Malware researchers uncovered a new ongoing attack against computer users worldwide containing different Locky ransomware variants. The campaign is being delivered via the Necurs botnet that uses infected email messages.
Locky Ransomware Attacks Still Going Strong
The iterations of the virus are able to encrypt user and system data only on versions of the Microsoft Windows operating system older than Vista and XP. It was discovered that the hackers are changing their tactics by preferring newer malware such as the Jaff ransomware. Email spam messages are the main delivery method for spreading the malware. As usual, different strategies can be employed:
Template messages that use social engineering tricks to manipulate the victims into infecting themselves with the attached or linked virus files. In most cases the spam emails contain legitimate-looking graphics and use text and links that imitate real letters or notices. The users are coerced into interacting with them by either downloading and running an attachment or clicking on a link.
Spreading scripts, infected software installers and documents to predefined targets. The Locky ransomware is downloaded only after the users open the required file.
Direct file attachments without any message content.
The analyzed Necurs botnet campaign is of the third type: the messages are sent from hacked or hacker-generated email inboxes and domains. They contain the Locky ransomware instances, which are delivered to the targeted companies when the recipients download the attachments.
The criminals behind the virus distribute randomly-generated PDF files. Once these are opened, the victims are shown a prompt that asks them to enable the built-in scripts. The same strategy is used for Microsoft Word files (with the .doc, .docx or another extension). It appears that the new campaign seeks to infect the victims with one of the latest variants of the Locky ransomware – the LOPTR virus.
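A defender's triage check for the attachment type described above, added here as an example and not part of the original article: it counts PDF dictionary keys that signal active content (script-on-open actions) or an embedded payload, the combination the prompt-to-enable-scripts lure relies on. The sample PDF skeletons are constructed and the scoring thresholds are an assumption.

```python
import re
from typing import Dict

# PDF name keys that indicate active content or embedded payloads. Their
# presence in a mail attachment is a triage signal, not proof of malice.
RISKY_KEYS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/EmbeddedFile", b"/RichMedia",
)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names (/J#53 -> /JS) so obfuscated keys count."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> Dict[str, int]:
    """Count each risky key in a raw PDF byte string."""
    data = normalize_names(data)
    counts = {}
    for key in RISKY_KEYS:
        # Require a delimiter after the name so /EmbeddedFile does not
        # match /EmbeddedFiles and /JS does not match a longer name.
        pattern = re.escape(key) + rb"(?![A-Za-z0-9])"
        counts[key.decode()] = len(re.findall(pattern, data))
    return counts


def triage(data: bytes) -> str:
    """Assumed scoring: embedded file plus script is the dropper pattern."""
    c = scan_pdf(data)
    if c["/EmbeddedFile"] and (c["/JS"] or c["/JavaScript"]):
        return "HIGH: embedded file plus script"
    if any(c[k] for k in ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch")):
        return "MEDIUM: active content present"
    return "LOW: no active content"


# Constructed sample: a minimal PDF skeleton (not a real malicious file) with a
# script run on open and an embedded file stream; /J#53 is an escaped /JS.
SAMPLE_SUSPICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 4 0 R >> >> endobj
2 0 obj << /S /JavaScript /J#53 (app.alert("constructed sample")) >> endobj
3 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
%%EOF
"""
# Constructed benign sample: a catalog with no actions or attachments.
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
```

Run the same scan over every PDF attachment at the mail gateway and quarantine or sandbox anything scored HIGH rather than relying on the user to refuse the enable-scripts prompt.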
The Locky ransomware engine seeks to encrypt a wide range of target file extensions, including documents, databases, archives, backups, photos, music, videos and so on.
The Locky Ransomware Grand Return
One of the possible reasons for the continued spread of the Locky ransomware is the fact that only strains from the famous malware families seem to impact users on a mass scale. With the exception of the WannaCry ransomware, cyber security companies worldwide seek mainly to repel and defend against the most popular malware families. These families use a combination of social engineering tricks and unpatched vulnerabilities, a successful combination that has resulted in thousands of US dollars in ransom paid to the hackers.
Like other similar threats, the Locky ransomware contains a stealth protection module. It prevents execution and discovery by deleting itself if a controlled environment is detected. This is done in the earliest stage of infection, when the virus is deployed, and covers known virtual machine instances and debuggers.
Security experts from one of the leading anti-virus vendors detected that the Necurs botnet Locky attack wave started after Jaff, which had been expected to succeed, failed. That ransomware was able to spread rapidly to computer networks across the world, but the effectiveness the hackers hoped for was not achieved. To keep making a large profit they switched back to distributing what had worked up to that point – mainly attacks with the Locky and Cerber families of viruses.
They are deemed among the most successful malware families because they encrypt files with a very strong cipher. One of the weaknesses associated with the Locky ransomware campaign is that the viruses are compatible only with older versions of the Microsoft Windows operating system. The virus is able to compromise only machines running XP or Vista and older iterations, due to the way the system works. The ransomware does not work with the specific set of instructions found in the Data Execution Prevention (DEP) feature that is built into Windows 7 and later. It is suspected that the creators of the Locky ransomware did not take measures to ensure that their virus is compatible with this feature. As such, this error was compiled into the initial core of the ransomware and thus became part of all future versions of it. We suspect that future versions of the virus may be able to impact all versions of the Microsoft Windows family and even support other platforms as well.