Locky Ransomware Learns New Evasive Tricks

For several weeks security experts have had success slowing Locky ransomware infection rates. That’s been due to aggressive efforts to combat the Trojan downloader Nemucod, used in recent campaigns to distribute Locky. But now researchers say hackers behind Locky are changing tactics, giving the ransomware new legs.

According to the Microsoft Malware Protection Center team, Locky ransomware authors have shifted the type of malicious attachments used in their spam campaigns to evade detection. They have observed Locky authors moving away from the use of .wsf files hiding Nemucod.

“We observed that the Locky ransomware writers, possibly upon seeing that some emails are being proactively blocked, changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky,” wrote Microsoft in a technical blog post outlining its research.

Microsoft says it has spotted an uptick in spam with a .zip attachment containing the .LNK files. In one example the .LNK file is named “bill” and is likely meant to trick a victim into thinking it is an invoice.

threatpost_locky_microsoft_lnk

When Microsoft analyzed the .LNK sample it found a PowerShell command inside the shortcut file. The .LNK executes the Trojan downloader Ploprolo.A. “When the PowerShell script successfully runs, it downloads and executes Locky in a temporary folder (for example, BJYNZR.exe), completing the infection chain,” according to Microsoft researchers.

Ploprolo.A, according to Microsoft, is a malicious PowerShell script first detected in September. It is typically embedded by hackers in .LNK, .CHM, .BAT, .PDF and .PPTX files.

Locky writers have had a busy summer targeting hospitals with .DOCM attachments in August. In June, Locky received a technical makeover and was part of a significant Necurs botnet spam email campaign. Locky originally gained notoriety in February when the Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom to decrypt files locked by the ransomware.

Locky has been potent since its initial detection on Feb. 16 – with attempts to infect customers in more than 100 countries. The preferred Locky attack vector has been email messages that contain an attached Word document embedded with a malicious macro. Once the macro is engaged, a script is initiated and Locky is downloaded onto a victim’s PC.

According to a Check Point analysis of Locky, researchers have documented at least 10 different Locky downloader variants. In those cases, each variant has tried to avoid detection by hiding the Locky payload in different file types (.doc, .docm, .xls and also .js) that claim mostly to be invoice attachments. Locky, according to Check Point, is not a particularly unique ransomware. Instead, Locky’s deadly success is attributed to effective spam campaigns.

With this most recent wave of Locky ransomware, Microsoft recommends disabling the loading of macros in Office programs and to use up-to-date, real-time antimalware product.