New Locky Variants Change Communication Patterns

Locky, a popular ransomware family that emerged earlier this year, has been displaying changes in its communication patterns in recent weeks, Check Point researchers say.

First spotted in mid-February, Locky made it to the top of the ransomware charts only two weeks later, fueled by well-established distribution channels. The malware relies on malicious macros in Office documents to infect victim’s computer, and these documents are distributed attached to spam emails.

In early March, Trustwave observed a massive spam campaign of more than 4 million malicious spam emails generated by the Dridex botnet, and discovered that Locky was the malicious payload in that campaign. Furthermore, researchers found that the botnet changed the distribution mechanism to use JavaScript (.js) attachments for malware distribution.

Now, Check Point researchers reveal that Locky’s communication patterns, which were well-known across the community, changed dramatically roughly two weeks ago. The security firm noticed that a new Locky variant displayed change in communication on March 22, when Content-Type and User-Agent were included right after the POST header in requests to the command and control (C&C) server.

The researchers also noticed that another Locky variant was included as the malicious payload in the Nuclear exploit kit (EK), and that it included additional communication changes. After the downloader dropped by the EK sends a request to the C&C server, the latter responds with the Locky executable, which includes a new method of fetching the encryption keys from the C&C server.

Previously, Locky’s operators switched from scripts to Form objects in macros to hide code when distributing the ransomware via poisoned Office documents, and it appears that they are constantly improving their techniques. Having the malware spread via both spam campaigns and exploit kits increases their chances of successful infections.

In fact, FireEye Labs detected a spike in Locky downloaders two weeks ago, due to concurrent email spam campaigns targeted at users on 50 countries, including the US, Japan, Korea, Taiwan, Brazil, UK, and Mexico. They also noticed that Locky campaigns are not only catching up with Dridex’s spam activities, but surpassing them.

The ransomware’s operators also appear to continue favoring JavaScript-based downloaders over the Microsoft Word and Excel macro-based downloaders initially used to distribute Locky. This allows them to use automation to transform or obfuscate the script to generate new variants, thus countering traditional signature-based detection solutions.

Last week, researchers at Bitdefender released a “vaccine” for CTB-Locker, Locky, and TeslaCrypt, which should keep users safe for a while. However, these constant changes in the ransomware’s behavior might turn the proactive protection solution useless soon.

The latest changes in Locky, paired with the significant increase in its downloaders might also suggest that the threat’s spam campaigns are about to intensify, which could push the malware to the very top of ransomware charts. Locky has already managed to infiltrate hospitals and, the same as recent threats such as Petya and PowerWare, it might focus on more organizations moving forward.

Related: How Mid-market Enterprises Can Protect Against Ransomware Attacks