Locky Ransomware Sheds Downloaders in Favor of JavaScript

Locky, one of the top ransomware families currently haunting users around the world, has upgraded its distribution mechanism, and is now spread embedded in JavaScript files attached to spam emails.

The ransomware has been using JavaScript attachments for distribution purposes for several months now, but these malicious files were dropping downloaders onto the compromised systems, and not the Locky binary itself. That changed last week, when a new wave of malicious emails began dropping Locky directly.

According to CYREN researchers, the spam emails in this campaign used the subject line “Invoice,” which is pretty standard for malware distribution runs. Furthermore, the researchers observed that the new campaign used the same filename format for the attachments as previous Locky attacks.

What changed was the size of the attached .ZIP file, which was larger by more than 250KB than previous Locky-associated malicious attachments. As before, however, the .ZIP archive contains a JavaScript file that uses the same obfuscation found in the previous Locky downloader script variants.

Loading the JavaScript into an editor “also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods. Even the binary decryption routine is still included in this variant,” CYREN researchers say.

Unlike previous variants, this one contains a set of large arrays that are concatenated together. This large array variable is where the encrypted Locky ransomware binary is stored. Before being executed, the binary is decrypted and saved to disk.

Other malware authors have been embedding their malicious programs into scripts for a long time, so it is not much of a surprise that Locky has adopted this technique as well. Previously, however, the ransomware was observed preferring malicious macros in Office documents distributed via large spam runs powered by the Necurs botnet. It also started using JavaScript a while ago, but only to embed the downloader, and was being distributed via the Nuclear exploit kit.

The decryption of the binary is signaled by a significant surge in CPU usage coming from wscript.exe. After decryption, the executable is saved in the Temp directory with a filename hardcoded in the JavaScript, albeit seemingly random. The ransomware is then executed with an argument of “321”.
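The behaviour described above (a script host writing an executable to the Temp directory and launching it with the argument “321”) is something a defender can look for in process-creation telemetry. The following is an added example, not code from CYREN or SecurityWeek; the log format and the sample events are constructed here and loosely follow the fields of a Sysmon process-creation event.

```python
"""Heuristic for the Locky JavaScript-dropper execution chain:
wscript.exe -> executable in %TEMP% -> launched with argument "321".
Example code; the key=value log format and sample events are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = r"""
ParentImage=C:\Windows\System32\wscript.exe Image=C:\Users\bob\AppData\Local\Temp\kjsdf83.exe CommandLine="C:\Users\bob\AppData\Local\Temp\kjsdf83.exe" 321
ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Notepad++\notepad++.exe CommandLine="C:\Program Files\Notepad++\notepad++.exe" invoice.txt
ParentImage=C:\Windows\System32\wscript.exe Image=C:\Users\bob\AppData\Local\Temp\upd.exe CommandLine="C:\Users\bob\AppData\Local\Temp\upd.exe"
ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\ipconfig.exe CommandLine=ipconfig /all
"""

# Non-greedy groups work because " Image=" and " CommandLine=" delimit the fields.
EVENT_RE = re.compile(r"^ParentImage=(.+?) Image=(.+?) CommandLine=(.+)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries

def parse_event(line):
    """Return {'parent', 'image', 'cmdline'} or None for a non-matching line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parent, image, cmdline = m.groups()
    return {"parent": parent, "image": image, "cmdline": cmdline}

def trailing_args(cmdline):
    """Arguments after the executable path; handles a double-quoted path."""
    stripped = cmdline.strip()
    if stripped.startswith('"'):
        end = stripped.find('"', 1)
        return stripped[end + 1:].strip() if end != -1 else ""
    parts = stripped.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""

def classify(event):
    """(severity, reason) when the event matches the dropper chain, else None."""
    parent_name = PureWindowsPath(event["parent"]).name.lower()
    from_temp = "temp" in [p.lower() for p in PureWindowsPath(event["image"]).parts]
    if parent_name not in SCRIPT_HOSTS or not from_temp:
        return None
    if trailing_args(event["cmdline"]) == "321":
        return ("high", "script host launched Temp executable with Locky-style argument 321")
    return ("medium", "script host launched an executable from the Temp directory")

def scan(log_text):
    """Return [(line_number, severity, reason)] for every matching event."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        event = parse_event(line)
        verdict = classify(event) if event else None
        if verdict:
            findings.append((lineno, verdict[0], verdict[1]))
    return findings
```

The "medium" rule is intentionally broader than the "321" argument, since the argument is trivially changed between campaigns while a script host launching binaries from Temp is unusual on most workstations.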

This Locky variant appends the .zepto file extension to the encrypted files, and it was previously considered a separate ransomware version. According to CYREN researchers, the malware authors made only a few changes to the ransomware’s code to switch to the new file extension.

As soon as the encryption process has been completed, Locky replaces the desktop background wallpaper with the ransom note and opens the ransom instructions page that it previously dropped on the user’s desktop. The Tor links provided to the victim direct them to the Locky Decryptor page.

“As always, we highly advise end users to avoid opening executable attachments from untrusted sources, and to deploy web gateway security capable of detecting (and stopping) such attacks. Businesses can ultimately contribute to reducing the economic payoff calculation for the cybercriminals and, at the same time, defend their organization,” researchers say.

Related: Locky Ransomware Gets Offline Encryption Capabilities

Related: Decryption Tools Released for Bart, PowerWare Ransomware
