Locky Infections Decrease as the Ransomware Switches Tactics

Ransomware infection statistics show that the number of Locky ransomware infections have decreased as the virus changes its infiltration tactics.

Locky Is Going Through Changes

The infamous Locky ransomware has shown a remarkable decrease in infections according to the latest victim statistics. This is actually the biggest and most popular family of ransomware and these results are attributed to the changing tactics of the malicious code.

One of the main distribution methods of the ransomware variants that are descendants of Locky have been via the three main distribution methods – macro-infected document files, exploit kits (targeting security vulnerabilities and bad configurations in applications) and malicious attachments.

We Reported that the ransomware has also used the aid of the Necurs botnet to send spam emails by using popular social engineering tricks. Some of the example subjects include the following titles:

  • Your Debit Card is temporarily blocked
  • Bill for documents
  • Clients Accounts
  • Document No [Insert Random Number]

These messages carry the Locky ransomware as attachments or malicious links, for more information read our report. So far one of the most popular ways to distribute the infection is through ZIP archives. However a new trend in the Locky development has emerged.

We reported another Locky transformation that used DLL files instead of EXE binaries. This allows for improved stealth protection from anti-virus software. Locky uses a custom packer, which hides its signature and makes it harder to detect.

And now another change is taking place. The most recent trend in Locky distribution is the usage of LNK files.

The developers of the malware code have changed the files to malicious payload downloaders which use PowerShell commands to download and run the Locky ransomware.

This is probably tied to some of the recent overall development of ransomware in general. Using a several stage delivery method allows for a more consistent and effective infection. Not all anti-virus software can scan the more sophisticated PowerShell commands. In addition if the Locky binaries are delivered in a password-protected archive and then decrypted with a script, there is practically no way of discovery as the security software do not contain brute force capabilities.

New Locky Challenges

The latest trend in the underground hacker community is to use the LNK file format. This is actually an old trick that has been re-purposed for some recent Locky infections.

The way it works is that the malware links to an application that is installed on every computer, the most common case is the PowerShell binary. The Locky operators create a shortcut to the local utility installation and pass on preset parameters and commands that lead to Locky infections.

This is actually used actively in the spread of one of the most famous variants of the ransomware family – Odin, click here to read more.

Its interesting to note how one of the oldest ransomware families continues to grow in popularity and spawn multiple variants that attack all kinds of targets – from individual institutions to government agencies and medical institutions.

Fortunately the security community has resorted to aid victims by creating the specialist LockyDump tool. Let’s just hope that it will help in this war against malware attacks.

We will report on anything that is relevant to Locky as the war on viruses continues on.

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *