CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Malware & Threats

Locky Ransomware Fuels Surge in .RAR, JavaScript Attachments

Locky malware, currently one of the most active ransomware threats, has influenced a transition to new types of attachments used in malicious emails, Trend Micro researchers warn.

Locky malware, currently one of the most active ransomware threats, has influenced a transition to new types of attachments used in malicious emails, Trend Micro researchers warn.

Ransomware often distributed via spam emails, especially now that the notorious Angler Exploit Kit (EK) is gone, and Locky appears responsible for a surge of certain delivery methods, researchers say. According to Trend Micro, 71% of known ransomware families arrive via email.

During the first half of the year, 58% of ransomware threats came from email attachments, the security company notes. File types used by attackers to deliver their malicious payloads include JavaScript, VBScript, and Office files with macros, all coded in ways meant to evade detection from traditional security solutions.

Email is a tried-and-tested method for malware delivery and is particularly effective when targeting enterprises and small and medium businesses (SMBs). Locky’s operators have been using this delivery method from the beginning, but they switched between various types of email attachments to ensure increased efficiency for their attacks.

Trend Micro security researchers explain that, on the one hand, this continuous switch between email attachments contributed to Locky’s prevalence, while on the other the increase in the use of certain file types in email attachments was influenced by this ransomware family alone.

“The first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky,” researchers say.

Locky switched to JavaScript attachments in June and August, but researchers note that ransomware families such as CryptoWall 3.0 and TeslaCrypt 4.0 are using this technique as well. Locky was also seen using VBScript attachments, and it switched to Windows Scripting file (WSF) attachments around mid-July to August. Also in August, FireEye Labs researchers observed Locky reverting to malicious macros in Office docs attached to spam emails.

Most recently, Locky was seen using DLLs and .HTA file attachments for distribution, and researchers forecast that attackers will also adopt executable files such as .COM, .BIN, and .CPL for malware distribution purposes. Because many of these file types aren’t normally used to deliver malware, cybercriminals can more easily avoid detection.

Advertisement. Scroll to continue reading.

“To block spam emails with JS, VBScript, WSF and HTA attachments, companies should use email solutions with different anti-spam filters such as heuristics and fingerprint technology.  In addition, solutions with blacklisting mechanism can block known malicious sender IPs. To detect macro downloaders by Locky and Cerber, email solutions should have macro scanning feature that can detect any malicious macro components of threats,” Trend Micro researchers say.

The spam emails used to deliver ransomware usually contain common subject lines and employ social engineering to determine victims to execute the malicious files. Emails with subject lines that involve invoices, parcel delivery, confirmation of order, banking notifications, and payment receipts should be considered suspicious, the security researchers say.

Related: CryptXXX Now Being Distributed via Spam Emails


Related: Spam Campa
ign Distributing Locky Variant Zepto Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.