of time. This increases the chance of infection among consumers and businesses who do not regularly update their security software.
Figure 2. Example of Locky ransom message
A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud which can block email-borne threats, Symantec Web Gateway blocking web-based threats, and Symantec Endpoint Security.
Symantec and Norton products protect against Locky with the following detections:
Intrusion prevention system
- Web Attack: Neutrino Exploit Kit Redirect 2
- Web Attack: Neutrino Exploit Kit SWF Download
- Web Attack: Neutrino Exploit Kit Website 25
- Web Attack: Neutrino Exploit Kit Website 3
- Web Attack: Neutrino Exploit Kit Website 4
- Web Attack: Neutrino Exploit Kit Website 5
Tips on protecting yourself from ransomware
- Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
- Always keep your security software up to date to protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.