New Locky Variants Change Communication Patterns

Locky, a popular ransomware family that emerged earlier this year, has been displaying changes in its communication patterns in recent weeks, Check Point researchers say.

First spotted in mid-February, Locky made it to the top of the ransomware charts only two weeks later, fueled by well-established distribution channels. The malware relies on malicious macros in Office documents to infect victims' computers, and these documents are distributed as attachments to spam emails.

In early March, Trustwave observed a massive spam campaign of more than 4 million malicious emails generated by the Dridex botnet, and discovered that Locky was the malicious payload in that campaign. Furthermore, researchers found that the botnet changed its distribution mechanism to use JavaScript (.js) attachments to deliver the malware.

Now, Check Point researchers reveal that Locky's communication patterns, which were well-known across the community, changed dramatically roughly two weeks ago. The security firm noticed that a new Locky variant displayed a change in communication on March 22, when Content-Type and User-Agent headers were included right after the POST header in requests to the command and control (C&C) server.

The researchers also noticed that another Locky variant was delivered as the malicious payload of the Nuclear exploit kit (EK), and that it included additional communication changes. After the downloader dropped by the EK sends a request to the C&C server, the server responds with the Locky executable, which uses a new method of fetching the encryption keys from the C&C server.

Previously, Locky's operators switched from scripts to Form objects in macros to hide code when distributing the ransomware via poisoned Office documents, and it appears that they are constantly improving their techniques. Spreading the malware via both spam campaigns and exploit kits increases their chances of successful infection.

In fact, FireEye Labs detected a spike in Locky downloaders two weeks ago, due to concurrent email spam campaigns targeting users in 50 countries, including the US, Japan, Korea, Taiwan, Brazil, the UK, and Mexico. They also noticed that Locky campaigns are not only catching up with Dridex's spam activity, but surpassing it.

The ransomware's operators also appear to continue favoring JavaScript-based downloaders over the Microsoft Word and Excel macro-based downloaders initially used to distribute Locky. This allows them to automatically transform or obfuscate the script to generate new variants, thus evading traditional signature-based detection solutions.

Last week, researchers at Bitdefender released a "vaccine" for CTB-Locker, Locky, and TeslaCrypt, which should keep users safe for a while. However, these constant changes in the ransomware's behavior might soon render the proactive protection useless.

The latest changes in Locky, paired with the significant increase in its downloaders, might also suggest that the threat's spam campaigns are about to intensify, which could push the malware to the very top of the ransomware charts. Locky has already managed to infiltrate hospitals and, like recent threats such as Petya and PowerWare, it might focus on more organizations moving forward.
