A new variant of ransomware known as Locky (detected by Symantec as Trojan.Cryptolocker.AF) has been spreading quickly since it first appeared on Tuesday (February 16). The attackers behind Locky have pushed the malware aggressively, using massive spam campaigns and compromised websites.
Locky encrypts files on victims’ computers and adds a .locky file extension to them. The ransom demand varies between 0.5 to 1 bitcoin (approximately US$210 to $420).
One of the main routes of infection has been through spam email campaigns, many of which are disguised as invoices. Word documents containing a malicious macro are attached to these emails. Symantec detects these malicious attachments as W97M.Downloader. If this macro is allowed to run, it will install Locky onto the victim’s computer.
Symantec telemetry indicates that Locky was spread by at least five different spam campaigns on February 16. Most of the spam emails seen had a subject line that read “ATTN: Invoice J-[RANDOM NUMBERS]”. Another campaign used “tracking documents” as a subject line.
The spam campaigns spreading Locky are operating on a massive scale. Symantec anti-spam systems blocked more than 5 million emails associated with these campaigns by yesterday, February 17.
Figure 1. Example of spam email used to distribute Locky
Similarities to Dridex?
These spam campaigns have many similarities to campaigns used to spread the Dridex financial Trojan. The sheer size of the campaigns, their disguise as financial documents such as invoices, and the use of malicious macros in attached Word documents are all hallmarks of the Dridex group. This has led to some speculation that the Dridex group may have branched out into ransomware.
The similarities between the two extend beyond the spam campaigns. The malicious Word macros used to install each threat employ similar obfuscation methods and non-standard naming conventions. They also both create a file called “ladybi.exe” on the infected computer. In addition to this, the URLs the payloads are downloaded from use an identical naming structure:
- http://[DOMAIN NAME]/[RANDOM HEXADECIMAL VALUE]/[RANDOM HEXADECIMAL VALUE].exe
- http://[DOMAIN NAME]/[RANDOM HEXADECIMAL VALUE]/[RANDOM HEXADECIMAL VALUE]
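The URL structure above is easy to turn into a proxy-log check. The following is an added example, not code from the original post or from Symantec: it parses each URL, requires exactly two path segments that are both hexadecimal (with or without a trailing `.exe`), and reports the matching lines. The log format, hostnames and paths are constructed for the example, and the minimum hex length is an assumption since the post gives none; it also accepts `https` as well as the `http` the post shows.

```python
import re
from urllib.parse import urlparse

# Minimum length for a path segment to count as a "random hexadecimal value".
# The write-up gives no length, so this threshold is an assumption.
MIN_HEX_LEN = 4
HEX_SEGMENT = re.compile(r"^[0-9a-fA-F]{%d,}$" % MIN_HEX_LEN)

# Proxy log lines constructed for this example: timestamp, client, method, URL, status.
# The hostnames and paths are made up and are not indicators from the write-up.
SAMPLE_PROXY_LOG = """\
2016-02-16T09:12:01Z 10.0.0.5 GET http://compromised-site.example/7a3f2c1e/9b8d6e4f1a2c.exe 200
2016-02-16T09:12:03Z 10.0.0.5 GET http://compromised-site.example/7a3f2c1e/9b8d6e4f1a2c 200
2016-02-16T09:13:22Z 10.0.0.7 GET http://cdn.example/assets/app.js 200
2016-02-16T09:14:10Z 10.0.0.9 GET http://vendor.example/downloads/setup.exe 200
2016-02-16T09:15:45Z 10.0.0.5 GET https://other.example/deadbeef/cafebabe.exe?id=1 200
"""


def matches_payload_url_structure(url):
    """True if the URL is shaped like <scheme>://<host>/<hex>/<hex>[.exe]."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    # urlparse already separates the query string, so only the path is inspected.
    segments = parsed.path.strip("/").split("/")
    if len(segments) != 2:
        return False
    directory, filename = segments
    if filename.lower().endswith(".exe"):
        filename = filename[:-4]
    return bool(HEX_SEGMENT.match(directory) and HEX_SEGMENT.match(filename))


def find_suspicious_urls(log_text):
    """Return (client, url) pairs for log lines whose URL matches the structure."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or empty line; skip rather than crash
        client, url = fields[1], fields[3]
        if matches_payload_url_structure(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_suspicious_urls(SAMPLE_PROXY_LOG):
        print(f"{client} fetched {url}")
```

Hex-only paths of this shape are rare in normal browsing but not unique to this campaign, so a hit is a lead to pivot on (which client, what was downloaded, what ran afterwards) rather than a verdict on its own.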
However, there is no conclusive evidence at present to suggest that the same group is behind both of these attacks, and there are some significant differences between the two threats. Downloaded Locky files appear quite different from the recent Dridex variants: Dridex is usually downloaded as an encrypted .jpg file, whereas Locky is not encrypted.
Symantec has also observed Locky being distributed by the Neutrino exploit kit. To date, Dridex has never been distributed in this fashion.
Like many variants of ransomware, Locky uses strong encryption, putting the victim’s files beyond reach if they have not been backed up. However, Symantec believes that Locky poses a particular danger, since its attackers appear well-resourced and have managed to distribute the malware widely in a very short span of time. This may increase the chance of infection among consumers and businesses who do not regularly update their security software.
Figure 2. Example of Locky ransom message
Update – March 14, 2016:
Locky’s impact continues to be felt. Symantec telemetry indicates an increase in ransomware activity in recent weeks, with Locky (Trojan.Cryptolocker.AF) and TeslaCrypt (Trojan.Cryptolocker.N) both particularly active during the period. While ransomware infections had been detected at a rate of between 10,000 and 15,000 per week in January and early February 2016, the number began to rise, coinciding with Locky’s appearance on February 16, and detections stood at more than 20,000 in the week leading up to March 8.
Figure 3. Ransomware detections by week in 2016
The attackers behind Locky are continuing to spread the ransomware through major spam campaigns. One of the most recent spam runs observed occurred on Friday (March 11, 2016) and the emails were disguised as coming from an address on the recipient’s network. The subject line of all emails seen was “Scanned Image” while the sender address was in the format of lands[RANDOM NUMBER]@[VICTIM DOMAIN], e.g. “lands371@[VICTIM DOMAIN].com” or “lands4022@[VICTIM DOMAIN].co.uk”.
While spam emails purporting to come from network-connected devices such as scanners and printers are frequently seen, by far the most common tactic is to disguise spam emails as financial statements, particularly invoices. For example, one recent Locky spam campaign to adopt this approach was observed on March 9, 2016. The emails bore the subject line “FW: Invoice 2016-M#[RANDOM SIX DIGIT NUMBER]”, e.g. “FW: Invoice 2016-M#708006”. A wide variety of sender names and addresses were used in the campaign. Most sender addresses were spoofed to make them appear to come from domains registered to real companies.
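The subject and sender patterns described in this update and in the February campaigns (“ATTN: Invoice J-[RANDOM NUMBERS]”, “tracking documents”, “Scanned Image” from lands[RANDOM NUMBER]@[VICTIM DOMAIN], and “FW: Invoice 2016-M#[RANDOM SIX DIGIT NUMBER]”) can be expressed as mail-gateway rules. The block below is an added example, not code from the original post or from Symantec: it renders each placeholder as a regular expression (my reading of the text), treats the “Scanned Image” lure as suspicious only when the lands<N> sender sits on the recipient’s own domain, and runs the rules over constructed sample messages. The addresses and numbers in the samples are made up.

```python
import re

# Subject-line patterns reported for the Locky spam runs. Turning the
# "[RANDOM NUMBERS]" placeholders into \d+ / \d{6} is my reading of the text.
SUBJECT_RULES = [
    ("invoice_attn", re.compile(r"^ATTN: Invoice J-\d+$")),
    ("invoice_fw_2016", re.compile(r"^FW: Invoice 2016-M#\d{6}$")),
    ("tracking_documents", re.compile(r"^tracking documents$", re.IGNORECASE)),
]

# "Scanned Image" lure: sender local part lands<NUMBER> on the recipient's own domain.
SCANNER_SENDER = re.compile(r"^lands\d+@(?P<domain>[^@\s]+)$", re.IGNORECASE)


def _domain(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def classify_email(subject, sender, recipient):
    """Return the names of the Locky spam rules a message matches (empty list if none)."""
    hits = []
    subject = subject.strip()
    for name, pattern in SUBJECT_RULES:
        if pattern.match(subject):
            hits.append(name)
    # The scanner lure is only flagged when the sender is spoofed as internal,
    # which is what distinguishes it from a real device on a vendor's domain.
    m = SCANNER_SENDER.match(sender.strip())
    if (subject.lower() == "scanned image" and m
            and m.group("domain").lower() == _domain(recipient)):
        hits.append("spoofed_internal_scanner")
    return hits


# Constructed sample messages (addresses and numbers are made up, not telemetry).
SAMPLE_MESSAGES = [
    {"subject": "ATTN: Invoice J-98223146", "from": "billing@supplier.example", "to": "ap@corp.example"},
    {"subject": "FW: Invoice 2016-M#708006", "from": "accounts@vendor.example", "to": "ap@corp.example"},
    {"subject": "tracking documents", "from": "ship@courier.example", "to": "ap@corp.example"},
    {"subject": "Scanned Image", "from": "lands371@corp.example", "to": "jane@corp.example"},
    {"subject": "Scanned Image", "from": "copier@printvendor.example", "to": "jane@corp.example"},
    {"subject": "Re: lunch on Friday", "from": "bob@corp.example", "to": "jane@corp.example"},
]


def triage(messages):
    """Return (subject, rule names) for every message that matches at least one rule."""
    flagged = []
    for msg in messages:
        rules = classify_email(msg["subject"], msg["from"], msg["to"])
        if rules:
            flagged.append((msg["subject"], rules))
    return flagged


if __name__ == "__main__":
    for subject, rules in triage(SAMPLE_MESSAGES):
        print(f"{subject!r} -> {', '.join(rules)}")
```

Subject strings change from one spam run to the next, so rules like these age quickly; the structural check on the “Scanned Image” lure (an external message whose sender claims the recipient’s own domain) is the part that stays useful, and it belongs alongside SPF/DKIM/DMARC enforcement rather than in place of it.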
Locky spam campaigns are sent by an affiliate that is also used by the Dridex group. Consequently, the spam campaigns delivering both threats share many characteristics. To learn more about Dridex spam campaigns, see our whitepaper: Dridex: Tidal waves of spam pushing dangerous financial Trojan
A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud, which blocks email-borne threats; Symantec Web Security.cloud, which blocks web-based threats; and Symantec Endpoint Security.
Symantec and Norton products protect against Locky with the following detections:
Intrusion prevention system
Tips on protecting yourself from ransomware
- Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
- Always keep your security software up to date to protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
If you would like to find out more about the threat posed by ransomware, you can read our whitepaper: The evolution of ransomware