CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Locky Ransomware Returns in New Necurs-driven Campaign

Locky was the dominant ransomware in 2016, but was less active in the first quarter of 2017. Now the threat is back with a new Necurs-driven campaign, which was first spotted on April 21. Necurs is a major botnet with estimates last year of up to 1.7 million captive computers. 

Locky was the dominant ransomware in 2016, but was less active in the first quarter of 2017. Now the threat is back with a new Necurs-driven campaign, which was first spotted on April 21. Necurs is a major botnet with estimates last year of up to 1.7 million captive computers. 

According to SophosLabs’ telemetry, global spam volumes dropped dramatically just before Christmas 2016. At the time, Sophos global malware escalations manager Peter Mackenzie suggested, “The reason for this has not been conclusively proven, but the evidence points to a notorious botnet called Necurs going quiet.”

On March 21, the same Sophos telemetry showed a sudden jump in global spam, with up to five times the background level of spam. Necurs was back. “Interestingly,” suggested Sophos senior security advisor Paul Ducklin, “this time it isn’t malware that’s being blasted out, but an old-school type of scam that we’ve haven’t seen for a while, mainly because it didn’t work very well in the past: pump-and-dump.”

Today, just one month later, Necurs has switched back to delivering the Locky ransomware. According to Talos, Locky is currently being distributed in high volumes. “Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” blogged Nick Biasini, an outreach manager with Cisco Talos.

The new Locky campaign is similar to the majority of spam campaigns. A number of different emails are used, in this case largely designed around payments or receipts. An example email given by Talos has the subject ‘Receipt#272’. There is no body to the mail; just an attached PDF with a name associated with the subject name; that is, ‘P272.pdf’.

There seems to be either two concurrent campaigns, or two different methodologies to the same campaign. In one, the email subject remains constant only a couple of times before changing. In the other, the same subject line is used for tens of thousands of messages.

The technique used to deliver the Locky ransomware leverages the same methodology used in a recent Dridex campaign. The email attachment is a PDF; but contains little more than a .DOCM Word document with the same name as the PDF file. The Word document contains the macro that is used to pull down Locky and encrypt the files. In the example given by Talos, it was “an XOR’d Macro that downloaded the Locky sample from what is likely a compromised website.”

“There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies,” writes Biasini. Since the malware is dormant until specifically activated by the user, it won’t fire in the sandbox.

Advertisement. Scroll to continue reading.

This new campaign shows the close relationship between Locky and Necurs. If Necurs isn’t delivering Locky, Locky’s incidence goes down. But it also demonstrates that dormancy in either does not mean the threat has gone away. It is back with a twist.

“For a time,” writes Biasini, “PDF based compromise was down significantly and word macro based compromise up. In this campaign they figured out how to disguise a macro laden word doc in a PDF, compromising victims around the globe.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.