Locky returns from the dead with new features and an old botnet

News by Max Metzger

News of the death of Locky ransomware has been grossly exaggerated as researchers note its return to the streets, wrapped in a new package.

Locky may well be making a comeback, according to new reports. Despite news of its fading away since the beginning of 2017, two reports have noted its return.

Researchers from Cisco Talos spotted the massive Necurs botnet distributing Locky by the tens of thousands on 21 April. Meanwhile, PhishMe credited its lively resurrection with the addition of new features once associated with Dridex banking Trojans.

Locky now lures its victims into opening a PDF file as opposed to a Word document. Cyber-security training and countermeasures often teach people to look for suspicious Word or Excel documents, a traditional vector for Locky. The slight change, the reasoning goes, bypasses these mental alarms and leaves victims all the more susceptible to exploitation.

Brendan Griffin, a researcher at PhishMe, told SC Media UK that given attackers know their emails will get through technical controls, “their challenge, then, is to convince the recipient to engage with that message and its content. PDF documents are crucial for businesses everywhere and threat actors know this.”

Recent Dridex campaigns show that many potential victims are completely willing to trust PDFs.

This new feature tells us something about the actors behind it, Griffin added: “It is clear that these Locky actors have access to some of the same robust resources as Dridex users but the extent of any relationship is unclear.”

The change from Office documents to PDFs is small, but, said Griffin, “in a security landscape that places emphasis on unpatched vulnerabilities and macro-enabled Office documents, a seemingly-trustworthy PDF inserts just enough of a change that these threat actors believe it will serve them well against even the toughest security controls.”

Once the PDF is opened, it prompts the potential victim to open a Word document, from which Locky's trap is sprung.
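A defender-side check for the lure pattern described above, as an added example that is not part of the article and not code from PhishMe or Cisco Talos: it scans raw PDF bytes for the standard name objects that indicate an embedded file attachment and an automatic or scripted action, and flags the combination of an embedded Office document with such an action. The two sample PDFs are constructed skeletons for this example only, and the verdict policy is this example's own choice.

```python
import re

# Standard PDF name objects that indicate a document carries or launches
# secondary content. None is malicious on its own; the combination matters.
SUSPICIOUS_NAMES = {
    b"/EmbeddedFile": "embedded file attachment",
    b"/Launch": "launch action",
    b"/JavaScript": "JavaScript action",
    b"/OpenAction": "action on open",
    b"/AA": "additional (automatic) action",
}

# Constructed sample (not a real malware artefact): a minimal PDF skeleton with
# an embedded Word document and an open action that prompts the reader.
SAMPLE_LURE = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R
/Names << /EmbeddedFiles << /Names [ (invoice.docm) 4 0 R ] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /JavaScript /JS (app.alert\("Please open the attached document"\);) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: an ordinary single-page PDF with text content only.
SAMPLE_BENIGN = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 712 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /F (name) entries in a /Filespec dictionary name the attached file.
ATTACH_NAME_RE = re.compile(rb"/F\s*\(([^)]*)\)")
OFFICE_EXT = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf")
AUTO_ACTIONS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/Launch")


def scan_pdf(data: bytes) -> dict:
    """Return a verdict plus the evidence found in the raw PDF bytes.

    Caveat: this looks only at uncompressed object dictionaries. Many PDFs
    place these inside compressed object streams (/ObjStm), so a production
    check should decode streams with a real PDF parser before scanning.
    """
    findings = [desc for name, desc in SUSPICIOUS_NAMES.items() if name in data]
    attachments = []
    if b"/EmbeddedFile" in data:
        attachments = [m.decode("latin-1") for m in ATTACH_NAME_RE.findall(data)]
    office = [a for a in attachments if a.lower().endswith(OFFICE_EXT)]
    auto = any(n in data for n in AUTO_ACTIONS)
    # Policy for this example: an embedded Office document wired to an
    # automatic or scripted action is quarantined; any single indicator alone
    # (embedded files are common in legitimate invoices) is only flagged for review.
    if office and auto:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, scan_pdf(sample))
```

Because legitimate PDFs (PDF/A-3 e-invoices, for instance) routinely carry embedded files, the check treats a lone `/EmbeddedFile` as a review item rather than a block, and reserves the quarantine verdict for the attachment-plus-action pattern that the lure described in the article depends on.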

From there, this resurgence offers little else that's new. Locky still encrypts its victims' files and charges to decrypt them. PhishMe researchers also noted that in this wave of attacks, the ransomers demanded one bitcoin (£978), a significant increase over previous ransoms.

Locky was perhaps the most feared name and certainly the most common name in ransomware in 2016. From February until the end of 2016, it reigned supreme amongst its competitors.

Recent reports suggested that Locky had been blasted into obscurity and overtaken by a rival family, Cerber, which offers stronger encryption, and a service model which allows it to be used by even unsophisticated attackers.

A variety of reasons have been offered for Locky's fall. The first, as recorded in Malwarebytes' first quarter cybercrime report, is its failure to release updated versions and new functionality, while its competitors have been regularly innovating and upgrading. Second is its rejection by Necurs, a massive botnet which as of the end of 2016 jilted Locky in favor of financial fraud spam.

It was Necurs that was touted as behind Locky's success, too, helping the ransomware family to achieve the top spot among its competitors in 2016.

According to the Cisco Talos team's Nick Biasini, Necurs has taken the ransomware up once again. In a blog posted on 21 April, Biasini noted 35,000 Locky-loaded emails being sent out in a matter of hours.
