Locky Ransomware Now Delivered Using Exploit Kits

Locky Ransomware first emerged in February this year, yet it has already become one of the biggest ransomware threats. The cryptoransomware has now been used in attacks in over 100 countries around the world and security experts appear no closer to cracking it. New variants are being developed frequently and at least 10 forms of the ransomware have been detected to date.

Locky is distributed via spam email messages containing infected attachments. The main method of infection is via Word macros, although the payload has been hidden in a variety of file types including excel spreadsheets and JavaScript files.

The ransomware is not particularly special, but it is proving to be highly effective. This has been attributed to the quality of the emails used to deliver the payload and the scale of the spam campaigns spreading Locky. The percentage of malicious spam emails – compared to standard spam offering cheap watches and Viagra – is typically around 2% of the total spam email volume. However, according to TrustWave, the volume of spam emails that are being used to deliver Locky now stands at 18%.

These campaigns are highly effective at delivering the ransomware to unsuspecting users, so perhaps the developers have not seen the need to move into exploit kits to deliver Locky. That is until now. CheckPoint researchers have detected Locky infections that have occurred via exploit kits, specifically the Nuclear exploit kit.

Some of the most effective ransomware campaigns use exploit kits to deliver the payload. CryptoWall, one of the most successful ransomware variants, is spread by a mixture of exploit kits and spam email. It would appear that the developers of Locky are following suit.

The developers also appear to have made changes to how Locky communicates with its C&C server. The downloader used to deliver Locky has also changed. New variants, different communication mechanisms, and changes in downloaders mean the author is managing to keep one step ahead of security researchers. Locky looks like it’s here for the long haul and could well become the new TeslaCrypt or CryptoWall.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news