Locky Ransomware Distributed Through Massive “Spray & Prey” Spam Campaign
The unbreakable Locky is on a rampage. For your safety, don’t open this email!
In the past 7 days, we’ve seen a massive surge in malicious campaigns aiming to spread Locky ransomware to as many computers as possible.
Not only are the campaigns more frequent, but they’re also large scale and use infection vectors that are new for this ransomware family: fake Flash Player update sites and SVG images in messages sent through Facebook Messenger.
What’s more, Locky recently changed the extension it uses for encrypted files to .aesir (after the Æsir, the principal group of Norse gods). While we do love Norse mythology (as you can tell from our name), we completely disapprove of what attackers are doing with these symbols and with people’s data.
This latest Locky campaign sent millions of spam emails to random recipients in companies from all over the world.
The subject line is crafted to look like a routine office document or scan and comes in a few variations:
Subject Line: (% Document% |% Photosmart% |% Scan%) from office
The email carries an attached archive containing a .vbs file (Visual Basic Script). When the user runs it, the script downloads Locky from one of a large batch of compromised websites, including the ones below (de-fanged for your safety):
http://cufarulculenjerii [.] ro / 988gd4
http://mospi [.] ru / 988gd4
http://mvp-sp11 [.] ru / 988gd4
http://newday-inc [.] com / 988gd4
http://newlifecamp [.] bravepages [.] com / 988gd4
http://nhadatok [.] com / 988gd4
http://ocioclick [.] es / 988gd4
http://odzs [.] cz / 988gd4
http://olgiatalife [.] it / 988gd4
http://palsiraj [.] org / 988gd4
http://pannon-retro [.] com / 988gd4
http://rollkons [.] lv / 988gd4
The VBS script retrieves Locky in an obfuscated form to evade detection on the wire: the downloaded file is XOR-encoded with the key “M7meLUMMVmEaR2eHds9aMc04MzRpdZmV”, so it does not look like an executable until the script reverses the encoding.
The payload is decoded locally and then executed with the privileges of the logged-in user.
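The decoding step described above, as an added example that is not part of the original write-up or of CSIS’s analysis: the key is the one quoted in the text, but the assumption that it is applied as a plain repeating-key XOR starting at offset 0 is ours. The second function shows why this kind of obfuscation is weak even when the key is unknown: a PE file’s DOS header contains a run of zero bytes at offsets 0x1C to 0x3B, so the ciphertext there is the key itself. The sample “payload” is a constructed minimal PE header, not malware.

```python
from typing import Optional

# Key quoted in the write-up. Repeating-key layout starting at offset 0 is an assumption;
# the article only says the download is XORed with this value.
XOR_KEY = b"M7meLUMMVmEaR2eHds9aMc04MzRpdZmV"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the key, cycling the key; the same call encodes and decodes."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_payload(encoded: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Replay the downloader's decoding step; return None if the result is not a PE file."""
    decoded = xor_repeating(encoded, key)
    return decoded if looks_like_pe(decoded) else None


def recover_key(encoded: bytes, key_len: int = len(XOR_KEY)) -> Optional[bytes]:
    """Known-plaintext attack for when the key is not known but its length is.
    Offsets 0x1C-0x3B of the DOS header (reserved fields e_res, e_oemid, e_oeminfo,
    e_res2) are zero in practically every PE, so the ciphertext there equals the key.
    32 consecutive zero bytes cover every position of a 32-byte repeating key.
    The candidate is accepted only if it actually decodes to a PE."""
    if len(encoded) < 0x40:
        return None
    key = bytearray(key_len)
    for off in range(0x1C, 0x3C):
        key[off % key_len] = encoded[off]
    key = bytes(key)
    return key if decode_payload(encoded, key) is not None else None


def build_fake_pe(body: bytes = b"\xCC" * 64) -> bytes:
    """Constructed stand-in for a real sample: minimal DOS header with e_lfanew=0x40,
    a PE signature, and filler. Not malware, just the header shape the checks rely on."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + body


if __name__ == "__main__":
    plain = build_fake_pe()
    wire = xor_repeating(plain, XOR_KEY)  # what the .vbs would receive over HTTP
    print("first bytes on the wire:", wire[:2].hex(), "(no MZ, so naive signatures miss it)")
    print("decodes to the PE:", decode_payload(wire) == plain)
    print("key recovered from header zeros:", recover_key(wire) == XOR_KEY)
```

The practical point for responders: a proxy or sandbox that captured the raw download can be turned into the executable with a one-liner once the key is known, and the header-zeros trick means the key itself can usually be read straight out of the captured traffic.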
Once running, the encrypting malware connects to a set of hard-coded IP addresses to check the infected computer in with the attackers’ command-and-control (C&C) infrastructure:
If none of the hard-coded IP addresses respond, Locky falls back on its built-in Domain Generation Algorithm (DGA). Because the generated domains change over time, the following C&C domains are only in use as a failover for a short period:
http://ghaapfjehrjuuwex [.] pl / information.cgi
http://wajbybkasd [.] su / information.cgi
http://kerfsbsrsdiqlobox [.] click / information.cgi
http://doakqyc [.] biz / information.cgi
http://qwboftw [.] su / information.cgi
http://ikbjdclqadoai [.] xyz / information.cgi
http://aarmkgw [.] ru / information.cgi
http://wifjrnhmhcnplta [.] click / information.cgi
http://dpmtlqndkq [.] pl / information.cgi
http://jvbbuowmklejsiqsf [.] org / information.cgi
http://gjwfccqk [.] info / information.cgi
http://dhmpxbtaby [.] pl / information.cgi
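Both stages of the network activity above (the .vbs fetching the payload from a compromised site, and the running payload beaconing to a C&C host) leave the same two fixed paths in a web proxy log. The following detection logic is an added example written for this page, not code from the original write-up or from CSIS: it re-assembles the de-fanged indicators quoted above and runs them over a handful of constructed proxy log lines. The log line format, the client addresses and the host xkqpzrlwtv.xyz are all made up for the example.

```python
import math
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Indicators taken from the article (re-assembled from the de-fanged form for matching).
STAGE1_PATH = "/988gd4"           # what the .vbs downloader requests on the compromised sites
C2_PATH = "/information.cgi"      # what the running payload requests on its C&C hosts
C2_HOSTS = {
    "ghaapfjehrjuuwex.pl", "wajbybkasd.su", "kerfsbsrsdiqlobox.click", "doakqyc.biz",
    "qwboftw.su", "ikbjdclqadoai.xyz", "aarmkgw.ru", "wifjrnhmhcnplta.click",
    "dpmtlqndkq.pl", "jvbbuowmklejsiqsf.org", "gjwfccqk.info", "dhmpxbtaby.pl",
}

# Assumed line layout for the proxy log (constructed for this example):
#   <timestamp> <client_ip> <method> <url> <status> <bytes>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) (\d+)$")


def label_entropy(host: str) -> float:
    """Shannon entropy (bits per character) of the registrable label, e.g. 'dpmtlqndkq'
    for dpmtlqndkq.pl. Algorithmically generated names tend to score higher than
    dictionary words; this is triage context for the analyst, not the detection decision."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_line(line: str) -> Optional[dict]:
    """Return an alert for a log line that matches a Locky indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, _size = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == STAGE1_PATH:
        reason = "locky-stage1-download"
    elif parts.path == C2_PATH:
        # The DGA rotates hosts, so the fixed path is the durable indicator; a hit on an
        # unlisted host is still worth a look, with the entropy value as a hint.
        reason = "locky-c2-known-host" if host in C2_HOSTS else "locky-c2-path-unknown-host"
    else:
        return None
    return {
        "ts": ts, "client": client, "method": method, "host": host, "status": int(status),
        "reason": reason, "label_entropy": round(label_entropy(host), 2),
    }


def scan(lines) -> list:
    """Run check_line over an iterable of log lines and keep the hits."""
    return [a for a in map(check_line, lines) if a is not None]


# Constructed sample log: one client walks the full infection chain (stage-1 download,
# beacon to a listed C&C, beacon to a DGA host not on the list); another client produces
# a path-only hit on a normal-looking host that an analyst would triage and dismiss.
SAMPLE_LOG = [
    "2016-11-23T10:12:05Z 10.0.0.12 GET http://mospi.ru/988gd4 200 187654",
    "2016-11-23T10:12:09Z 10.0.0.12 POST http://dpmtlqndkq.pl/information.cgi 200 512",
    "2016-11-23T10:12:11Z 10.0.0.12 POST http://xkqpzrlwtv.xyz/information.cgi 200 512",
    "2016-11-23T10:13:00Z 10.0.0.7 GET http://www.example.com/index.html 200 4096",
    "2016-11-23T10:13:02Z 10.0.0.7 GET http://www.example.com/information.cgi?x=1 404 0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Matching on the path rather than only on the host list is deliberate: the compromised download sites and the DGA domains rotate, while the two paths stayed constant across the campaign, so a path-based rule keeps firing after the listed hosts have gone stale.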
We always emphasize that protecting against ransomware requires multiple layers, and this campaign shows why: antivirus detection is very low, with only 8 of 54 engines currently flagging the sample.
Locky has come a long way since it first appeared and is now one of the most menacing ransomware families on the Internet.
Although decryption tools exist for many other families of encrypting malware, Locky remains unbroken: it constantly changes its code to evade detection and to frustrate decryption efforts by security researchers.
The best safeguard is having at least two backups of your data, at least one of them kept offline where a running infection cannot reach it, and really understanding what ransomware can do. Our dedicated guide will give you a better grasp of this threat and a short list of security measures that can really make a difference for your data protection.
*This article features cyber intelligence provided by CSIS Security Group researchers.