Application security, Malware, Ransomware

Locky ransomware pushers keeping things fresh using many new attachments

The threat actors behind Locky have kept the ransomware one step ahead of their victims' defenses this year by steadily altering the types of attachments included in the spam campaigns used to spread the malware.

A report from Trend Micro shows that while the basic delivery mechanism has remained the same, using spam emails and infected attachments, the attackers have rotated through several types of attachments. The year started with Locky being spread through .doc attachments in January and February, but then in March and April documents with a .rar, file type were used and for the summer months JavaScript attachments were used.

The reason for constantly mixing things up is straightforward, according to Christopher Budd, Trend Micro's global threat communications manager.

“The cat-and-mouse game between attackers and defenders doesn't have clear-cut lines when defenders render attackers' tactics ineffective and attackers switch. Good attackers regularly change up their tactics over time to keep defenders off-balance and make defense harder,” Budd told in an email interview.

Locky has been one of the more upgraded malware types, which is one of the reasons it has been so successful. Overall ransomware numbers are staggering. Trend Micro said it has detected and blocked 80 million ransomware attacks, of all types, during the first half of the year.

While groups pushing other forms of malware also make changes on the fly, Budd said the Locky crew is particularly aggressive and is always looking for a new angle of attack.

However, all the alterations could go for naught if the target has its defenses up.

“For defenders that are in tune with the current threat environment and fully utilize the capabilities of adaptive protection technologies, this doesn't really complicate things: it's part of business as usual. Switching tactics makes “set and forget” defense tactics ineffective. But the threat environment we face has already made that approach a dangerous one,” he said.

However, Locky's operators were also ready for this and added in a few other methods. This included bringing on JavaScript attachments in the summer and Trend Micro also saw VBScript attachments being deployed along with .wsf or Windows Scripting files. The latter can prove particularly dangerous.

“Attachments using WSF file types have a greater degree of attack flexibility because they enable attackers to use more than one scripting language, which can in turn make defense more challenging,” Budd said.

Trend Micro researchers have every reason to believe Locky's handlers will keep switching things up.

“We suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat,” the report stated.

Oddly, the bad guys seemingly focused all their attention on the attachment and left the social engineering part of the attack somewhat static. In order to appeal to businesses Trend Micro found the emails were topped with simple, common subject lines having to do with everyday corporate practices, such as, audit report, budget reports and payment receipt.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.