Malware News New Locky ransomware version delivered as DLL

Solarquest

Jul 22, 2014
The criminal group behind the Locky ransomware has updated their malware, and newer versions of this threat are being installed disguised as DLL files, instead of the classic EXE binaries.

The Locky ransomware has morphed more than any other ransomware active today. The reason behind this is because the malware was created and developed by the same group that created the Dridex banking trojan, who also owns one of the most active botnets on the Internet.

As such, resources are never scarce with this group, who have the money, time, and knowledge to evolve their ransomware with new techniques at regular intervals, in order to avoid security software and keep security researchers on their toes.

Locky experiments with DLLs instead of EXEs

The latest of these changes is an update to how Locky reaches its victims and how the encryption process starts.

According to cyber-security vendor Cyren, recent Locky versions drop DLL files on infected computers, instead of EXE files. The rest of the infection chain remains as we know it.

Locky reaches victims via spam messages that have a ZIP file attached to the email body. Unzipping this ZIP drops a JavaScript file, which when executed downloads the DLL file (instead of the classic EXE).

This file is injected into a process, and its malicious code executed, which starts the file encryption operation. Another new feature is that this DLL file uses a custom packer to prevent anti-malware scanners from easily detecting it.
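The infection chain above (a JavaScript attachment run by the Windows script host fetches a DLL, which is then injected and starts encrypting files, renaming them with the .zepto extension the post mentions later) gives a defender two cheap behavioural signals. The script below is an added example, not code from the post or from Cyren; it runs two detection rules over constructed endpoint telemetry. The event schema, the timestamps, the file paths and the process name `hostproc.exe` are all assumptions made for the example.

```python
"""Two behavioural detections for the Locky/Zepto chain described in the post:
  1. a script host (wscript.exe / cscript.exe) writing a DLL to disk, which is
     the "JS downloads the DLL" step;
  2. one process renaming many files to .zepto in a short window, which is
     the encryption stage in progress.
Every event below is constructed sample telemetry, not a real log; the event
schema is an assumption made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that execute a .js attachment
RANSOM_EXT = ".zepto"                           # extension named in the post
BURST_THRESHOLD = 5                             # renames per window before alerting
BURST_WINDOW = timedelta(seconds=30)

# Constructed sample events (assumed schema).
SAMPLE_EVENTS = [
    {"time": "2016-08-31T09:00:01", "type": "file_create", "process": "wscript.exe",
     "pid": 4100, "path": r"C:\Users\victim\AppData\Local\Temp\payload.dll"},
    {"time": "2016-08-31T09:00:05", "type": "file_create", "process": "msiexec.exe",
     "pid": 2200, "path": r"C:\Program Files\Vendor\lib.dll"},   # benign installer
]
# Six rapid renames to .zepto by one process: the encryption burst.
# "hostproc.exe" is a placeholder for whatever process the DLL was injected into.
for i in range(6):
    SAMPLE_EVENTS.append({"time": f"2016-08-31T09:01:{10 + i:02d}", "type": "file_rename",
                          "process": "hostproc.exe", "pid": 4242,
                          "path": rf"C:\Users\victim\Documents\report{i}.docx",
                          "new_path": rf"C:\Users\victim\Documents\{i:032X}.zepto"})
# Two slow renames by another process, below the burst threshold (no alert).
for i, minute in enumerate((10, 25)):
    SAMPLE_EVENTS.append({"time": f"2016-08-31T09:{minute}:00", "type": "file_rename",
                          "process": "hostproc.exe", "pid": 5555,
                          "path": rf"C:\Users\victim\Desktop\note{i}.txt",
                          "new_path": rf"C:\Users\victim\Desktop\note{i}.zepto"})


def _ts(ev):
    """Parse the event timestamp (ISO 8601 in the assumed schema)."""
    return datetime.fromisoformat(ev["time"])


def detect_script_host_dll_drop(events):
    """Rule 1: a script host writing a .dll to disk. Returns the DLL paths."""
    return [ev["path"] for ev in events
            if ev["type"] == "file_create"
            and ev["process"].lower() in SCRIPT_HOSTS
            and ev["path"].lower().endswith(".dll")]


def detect_rename_bursts(events, ext=RANSOM_EXT, threshold=BURST_THRESHOLD,
                         window=BURST_WINDOW):
    """Rule 2: a process that renames >= threshold files to `ext` within `window`.
    Uses a sliding window over each process's sorted rename timestamps and
    returns the offending PIDs."""
    per_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_rename" and ev["new_path"].lower().endswith(ext):
            per_pid[ev["pid"]].append(_ts(ev))
    hits = []
    for pid, times in per_pid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append(pid)
                break
    return sorted(hits)


def run_rules(events):
    """Run both rules and return their findings keyed by rule name."""
    return {"script_host_dll_drop": detect_script_host_dll_drop(events),
            "zepto_rename_burst": detect_rename_bursts(events)}


if __name__ == "__main__":
    for rule, findings in run_rules(SAMPLE_EVENTS).items():
        print(rule, findings)
```

On the sample data rule 1 flags only the DLL written by wscript.exe (the installer's DLL is ignored), and rule 2 flags PID 4242 but not PID 5555, whose two renames fall outside the 30-second window. The rename-burst rule is keyed on the extension only because the post names it; on real telemetry a threshold on rename rate regardless of extension is the more durable signal, since the extension changes between Locky variants.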

This version locks files and appends the .zepto extension at the end, meaning this is a version of the Zepto ransomware, another name for Locky, but still the Locky ransomware.

Locky has suffered many changes

In the past, Locky has suffered many other mutations. Some have lasted, some not.

For example, Locky spam using Office documents and WSF files instead of ZIP & JS files has gone up. Other versions have used websites with vulnerable PHP forms to send the email spam, instead of the classic botnets used by the Dridex gang.

Towards the end of July, Locky experimented with embedding the entire ransomware binary in the JS file and then reconstructing the EXE file when executing the JS file, instead of downloading it from an online server.

Another version also added support for working without an Internet connection, even if it featured a weaker encryption method.

It's these constant updates that have kept Locky one step ahead of security researchers, and that's why a decrypter has never been created for Locky until now.