"This overlapping infrastructure is a curious link," said PhishMe researchers.
"This overlapping infrastructure is a curious link," said PhishMe researchers.

The ransomware marketplace is far from dissipating. New variants have already appeared in 2017 and researchers have detected that one new iteration, Sage, shares infrastructure with another already notorious malware, Locky, according to a PhishMe blog post.

In digging into samples of Sage, the PhishMe researchers found that while the coders behind the ransomware at first targeted victims using a sexually explicit subject line in their phishing attempts, they soon moved on to a more mainstream campaign attempting to persuade email recipients to click on a malicious .zip file attachment with business-related subject lines claiming a financial transaction was rejected.

In both campaigns, the email messages and the metadata used, as well as the payment gateway's Tor site, was the same as that seen in earlier Locky campaigns. This is evidence, they said, that contrary to claims that Locky has disappeared from the threat landscape it is, in fact, still being used by some attackers – although it is employing different strategies.

"This overlapping infrastructure is a curious link between these two ransomware varieties and serves as a reminder of how malware support and distribution infrastructure is frequently reused," the report stated.

The campaign illustrates that the miscreants behind this ransomware distribution are keeping current in using the newer Sage malware, but at the same time are also relying on the proven Locky strain, evidence of the robust market for these packages, the researchers said.

However, while the kits continue to evolve, using strategies like these make it simpler for security professionals to thwart the attacks as the shared infrastructure enables more efficient detection and blocking of ransomware delivery, the researchers concluded.