Biggest Spam Flood in Years Distributes Locky Ransomware

Share this…

Spam wave originated from Indian and Vietnamese IPs. Multiple security firms are reporting on a gigantic wave of spam email that delivers malicious JavaScript file attachments, laced with downloaders for the Locky ransomware.

Until now, two different companies reported on this event, ESET and Proofpoint, the latter even going as far as calling it as one of the biggest spam floods in recent years.

The particularity of this campaign resides in the fact that all the malicious emails distribute a ZIP archive which when downloaded and unzipped presents the user with a JavaScript file instead of an EXE. Because of this novel approach, most users double-click the file, and the malicious JavaScript code is executed automatically via the Windows Script Host (WSH) service.

This code generally downloads and then launches into execution malware. For this particular campaign, the criminals’ favorite payload is the Locky ransomware. This ransomware variant appeared at the start of the year and has known ties to the Dridex botnet.

In previous spam distribution campaigns, JS-based malicious email attachments also delivered banking trojans and ransomware variants like TeslaCrypt and CryptoWall.

Spam wave hit Europe the hardest

For this most recent campaign, Proofpoint said it saw an uptick of email spam originating from Indian and Vietnamese IPs. ESET said the wave aimed at European countries, but crooks didn’t deliver Locky directly but used the JS/Danger.ScriptAttachment malware dropper as a second intermediary.

Proofpoint also made a discovery yesterday, revealing Locky started using a weak encryption algorithm (XOR) to mask the malicious JavaScript code, in order to prevent easy detection by AV engines.

On the other hand, the Comodo Threat Research Labs (CTRL) also detected a Locky surge that used the disguise of Amazon shipping notices to spread the ransomware, but in this case, the crooks used Office documents with malicious macros, and not JavaScript.

Email spam detection since the start of 2016