Locky Ransomware Returns in New Necurs-driven Campaign

Locky was the dominant ransomware in 2016, but was less active in the first quarter of 2017. Now the threat is back with a new Necurs-driven campaign, which was first spotted on April 21. Necurs is a major botnet with estimates last year of up to 1.7 million captive computers. 

According to SophosLabs’ telemetry, global spam volumes dropped dramatically just before Christmas 2016. At the time, Sophos global malware escalations manager Peter Mackenzie suggested, “The reason for this has not been conclusively proven, but the evidence points to a notorious botnet called Necurs going quiet.”

On March 21, the same Sophos telemetry showed a sudden jump in global spam, with up to five times the background level of spam. Necurs was back. “Interestingly,” suggested Sophos senior security advisor Paul Ducklin, “this time it isn’t malware that’s being blasted out, but an old-school type of scam that we’ve haven’t seen for a while, mainly because it didn’t work very well in the past: pump-and-dump.”

Today, just one month later, Necurs has switched back to delivering the Locky ransomware. According to Talos, Locky is currently being distributed in high volumes. “Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” blogged Nick Biasini, an outreach manager with Cisco Talos.

The new Locky campaign is similar to the majority of spam campaigns. A number of different emails are used, in this case largely designed around payments or receipts. An example email given by Talos has the subject ‘Receipt#272’. There is no body to the mail; just an attached PDF with a name associated with the subject name; that is, ‘P272.pdf’.

There seems to be either two concurrent campaigns, or two different methodologies to the same campaign. In one, the email subject remains constant only a couple of times before changing. In the other, the same subject line is used for tens of thousands of messages.

The technique used to deliver the Locky ransomware leverages the same methodology used in a recent Dridex campaign. The email attachment is a PDF; but contains little more than a .DOCM Word document with the same name as the PDF file. The Word document contains the macro that is used to pull down Locky and encrypt the files. In the example given by Talos, it was “an XOR’d Macro that downloaded the Locky sample from what is likely a compromised website.”

“There are a couple of interesting aspects of using this technique one of which is requiring user interaction to get the sample to run, defeating many sandboxing technologies,” writes Biasini. Since the malware is dormant until specifically activated by the user, it won’t fire in the sandbox.

This new campaign shows the close relationship between Locky and Necurs. If Necurs isn’t delivering Locky, Locky’s incidence goes down. But it also demonstrates that dormancy in either does not mean the threat has gone away. It is back with a twist.

“For a time,” writes Biasini, “PDF based compromise was down significantly and word macro based compromise up. In this campaign they figured out how to disguise a macro laden word doc in a PDF, compromising victims around the globe.”