Locky Ransomware Fuels Surge in .RAR, JavaScript Attachments


Why is it critical to stop ransomware at the gateway layer? Because email is the top entry point used by prevalent ransomware families. Based on our analysis, 71% of known ransomware families arrive via email. While there’s nothing new about the use of spam, ransomware distributors continue to employ this infection vector because it’s a tried-and-tested method. It’s also an effective way to reach potential victims like enterprises and small and medium businesses (SMBs) that normally use emails for communication and daily operations. Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions. Some of these file types can be used to code malware. In fact, as a security precaution, Microsoft turns off macros by default.

In this blog post, we examine various email file attachments and how ransomware affected the fluctuation in the use of these file types.

A look at email attachments

Trend Micro has already blocked and detected 80 million ransomware threats during the first half of the year; 58% of which came from email attachments. Throughout this year, we followed Locky’s spam campaign and how its ever-changing email file attachments contributed to its prevalence. Based on our monitoring, the rising number of certain file types in email attachments is due to Locky.

The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky.


Figure 1. Businesses are at risk to ransomware attacks as they are heavy users of productivity applications where macros are used.

In June and August, it appears Locky’s operators switched to using JavaScript attachments. However, this type of attachment is also known to download other ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0. We also noticed Locky employing VBScript attachments, likely because this can be easily obfuscated to evade scanners. Around mid-July to August, we started seeing Locky’s spam campaign using Windows Script File (WSF) attachments—which could explain how WSF became the second file type attachment most used by threats.

With WSF, two different scripting languages can be combined in a single file. The tactic makes it difficult to detect since it’s not a file type that endpoint solutions normally monitor and flag as malicious. Cerber was also spotted using this tactic in May 2016.


Figure 2. The rise in JS spam attachments from June to August is attributed to Locky. 

The latest strains of Locky were seen using DLLs and .HTA file attachments for distribution purposes. We surmise that malware authors abuse the .HTA file extension as it can bypass filters, given that it is not commonly known to be abused by cybercriminals.



Figures 3-4. Sample email message with .HTA attachment

Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat.

To block spam emails with JS, VBScript, WSF and HTA attachments, companies should use email solutions with different anti-spam filters such as heuristics and fingerprint technology. In addition, solutions with a blacklisting mechanism can block known malicious sender IPs.

To detect the macro downloaders used by Locky and Cerber, email solutions should have a macro-scanning feature that can detect the malicious macro components of these threats.

Typical email subjects

Prevalent ransomware like Locky and Cerber did not deviate from using common subject lines for social engineering. Enterprises and small-medium businesses should watch out for subject lines including those that involve invoices, parcel delivery, confirmation of order, banking notifications, and payment receipts. Knowing these email subjects can actually aid employees in spotting emails with ransomware.

Here are other samples of subjects used:

  • Documents requested
  • Audit Report
  • Budget Reports
  • Emailing: (Label | Picture | Image)
  • Message from “{RandomChar}”
  • We could not deliver your parcel, #{RandomChars}
  • Problems with item delivery, n(RandomChars)
  • Unable to deliver your item, #{RandomChars}
  • Payment receipt
  • Order Confirmation {RandomChars}
  • Bill, Paid Bills
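The gateway checks described above (blocking script-type attachments, routing macro-capable documents to macro scanning, and treating the subject-line themes listed here as a social-engineering signal) can be sketched as a single triage routine. The following is an added example, not code from the original post or from any Trend Micro product; the file-type lists, subject patterns and the sample message are all constructed for illustration, and the attachment bodies are placeholder text rather than real scripts. It also peeks inside ZIP attachments with the standard library and counts the script engines declared in a .wsf file, so the mixed-language WSF trick shows up in the verdict.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the post ties to Locky/Cerber spam, mapped to a gateway action.
# This is a constructed policy for illustration, not a vendor's product logic.
BLOCK_EXTENSIONS = {".js", ".vbs", ".wsf", ".hta", ".dll", ".com", ".bin", ".cpl"}
MACRO_SCAN_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm"}  # send to macro scanning
OPAQUE_ARCHIVES = {".rar", ".7z"}  # not expandable with the stdlib; hold for sandboxing

# Subject-line themes listed in the post, as case-insensitive patterns (constructed).
SUBJECT_PATTERNS = [
    ("invoice", re.compile(r"\binvoice\b", re.I)),
    ("parcel delivery", re.compile(r"\b(parcel|item delivery|deliver your)\b", re.I)),
    ("order confirmation", re.compile(r"\border confirmation\b", re.I)),
    ("payment receipt", re.compile(r"\bpayment receipt\b", re.I)),
    ("bank notification", re.compile(r"\bbank(ing)?\b", re.I)),
    ("report", re.compile(r"\b(audit|budget) reports?\b", re.I)),
    ("documents requested", re.compile(r"\bdocuments? requested\b", re.I)),
    ("emailing", re.compile(r"^emailing:", re.I)),
    ("message from", re.compile(r"^message from\b", re.I)),
    ("bills", re.compile(r"\b(paid )?bills?\b", re.I)),
]


def suspicious_subject(subject):
    """Return the label of every subject theme that matches."""
    return [label for label, pat in SUBJECT_PATTERNS if pat.search(subject)]


def wsf_script_languages(data):
    """Collect the script engines a .wsf declares; two or more is the mixed-language trick."""
    found = re.findall(rb'<script[^>]*\blanguage\s*=\s*["\']?([A-Za-z]+)', data, re.I)
    return {lang.decode("ascii").lower() for lang in found}


def expand(name, data):
    """Yield (name, bytes) for an attachment and, for ZIP files, for each member too."""
    yield name, data
    if os.path.splitext(name)[1].lower() == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    yield f"{name}/{info.filename}", zf.read(info)
        except zipfile.BadZipFile:
            pass  # corrupt archive: the outer attachment was already yielded


def classify(name, data):
    """Map one file to a gateway action, or None if no rule applies."""
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCK_EXTENSIONS:
        finding = {"name": name, "ext": ext, "action": "block"}
        if ext == ".wsf":
            finding["languages"] = sorted(wsf_script_languages(data))
        return finding
    if ext in MACRO_SCAN_EXTENSIONS:
        return {"name": name, "ext": ext, "action": "macro-scan"}
    if ext in OPAQUE_ARCHIVES:
        return {"name": name, "ext": ext, "action": "sandbox"}
    return None


def triage(raw):
    """Parse a raw RFC 822 message and return attachment findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        for name, data in expand(filename, payload):
            finding = classify(name, data)
            if finding:
                findings.append(finding)
    verdict = "allow"
    if any(f["action"] == "block" for f in findings):
        verdict = "block"
    elif findings:
        verdict = "hold"  # macro scan or sandbox before delivery
    return {"subject": subject, "subject_hits": suspicious_subject(subject),
            "attachments": findings, "verdict": verdict}


def build_sample_email(malicious=True):
    """Constructed sample message; attachment contents are placeholders, not real scripts."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.invalid"
    msg["To"] = "ap@company.invalid"
    msg["Subject"] = "Order Confirmation 48213" if malicious else "Lunch on Friday?"
    msg.set_content("Please see the attached document.")
    if malicious:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("Invoice_48213.js", "// placeholder text, not a real script\n")
        msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                           filename="Invoice_48213.zip")
        wsf = (b'<job><script language="VBScript">\' placeholder</script>'
               b'<script language="JScript">// placeholder</script></job>')
        msg.add_attachment(wsf, maintype="application", subtype="octet-stream",
                           filename="report.wsf")
    else:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="menu.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_email()), indent=2))
```

Running the module prints the verdict for the constructed message: the JavaScript file is found inside the ZIP, the .wsf is blocked and reported as declaring both VBScript and JScript, and the subject matches the "order confirmation" theme. A subject hit on its own is kept as a signal rather than a block, since legitimate invoices use the same wording; in a real gateway it would raise the score of a message that also carries a held attachment.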


Figure 5. Sample of a spammed email message


One critical aspect of a ransomware attack is its delivery mechanism. Once ransomware-laced emails enter the network and execute on the system, they can encrypt important files. Gateway solutions should be in place to prevent ransomware from entering the network.

Because of the very nature of these threats, companies need a multilayered solution that can cover all their bases, from the exposure layer to endpoints, network, and servers. It is also highly recommended that companies perform backups to avoid succumbing to paying the ransom. Earlier this year, we conducted a Security Preparedness survey where we asked decision makers, buyers, and end-users from small-medium to large enterprises if they do backups. Our survey revealed that 33% of the respondents either did not strictly implement their backup policy or were unaware if they had one.

Here’s an overview of Trend Micro products that can address ransomware from the gateway level and endpoints, to network and servers.