Locky Returns via Spam and Dropbox-Themed Phishing Attacks


Massive Ransomware Campaign Flings 23 Million Emails in Just 24 Hours

A new Locky campaign infects victims via ransomware-laced spam messages as well as via fake Dropbox phishing pages. (Source: Peter Kruse)

A new attack campaign has been flinging phishing messages as well as ransomware-laced spam emails at potential victims in massive quantities.


The attack campaign involves crypto-locking Locky ransomware.

“Beware. Don’t fall for this. Locky is horrid,” says Alan Woodward, a computer science professor at the University of Surrey.

The campaign began Monday, according to cloud-based cybersecurity provider AppRiver, which counted more than 23 million related spam emails having been sent in less than 24 hours. That makes it “one of the largest malware campaigns that we have seen in the latter half of 2017,” says Troy Gill, manager of security research for AppRiver, in a blog post.

Finnish security firm F-Secure says that the majority of the spam messages that its systems are currently blocking relate to Locky. It notes that some spam contains links to infected sites, while other messages carry malicious attachments.

If a system becomes infected with this strain of Locky, crypto-locked files will have the extension “.lukitus” added, which is a Finnish word variously translated by native speakers as “locking” or “locked,” according to F-Secure.

The Lukitus variant of Locky was first spotted last month. Rommel Joven, a malware researcher with security firm Fortinet, warned that it was being distributed via email attachments as part of a massive spam campaign being run by one of the world’s biggest botnets, Necurs, which has historically been the principal outlet for Locky attacks (see Locky Ransomware Returns With Two New Variants).

Spam Can Carry Locky Attachments

AppRiver says emails related to the new Locky campaign have featured a variety of subject lines, including these words: documents, images, photo, pictures, please print, scans.

“Each message comes with a zip attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary zip file,” Gill says. “Once clicked, [the] VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the user’s now-encrypted files.”

The ransomware then drops a ransom note on the victim’s desktop. “The victim is instructed to install the Tor browser and is provided an .onion (aka Darkweb) site to process payment of 0.5 bitcoins” – currently worth $2,400 – Gill says. “Once the ransom payment is made the attackers promise a redirect to the decryption service.”
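As an added example that is not part of the article and not AppRiver’s code, the Python below does what a mail-gateway check for this campaign would do: it walks a zip attachment, descends into any zip nested inside it, and flags script files (the .vbs the spam carries, plus .js, since the phishing variant described later uses a JavaScript dropper). The sample attachment is constructed inline and its VBS body is an inert comment.

```python
import io
import zipfile

# File types this campaign is reported to deliver: VBS inside a nested zip,
# and a JavaScript dropper on the fake Dropbox pages.
SCRIPT_EXTENSIONS = (".vbs", ".js")
MAX_DEPTH = 3  # refuse to follow zip-in-zip chains deeper than this


def find_nested_scripts(data, depth=0, prefix=""):
    """Return paths of script members in a zip, recursing into inner zips.

    Paths read outer.zip/inner.zip/member, so the zip -> zip -> .vbs nesting
    that the Locky spam relies on is visible in the result.
    """
    if depth > MAX_DEPTH:
        return []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip at all, nothing to inspect here
    hits = []
    for member in archive.namelist():
        lower = member.lower()
        if lower.endswith(SCRIPT_EXTENSIONS):
            hits.append(prefix + member)
        elif lower.endswith(".zip"):
            inner = archive.read(member)
            hits.extend(find_nested_scripts(inner, depth + 1, prefix + member + "/"))
    return hits


def should_quarantine(data):
    """Gateway policy: hold any zip whose nested contents include a script."""
    return bool(find_nested_scripts(data))


def build_sample_attachment():
    """Constructed sample: outer zip -> inner zip -> inert placeholder .vbs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan_0012.vbs", "' constructed placeholder, does nothing\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("scan_0012.zip", inner.getvalue())
    return outer.getvalue()
```

Running `find_nested_scripts(build_sample_attachment())` yields `['scan_0012.zip/scan_0012.vbs']`, which is the shape a quarantine rule can key on without executing anything in the archive.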

Locky decryption service, located on a darknet (.onion) site. (Source: AppRiver)

As of Friday, meanwhile, Xavier Mertens, a freelance security consultant based in Belgium, says he’s seeing a new wave of malicious spam that uses emails that pretend to carry voice messages.

Dropbox-Themed Phishing Variation

Not all of the Locky spam emails arrive with malicious attachments; some are designed as phishing attacks that redirect users to real-looking but malicious sites.

Peter Kruse, an e-crime specialist at CSIS Security Group in Denmark, says some emails related to this ransomware campaign are skinned to look like they’ve come from Dropbox. Some will attempt to trick recipients into clicking on a “verify your email” link.

If victims click on the link, they’re redirected to one of a number of websites. Often, these are legitimate sites or hosting accounts that have been accessed by attackers who add a malicious “dropbox.html” file to the home directory.

List of domains to which some current Locky phishing emails have been linking. Note: Visiting these domains may result in a Locky ransomware infection. (Source: Pastebin)

The dropbox.html file that loads is designed to look like the legitimate Dropbox site.

Clicking on a link can result in a zipped attack file being downloaded, per the VBS attack detailed above, according to JamesWT, who’s a member of the anti-malware research group called Malware Hunter Team.

Alternatively, clicking on the link may result in the site attempting to execute a malicious JavaScript file that functions as a dropper, meaning it then attempts to download a payload file, which is Locky.

It’s not clear how many people may have fallen victim to the new Locky campaign or have paid the demanded ransom. The bitcoin address shown in one related ransom message, for example, has received no payments.

View of a desktop infected by Locky, after it has crypto-locked files. (Source: @JAMESWT_MHT)

Locky: No Free Decoder

Security researchers have sometimes been able to create free decryptors for victims whose files have been crypto-locked – and the originals deleted – by ransomware (see Two New Ransomware Decryptors Give Victims a Free Out).

Such decryptors may exploit errors ransomware developers made when attempting to implement their encryption scheme. Or sometimes, the encryption keys used by attackers can fall into security researchers’ hands, for example, if police bust a cybercrime gang, if a rival gang hacks and doxes their competition, or if attackers simply show some belated remorse.

Unfortunately, “there currently are no publicly shared methods to reverse this Locky strain,” AppRiver’s Gill says.

To defend against ransomware attacks, and avoid ever having to consider paying a ransom, security experts recommend using anti-malware software and keeping the software, as well as its signatures, as current as possible. Also keep current backups of all systems, and store those backups offline, because many types of crypto-locking malware can encrypt not just files on local hard drives, but also files reachable via the network or cloud services.
