Switch in Ransomware Distribution

Friday, August 19, 2016 @ 03:08 PM gHale


Locky ransomware continues its growth cycle with a switch in its distribution mode at the start of August, replacing the JavaScript-based downloaders it had relied on with malicious Microsoft Office documents carrying the macro-enabled DOCM file extension.

This comes on top of an earlier finding that a Locky variant was being spread to organizations through Windows Script Files (WSF), another scripting format attackers had adopted to deliver the ransomware, researchers said.


Since Locky first appeared, one feature was common to all of its spam: the attachment was a JavaScript file packed inside a ZIP archive, sent to potential victims by email.

Starting with August 2016, the group uses macro scripts embedded in Office DOCM files, said researchers at FireEye.

When the user opens one of these documents and allows the macro to run (clicking past Protected View’s “Enable Editing” and then the “Enable Content” prompt that governs macros), the VBA script connects to a remote server, downloads the Locky executable and installs it. Nothing runs unless the user clicks through both prompts, which is why the lure text in these documents pushes the reader to do exactly that.
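The switch to DOCM attachments is easy to catch at a mail gateway because the container format gives the macro away: a DOCM is an Office Open XML ZIP package, and any VBA it carries lives in a `word/vbaProject.bin` part, with `[Content_Types].xml` declaring the macro-enabled document type. The script below is an added triage example written for this article, not FireEye’s or ISSSource’s code. It builds two minimal packages in memory (constructed test data, not real Locky samples), then checks an attachment for the VBA part, the declared content type, and a mismatch between the two or between the part and the file extension; the names `triage` and `build_sample` and the quarantine policy are this example’s own choices. It does not decompress the VBA source itself; for that, a tool such as oletools’ `olevba` is the usual next step.

```python
"""Structural triage of an Office Open XML attachment for embedded VBA.

Added example for the article above; not code from FireEye or ISSSource.
A .docm is a ZIP package whose VBA project is stored as word/vbaProject.bin,
and whose [Content_Types].xml declares the macro-enabled main part type.
The two sample packages built below are constructed in memory so the script
runs offline; they are not real malware samples.
"""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument."
    "wordprocessingml.document.main+xml"
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header, as in a real vbaProject.bin


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package (test data, not a real document)."""
    main_ct = MACRO_CONTENT_TYPE if with_macro else PLAIN_CONTENT_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    )
    if with_macro:
        content_types += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types += "</Types>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin holds MS-OVBA-compressed module source inside an
            # OLE compound file; for this structural check only the part's presence matters.
            z.writestr(MACRO_PART, OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def triage(filename: str, data: bytes) -> dict:
    """Inspect one attachment and return findings plus an 'allow'/'quarantine' verdict.

    Quarantining every VBA-bearing Office attachment is this example's policy
    choice (an assumption), not a rule from the article.
    """
    findings = {
        "filename": filename,
        "is_ooxml": False,
        "has_vba": False,
        "declares_macro_type": False,
        "mismatch": False,
        "verdict": "allow",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # not an OOXML package; outside this check's scope

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "[Content_Types].xml" not in names:
            return findings  # a ZIP, but not an Office Open XML package
        findings["is_ooxml"] = True
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["declares_macro_type"] = MACRO_CONTENT_TYPE in content_types
        findings["has_vba"] = MACRO_PART in names

    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A VBA part inside a file named .docx, or a declared type that disagrees with
    # the parts actually present, is worth flagging on its own.
    findings["mismatch"] = (findings["has_vba"] and ext == "docx") or (
        findings["declares_macro_type"] != findings["has_vba"]
    )
    if findings["has_vba"] or findings["declares_macro_type"]:
        findings["verdict"] = "quarantine"
    return findings


if __name__ == "__main__":
    for name, doc in [("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(False)),
                      ("invoice.docx", build_sample(True))]:
        print(triage(name, doc))
```

Run as a script it prints the findings for a macro-enabled package, a clean one, and a macro package renamed to `.docx`. The check is deliberately structural: it never executes or parses the macro, so a sandbox or a VBA extractor is still needed to see what the downloader actually does.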

FireEye said this new wave of Locky spam hit victims across the globe.

According to FireEye’s figures for the first half of August, users in the U.S., Japan, the Republic of Korea, Thailand, and Singapore received the most of this spam.

Based on the email addresses at the receiving end of all this spam, researchers said the healthcare sector was the most targeted, along with manufacturing, telecom, transportation, and general services.

It has been known for a while that the group distributing Locky uses the same command-and-control (C&C) infrastructure as the gang behind the Dridex banking Trojan.

These recent Locky spam campaigns come in waves, each using a different payload, but FireEye found a pattern common to all of them, which points to the professionalism of the people behind the operation.