- Feb 11, 2017
In the cat-and-mouse game between security providers and malware authors, cybercriminals keep innovating and experimenting – a dynamic seen in the recent resurgence of the Locky ransomware.
From a security perspective, 2016 was certainly “The Year of Locky.” In one single day last year, our systems caught 37 billion Locky emails, dwarfing the size of other malware campaigns. But Locky went quiet at the beginning of 2017, and aside from a brief revival here and there, it slipped from the conversation.
But – voila! – August arrived, and Locky experienced a major resurgence, which continues to this day. There’s a small, instructive story there – or at least a theory of mine – which shines a light on the Darwinism of the “malware marketplace.”
Wasn’t Jaff the “New Locky?”
Earlier this year I was trying to figure out why Locky stopped – it had been tremendously successful. Then along came the Jaff ransomware in May. Aha! Jaff is widely understood to be from the same cybercriminal gang behind Locky and the Dridex banking trojan (among others), and it seemed to hold answers to Locky’s mysterious disappearance.
To provide a quick background on Jaff – it came to full active life the same week as the headline-grabbing WannaCry. Many may have missed it, but my security lab team and I were certainly aware of it – in fact, the day before WannaCry took off (May 12), our security cloud caught 65 million Jaff ransomware emails delivered by the Necurs botnet. But because of the impact of WannaCry, Jaff got little attention outside of the security lab community.
Given the fact that Jaff was being distributed by the same botnet as Locky, it made sense that Jaff had perhaps replaced Locky, or at least become the favored weapon. It appeared to be a new, improved Locky in many ways – we even referred to it as “Locky 2,” and speculated amidst the WannaCry outbreak that it might be the more concerning ransomware to watch.
Read more here: Survival of the Fittest: Why Locky Ransomware is Back | SecurityWeek.Com