Security Alert: New Locky Ransomware Shows Off through Rampant Distribution
A new, fast-spreading type of encrypting malware is on the loose
After hitting a US hospital, cyber security specialists warn that this new strain of ransomware is being aggressively spread to compromise potential victims around the world. Its name: Locky.
You may be led to think of the Avengers when reading about this new cryptoware type, but this new threat doesn’t come from Asgard.
Locky made its entrance in the cyber crime scene with a bang, after extorting money from a hospital in Hollywood:
The Hollywood Presbyterian Medical Center’s own nightmare started on 5 February, when staff noticed they could not access the network. It was soon determined hackers had locked up those files and wanted 40 Bitcoins (worth around $17,000) for the decryption key required to unlock the machines.
With their data encrypted and under huge pressure to resolve the issue as fast as possible, the hospital’s management decided to pay up, as many ransomware victims do.
The analysis reveals that Locky closely follows the Dridex gang’s modus operandi: email spam campaigns which, at times, even leveraged the good reputation of big brands to achieve a higher infection rate.
Locky ransomware targeting German-speaking victims
Similarly, Locky infections also start with a spam email. Just this morning, cyber security specialists observed a spam run that propagates the new ransomware.
Here are the details of the email:
From: [spoofed / fake return address]
Subject Line: Rechnung 2016-11365
The content is in German and pretends to come from the Mpsmobile Team.
The following infected file comes as an attachment:
The analysis shows that the document is identical to the droppers used in Dridex spam campaigns. This particular document includes macros which, if the user enables them, connect the victim’s PC to a malicious web page and download Locky from there. Nothing happens until the macro runs, so stopping the attachment at the mail gateway, or keeping Office macros disabled, breaks the chain before the first download.
This is just one of the various spam campaigns that have been aggressively spreading Locky, but they all have one thing in common: the series of URLs from which the ransomware downloads and runs its main components. Here is a small list of these malicious websites (sanitized):
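A gateway-side check for the macro dropper stage, added here as an illustration and not code from the original post or from CSIS: it flags Office attachments that carry a VBA project, both in the OOXML container (a vbaProject.bin entry inside the ZIP) and in the legacy OLE2 container (a directory entry named _VBA_PROJECT, stored as UTF-16LE). The sample attachments are constructed in memory, and the filenames and the triage helper are assumptions for the example, not artefacts from the campaign.

```python
"""Flag e-mail attachments that carry VBA macros, as a mail-gateway check.

Added example for this article; not code from the original post or from CSIS.
Two Office container formats are handled:
  * OOXML (.docm/.xlsm/.pptm): a ZIP archive; macros live in */vbaProject.bin.
  * Legacy OLE2 (.doc/.xls): a compound file whose directory entry names are
    UTF-16LE; a VBA project shows up as a stream named "_VBA_PROJECT".
The sample files built below are constructed in memory, not real droppers.
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if the attachment bytes contain a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: look for the VBA project stream name in the
        # directory. This is a heuristic, not a full compound-file parser.
        return VBA_STREAM_UTF16 in data
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin")
                           for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def make_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-shaped archive (sample data, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def make_ole(with_macros: bool) -> bytes:
    """Construct an OLE2-looking blob (sample data, not a real file)."""
    body = OLE_MAGIC + b"\x00" * 504                      # header sector
    body += "WordDocument".encode("utf-16-le") + b"\x00" * 64
    if with_macros:
        body += VBA_STREAM_UTF16 + b"\x00" * 64
    return body


def triage(attachments: dict) -> dict:
    """Map filename -> 'quarantine' or 'deliver' (hypothetical gateway policy)."""
    return {name: ("quarantine" if has_vba_macros(blob) else "deliver")
            for name, blob in attachments.items()}


if __name__ == "__main__":
    samples = {
        "invoice.doc": make_ole(True),
        "report.doc": make_ole(False),
        "invoice.docm": make_ooxml(True),
        "report.docx": make_ooxml(False),
    }
    for name, verdict in triage(samples).items():
        print(f"{name}: {verdict}")
```

The OLE2 branch is a string search, which is enough to quarantine-and-review at a gateway; for a proper parse of the compound file and extraction of the macro source, the olevba tool from oletools does the job.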
http://nautipol [.] es / 2 / 2_6f3f22f0.exe
http://jsteksys [.] com / 4 / 4_b9ffd5c5.exe
http://hazentrumsuedperlach [.] de / 1 / 1_5a0befc0.exe
http://blitz174 [.] ru / system / SMSGate / 7623dh3f.exe
The moment Locky’s main component runs on the machine, the encryption process begins automatically, affecting all the data files it can reach, both locally and on connected network drives. In the next stage, Locky connects to a Command & Control server, which enrolls the affected PC into a botnet.
A small sample of active Locky Command & Control servers are shown below:
http://jbdog [.] IT / main.php
http://kpybuhnosdrm [.] in / main.php
http://luvenxj [.] uk / main.php
http://dkoipg [.] pw / main.php
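The two indicator lists above (download sites and C&C check-in hosts) are printed sanitized. The script below, an added example and not code from the original post or from CSIS, refangs them, builds a host-to-stage table, and runs it over proxy log lines. The log format and the log lines are constructed for the example and are not real traffic.

```python
"""Run the sanitized download and C&C indicators from this article over
proxy log lines.

Added example for this article; not code from the original post or from
CSIS. The indicator strings are the ones printed in the article; the proxy
log lines are constructed for the example and are not real traffic.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as sanitized in the article: Locky download sites
# (the .exe URLs) and C&C check-in URLs (main.php).
RAW_IOCS = [
    "http://nautipol [.] es / 2 / 2_6f3f22f0.exe",
    "http://jsteksys [.] com / 4 / 4_b9ffd5c5.exe",
    "http://hazentrumsuedperlach [.] de / 1 / 1_5a0befc0.exe",
    "http://blitz174 [.] ru / system / SMSGate / 7623dh3f.exe",
    "http://jbdog [.] IT / main.php",
    "http://kpybuhnosdrm [.] in / main.php",
    "http://luvenxj [.] uk / main.php",
    "http://dkoipg [.] pw / main.php",
]

# Constructed proxy log, one request per line:
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2016-02-17T09:12:01Z 10.0.0.12 GET http://www.example.org/ 200
2016-02-17T09:12:07Z 10.0.0.12 GET http://nautipol.es/2/2_6f3f22f0.exe 200
2016-02-17T09:13:40Z 10.0.0.12 POST http://jbdog.it/main.php 200
2016-02-17T09:14:02Z 10.0.0.31 GET http://mail.example.org/owa/ 302
2016-02-17T09:15:11Z 10.0.0.31 POST http://luvenxj.uk/main.php 200
"""


def refang(sanitized: str) -> str:
    """Undo the ' [.] ' and ' / ' defanging so the URL can be parsed.
    URLs carry no legitimate whitespace, so all of it is dropped."""
    return re.sub(r"\s+", "", sanitized.replace("[.]", "."))


def indicator_table(iocs=RAW_IOCS) -> dict:
    """Map each indicator hostname (lowercased) to the stage it belongs to."""
    table = {}
    for ioc in iocs:
        parsed = urlparse(refang(ioc))
        stage = "c2" if parsed.path.endswith("/main.php") else "download"
        table[parsed.hostname.lower()] = stage
    return table


def scan_log(log_text: str, iocs=RAW_IOCS) -> list:
    """Return (client, host, stage) for every log line whose host is an indicator.
    Matching is on the host only: the .exe names rotate per campaign."""
    table = indicator_table(iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than crash the sweep
        client, url = fields[1], fields[3]
        host = urlparse(url).hostname
        if host and host.lower() in table:
            hits.append((client, host.lower(), table[host.lower()]))
    return hits


def affected_clients(hits) -> dict:
    """Group hits by client. A client seen both fetching the dropper and
    checking in to C&C has, per the article's sequence, already started
    encrypting and needs isolating, not just blocking."""
    clients = {}
    for client, _host, stage in hits:
        clients.setdefault(client, set()).add(stage)
    return clients


if __name__ == "__main__":
    found = scan_log(SAMPLE_PROXY_LOG)
    for client, host, stage in found:
        print(f"{client} -> {host} ({stage})")
    print(affected_clients(found))
```

Because the article notes that encryption starts before the C&C enrollment, a C&C hit on its own means the damage is most likely done; the download-stage hit is the one that still leaves time to pull the machine off the network.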
As with all other ransomware families, once the encryption is completed, the victim is shown a ransom note:
In this particular campaign, the cyber criminals set up a C&C admin panel behind a Tor login, reachable here through the onion.to web-to-Tor gateway (sanitized): https://6dtxgqam4crv6rr6 [.] onion.to/admin.php .
Antivirus detection is low, with a rate of only 7/54 on VirusTotal:
Click here for the full detection results at the time the campaign was analyzed.
Research from Palo Alto Networks shows that the US is the main target, but the campaign presented above is clearly directed at German-speaking countries, so the attackers are definitely expanding their reach.
We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined.
Our advice on protecting yourself from ransomware such as Locky
Getting infected with ransomware is not a minor inconvenience: it leaves victims feeling they have completely lost control over their data. It isn’t cheap either! In fact, Sophos researchers said that:
The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).
So if you want to avoid all the drama, fear, uncertainty and expense that comes with a ransomware infection, you should follow the advice in this guide we put together for you.
As always, the best protection is prevention, and we hope you never have to deal with Locky or other ransomware and their regrettable consequences.
* This article features cyber intelligence provided by CSIS Security Group researchers.