Avira spotted a new strain of the dreaded Locky Ransomware in the wild

Avira firm detected a new strain of the Locky ransomware that is spreading through malicious attachments disguised as legitimate Libre and Office documents.

Researchers at Avira Virus Lab detected a new strain of the Locky ransomware that is spreading through malicious attachments disguised as legitimate documents from productivity applications like Microsoft Word and Libre Office.

The new Lock Ransomware appends the same “.asasin” extension to the file names of encrypted documents as samples analyzed by security firm PhishMe in October.

The malware authors attempt to trick the victims into double-clicking the envelope.

“This new wave is being spread through Office Word documents, not only Microsoft but also other programs such as Libre Office, which look like the following image:”

“By doing so, this sets off a cascade of actions which will end in all valuable files being encrypted and the user getting the following message.” states the analysis published by Avira.

Once the users double-click the image, a series of actions is triggered, ending with the encryption of the files on the infected machine.

The analysis of the image included in the bait Word document revealed a LNK file (Windows shortcut), by pasting the command into a text editor, the researchers discovered it is meant to run a PowerShell script.

“The script is in clear text and can easily be read. Its intent is to download another PowerShell script from a link embedded in the script and then run this script by using the Invoke-Expression function.” continues the analysis.

The second script connects a server controlled by the operators and downloads a Windows executable file, which includes several stages of code obfuscation to confuse analysts and trick people into thinking it’s a clean file.

The new strain of Locky ransomware collects information about the operating system and sends it, encrypted, to the command-and-control server that in turn replies with the encryption key.

The rapid evolution of ransomware in the threat landscape is worrisome, and this case demonstrates it.

Security experts are observing a rapid evolution of the Locky ransomware, recently they have seen it spreading via spam campaigns that rely on the Necurs botnet. A couple of weeks ago, operators behind Locky ransomware campaigns have switched to new attack techniques to evade detection.

One of the new techniques adopted by the crooks is the use of the Dynamic Data Exchange (DDE) protocol designed to allow data transferring between applications.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Locky ransomware, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.