Locky ransomware pushers keeping things fresh using many new attachments
Trend Micro Locky chart
The threat actors behind Locky have kept the ransomware one step ahead of their victims' defenses this year by steadily altering the types of attachments included in the spam campaigns used to spread the malware.
The reason for constantly mixing things up is straightforward, according to Christopher Budd, Trend Micro's global threat communications manager.
“The cat-and-mouse game between attackers and defenders doesn't have clear-cut lines when defenders render attackers' tactics ineffective and attackers switch. Good attackers regularly change up their tactics over time to keep defenders off-balance and make defense harder,” Budd told SCMagazine.com in an email interview.
Locky has been one of the more upgraded malware types, which is one of the reasons it has been so successful. Overall ransomware numbers are staggering. Trend Micro said it has detected and blocked 80 million ransomware attacks, of all types, during the first half of the year.
While groups pushing other forms of malware also make changes on the fly, Budd said the Locky crew is particularly aggressive and is always looking for a new angle of attack.
However, all the alterations could go for naught if the target has its defenses up.
“For defenders that are in tune with the current threat environment and fully utilize the capabilities of adaptive protection technologies, this doesn't really complicate things: it's part of business as usual. Switching tactics makes “set and forget” defense tactics ineffective. But the threat environment we face has already made that approach a dangerous one,” he said.
“Attachments using WSF file types have a greater degree of attack flexibility because they enable attackers to use more than one scripting language, which can in turn make defense more challenging,” Budd said.
Trend Micro researchers have every reason to believe Locky's handlers will keep switching things up.
“We suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat,” the report stated.
Oddly, the bad guys seemingly focused all their attention on the attachment and left the social engineering part of the attack somewhat static. In order to appeal to businesses Trend Micro found the emails were topped with simple, common subject lines having to do with everyday corporate practices, such as, audit report, budget reports and payment receipt.