Malware

A new massive spam campaign is spreading Locky ransomware downloaders

Experts at Trustwave observed a new massive spam campaign that was sending a JavaScript attachment that downloads Locky ransomware.

Ransomware continues to be among most insidious threats in this first part of the year, security researcher have recently observed a spike in the number of Locky ransomware infections.

The experts from Trustwave security firm highlighted the worrying intensification around this threat.

The security researchers observed a new massive spam campaign serving Locky ransomware downloaders in the form of JavaScript attachments.

According to Trustwave, spam campaign aiming to spread malware has represented 18 percent of total spam in the last weeks, while typically this specific kind of spam represents less than 2 percent of total spam.

The experts linked the increment to the diffusion of ransomware JavaScript downloaders, Trustwave also noticed that the malicious spam was concentrated in bursts.

“Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps.” states a blog post published by Trustwave. “The graph below shows hourly spam traffic for the malware category for the past 30 days – note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.”

The researchers discovered that the Locky ransomware was spread through the same botnet used to spread the Dridex trojan.

“These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).” states the report published by Trustwave.

The threat actors simply changed tactic and malware, in the case os Dridex they used email attachment disguised as an invoice, typically documents embedding malicious macro, the recent Locky ransomware campaign relies on JavaScript attachment that downloads the Locky code.

The Locky ransomware uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.

When started, Locky creates and assigns a unique 16 hexadecimal number to the infected machine, then he will scan all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only file with extensions matching a certain criteria while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

The Locky ransomware encrypts files renaming the to [unique_id][identifier].locky, the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the copies of documents in the Shadow Volume, making impossible to restore files.

“Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase thebitcoins, and the bitcoin address you should send payment to.  Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.” BleepingComputer reports in a blog post.

Pierluigi Paganini

(Security Affairs – Locky Ransomware, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

13 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

20 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.