Locky Ransomware Morphs as Spam Attacks Spike

Jack

Locky, an emerging ransomware threat that first burst on the scene in February, has already started to mutate and morph into new variants. The changes come just as researchers observe a fresh spike in propagation.

Locky is distributed via email attachments, specifically Word documents disguised as invoices. The docs contain macros which download and install the ransomware. When originally discovered, the botnet behind the spam mail was found to be the same as that which delivers the majority of emails containing the infamous Dridex trojan. Locky is also spread via exploit kits.

As for the ransomware itself, Locky encrypts files based on their extension and replaces the desktop background with the ransom message. Victims are told to visit one of several .onion or tor2web links to buy Bitcoin, send the coins to a specific address, and wait for their decryptor download.

According to Check Point researchers, new characteristics in Locky’s communication have now been observed in the wild as part of a new distribution campaign. Initially, Locky’s communication mechanism was well known across the community for displaying a particular pattern; however, Check Point said that since March 22 it has seen a major drop in logs matching it.

“Assuming that Locky probably didn’t go silent all of a sudden, we tried to actively uncover changes in its activity and discover new findings,” the researchers said in a short analysis. At first, a change in headers was uncovered, and then the communication path changed a second time.

“In the midst of our ongoing research of exploit kits, we encountered a second change in the Locky variant delivered by the Nuclear EK,” researchers said. “This time the changes were more drastic, both in the downloader dropped by the EK, and in the C&C key exchange protocol.”

Read more: Locky Ransomware Morphs as Spam Attacks Spike