Following Lull, New Campaigns Pushing Retooled ‘Pumpkin’ Locky

New and increasingly diverse variants of ransomware are released weekly, but developers behind the Locky strain have managed to keep the malware fresh in the face of changing trends.

Researchers with Cisco’s Talos Security Intelligence and Research Group said this week they observed three separate spam campaigns just on Monday pushing an updated version of the ransomware.

The most robust – more than 13,000 emails were counted – relies on victims opening malicious emails armed with .zip archives. In order to get victims to open them, both the subject line of the email and the name of the attachment is “Receipt XXX-XXX,” researchers say. Once opened, the files unload .HTA, or HTML executable files that go on to download Locky.

According to Warren Mercer and Edmund Brumaghin, researchers with the firm, the obfuscated Javascript used in this particular downloader takes on a somewhat seasonal slant. Almost 40 instances of the word “PUMPKIN” are scattered throughout the downloader’s code, potentially as a nod to Halloween this upcoming weekend.

The second campaign Talos observed uses a similar infection method; emails with the subject line “Complaint letter,” and .zip archives named “saved_letter_XXXXX.zip.” It spotted 3,748 emails in a three-hour window from this campaign, which ultimately depends on users opening the .zip files, which in turn prompts a Javascript file to trigger the Locky download.

The third campaign was the smallest – only 154 emails were spotted – and uses Windows Script File, or WSF file-based malware downloaders to propagate Locky. The emails purported to be bills from a French television company and largely targeted French users.

The fact that Talos saw so few emails with rigged .WSF files seems to go in line with research from Microsoft last week. Researchers with the company’s Malware Protection Center said developers behind Locky have been moving away from the files, potentially because some emails have been blocked, to .LNK files. The .LNK files can better evade detection and contain PowerShell commands that go on to download and run Locky, Microsoft said.

screen-shot-2016-10-25-at-11-31-53-am

Image of Locky encounters via Microsoft

Talos’ findings come following a bit of a lull for the ransomware.

Locky infection rates have been on the decline this month and some believe the regression is tied to the slow death of Nemucod, a Trojan downloader responsible for spreading the ransomware. While the downloader, essentially Javascript code embedded in .WSF file embedded in a .zip file, hasn’t completely disappeared yet, detections around it are down.

Mercer told Threatpost Tuesday that whatever the reason was, the two-week respite was uncharacteristic for the ransomware.

“We have not observed similar behavior with Locky throughout this year, since Locky become active in February 2015 it’s continued to be fairly consistent,” Mercer said, “The two week downturn could be due to retooling, infrastructure changes, perhaps even ownership change, it’s difficult to say without speculating wildly… It is just something that happens from time to time with threat actors, they do like to take some time off occasionally.”

The decline clearly hasn’t changed the ability for Locky’s authors to constantly tweak the ransomware however. All of the campaigns Talos discovered this week were spotted peddling a new version. According to the researchers, this iteration of Locky is using the URL path “/linuxsucks.php” to communicate with its command and control server. The HTML file that contains the ransom note has been renamed too: “_WHAT_is.html.” The attackers even changed the file extension used by the ransomware; now when Locky encypts files, it appends the vulgar “.sh*t” to the end of the files.

“Locky has changed the face of ransomware, make no mistake, from an evolution point of view Locky should be considered the top dog,” Mercer told Threatpost Tuesday, “They move quickly to incorporate new techniques, different methods of delivery, they sway from Exploit Kit to malicious spam email, they move their file suffixes to try and remain active. They have very few downfalls, I’d name some but then they’d change them!”