New Way to Deliver Ransomware

Wednesday, August 17, 2016 @ 12:08 PM gHale


A new Locky ransomware variant targets organizations using Windows script files (WSF), researchers said.

Attackers started using WSF files last May to deliver the Cerber crypto-ransomware. Since the method can be highly efficient for evading detection, attackers started using it to spread Locky.

RELATED STORIES
Ransomware Jumps on PHP Form Issue
Updated Ransomware Releases
Locky Top Malware Threat for Q2
Cops, Researchers Fight Ransomware

WSF files, text documents that contain XML code, act as a container. Since they are not engine-specific, each file can contain more than one scripting language, said researchers at Trend Micro.

Researchers said using WSF files makes it difficult to detect the threat as these types of files are not typically monitored by traditional endpoint security solutions.

“Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze,” Trend Micro researchers said in a blog post.

“Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When downloaded files have different hashes, detecting them via blacklisting becomes difficult,” they added.

In the attacks observed by Trend Micro last month, bad guys focused on targeting companies. The WSF files that deliver Locky are compressed in ZIP archives and attached to emails with subject lines such as “annual report,” “bank account record” or “company database.”

Millions of these spam emails have been sent out, with the highest volumes recorded on weekdays between 9 AM and 11 AM UTC, the timeframe when most European employees begin their workday.

The spam emails came from machines in Serbia, Colombia and Vietnam, and later from Thailand and Brazil.

Once it infects a computer, Locky checks the registry to determine the language set on the system and displays the ransom note in that language.