Locky ransomware is back, but with a new twist
Locky ransomware reemerged Friday with multiple sets of phishing e-mail messages, cybersecurity vendor PhishMe’s research team has discovered. Similar to narratives used throughout 2016, these messages used simple, easily recognizable, but very effective phishing lures to convince recipients to open an attached file, PhishMe said.
In contrast to the Locky delivery methods used throughout most of 2016, the criminals behind this new wave are reusing a technique that recently became popular for distributing the Dridex malware, PhishMe said: a PDF attachment that carries the malicious Office document inside it, rather than the macro document arriving as the attachment itself.
“The technique in play with these phishing attacks attempts to take advantage of the awareness and education surrounding macro-based delivery as it has proliferated over the past few years,” said Brendan Griffin, threat intelligence manager at PhishMe. “As more and more threat actors utilized this technique, it became clear to both defenders and potential victims what these attacks look like and how they work.”
That awareness, in turn, made plain Office macro documents a less effective lure for cybercriminals, Griffin said.
“The recent distribution of the Dridex malware using this technique in conjunction with a PDF document broke from the expectations set for potential victims about how this technique looks,” he said. “The threat actors seek to defy the expectations created by the increased awareness about Office macro attacks by altering how they are presented to victims.”
These PDF attachments use a straightforward infection process. When the PDF is opened, the reader prompts the recipient for permission to open a second file, PhishMe said. That second file, extracted from within the PDF, is a Word document carrying a macro that downloads the malware payload (Dridex, in the campaigns where PhishMe first observed the technique). The extra step breaks the pattern that users and defenders have learned to recognize, in which a macro-laden Office document arrives directly as the attachment, the company added. Note that the Word macro still has to be enabled by the recipient once the document opens, so the chain depends on two user approvals rather than one.
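A triage check for this delivery chain, as an added example (not PhishMe's tooling or code from the article): it scans raw PDF bytes for the combination the paragraph describes, an embedded macro-capable Office file plus a document-open action or JavaScript that would prompt the reader to open it. The sample PDFs are constructed here for illustration; the use of Acrobat's `exportDataObject` call with `nLaunch` to trigger the prompt is an assumption about how such PDFs are typically built, not something the article states.

```python
import re

# Constructed sample, not a real sample from the article: a minimal PDF whose
# /OpenAction runs JavaScript asking the reader to export and open an embedded
# macro-enabled Word document. Object structure is simplified for illustration.
SUSPICIOUS_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
   /Names << /EmbeddedFiles << /Names [(invoice.docm) 4 0 R] >> >> >>
endobj
4 0 obj
<< /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 6 0 R >> >>
endobj
5 0 obj
<< /S /JavaScript /JS (this.exportDataObject({cName: "invoice.docm", nLaunch: 2});) >>
endobj
6 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Fvnd.ms-word.document.macroEnabled.12 /Length 4 >>
stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF: one empty page, no embedded files, no actions.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed variant using PDF name hex escapes (/J#61vaScript) to dodge naive
# keyword matching; the same chain, just spelled differently.
OBFUSCATED_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Open#41ction 5 0 R >> endobj
4 0 obj << /Type /Filespec /F (report.doc) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /J#61vaScript /JS (this.exportDataObject({cName: "report.doc", nLaunch: 2});) >> endobj
6 0 obj << /Type /EmbeddedF#69le /Length 0 >> stream
endstream endobj
"""

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# /F (name) or /UF (name) written as a literal string inside a /Filespec dictionary.
FILE_NAME = re.compile(rb"/U?F\s*\(([^()\\]{1,255})\)")
# Office extensions that can carry VBA macros (legacy binary formats included).
MACRO_EXT = re.compile(rb"\.(?:docm?|dotm?|xlsm?|xlsb|xltm?|pptm?|potm?)$", re.I)


def normalise_names(data: bytes) -> bytes:
    """Decode PDF name #XX hex escapes so /J#61vaScript is seen as /JavaScript.
    Applied to the whole buffer for simplicity, which also touches strings and
    streams; acceptable for triage, not for parsing."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Heuristic scan of raw PDF bytes for a PDF-wrapped macro document chain."""
    norm = normalise_names(data)
    names = []
    for m in FILE_NAME.finditer(norm):
        if m.group(1) not in names:
            names.append(m.group(1))
    macro_docs = [n for n in names if MACRO_EXT.search(n)]
    findings = {
        "embedded_files": [n.decode("latin-1") for n in names],
        "macro_capable_embeds": [n.decode("latin-1") for n in macro_docs],
        "has_embedded_file": re.search(rb"/EmbeddedFile\b", norm) is not None,
        "has_javascript": re.search(rb"/JavaScript\b|/JS\b", norm) is not None,
        "has_auto_action": re.search(rb"/OpenAction\b|/AA\b", norm) is not None,
        "has_launch": re.search(rb"/Launch\b", norm) is not None,
        "calls_export_data_object": b"exportDataObject" in norm,
    }
    # A macro-capable embed plus something that fires on open is the chain from the
    # article; an embed or script on its own is worth a look but not conclusive.
    if macro_docs and (findings["has_javascript"] or findings["has_auto_action"]
                       or findings["has_launch"]):
        findings["verdict"] = "suspicious"
    elif findings["has_embedded_file"] or findings["has_javascript"] or findings["has_launch"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    for label, pdf in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF),
                       ("obfuscated", OBFUSCATED_PDF)):
        print(label, scan_pdf(pdf))
```

The scan works on raw bytes, so it will miss dictionaries that a PDF writer has packed into compressed object streams (`/ObjStm`); for real mail-gateway use, inflate `/FlateDecode` streams first and run the same checks over the decoded content, or hand the file to a proper PDF parser and walk the `/EmbeddedFiles` name tree.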
“Following the 2016 holiday season, Locky distributions seemed to evaporate, leaving only a handful of small distributions throughout the first quarter of 2017,” Griffin said. “During that period, several other ransomware varieties appeared on the phishing landscape and the ever-present Cerber encryption ransomware maintained a significant share of the ransomware market. The lucrative business of ransomware is one that threat actors were unlikely to abandon. Furthermore, a robust tool like the Locky encryption ransomware likely provides a reliable means to turn profits in that market.”