Don't call it a comeback: Locky ransomware ups attack methods

There is still no way to decrypt the virus, first discovered in March. It's now spreading via Facebook Messenger.
By Jessica Davis

In February, Locky was found in the wild, wreaking havoc on networks. And despite the drop in the frequency of ransomware attacks in recent months and the increase in decryption tools for strains like Crysis, Locky is upping the ante on its attack method.

The latest ransomware downloader uses the AESIR file extension. It disguises the virus as an email from valid companies, with a subject line designed to encourage the recipient to both read the email and open the zip attachment, according to Derek Knight of UK company My Online Security.

More specifically, Locky hackers disguise the virus as a complaint from an internet service provider that spam is coming from the user's computer.

Another recent attack vector for Locky is Facebook Messenger. A new report from CSO shows how the malware is able to evade whitelisting on Facebook by mimicking an image. According to the site, it can be spread by the Nemucod downloader, which is delivered via Facebook Messenger as an .svg file.

There is still no way to decrypt Locky ransomware. And the only way to recover files is through a viable backup.

The key to a successful, flawless ransomware campaign is constantly evolving the program and delivery methods – it makes them incredibly secure, according to Fabian Wosar, chief technology officer for Emsisoft, an anti-malware vendor.

Locky and Cryptoware strains are seemingly impossible to decrypt, he added. Locky gets all of the small factors right, such as the encryption algorithm and cryptographic keys.

"It's surprisingly hard to generate random keys: There's no randomness with computers," Wosar said. "Key space is a very common mistake in ransomware these days because they don't understand how random key generating works."

Initially, Locky was distributed via email campaigns that hid the virus in Microsoft Word invoices and preyed on human error.

In August, Locky reared its head again with a massive campaign that ran rampant through the healthcare industry. The virus adjusted its delivery method to use DOCM files, which are macro-enabled files used in Microsoft Word.
