The ransomware called Locky, which was considered a major player in the ransomware market, reemerged in April after its disappearance in March 2017. The ransomware made its return after the shutdown of the Necurs botnet, which is known to be responsible for distributing the Dridex and Locky malware. The break between the disappearance and revival of the infection lasted only a few weeks, and a new wave of malicious emails carrying a fake .pdf attachment has since hit unsuspecting computer users.
The Locky ransomware scheme is not new: the email subject line invites the user to open an invoice or a payment receipt. This tactic is very often used to deceive small and medium businesses, governments, healthcare institutions, transportation corporations, individual users, etc. The subject lines of the emails distributing the Locky ransomware vary, but some of the latest ones include "Receipt 435", "Payment#229", "Payment Receipt_739", "Payment-2677", and "Payment Receipt 2724." It is essential to be very careful with such emails, as their subject lines do not provide any specific information. The infection usually starts only when the attachment is opened or downloaded; hence, if no service or product has been ordered lately, it is advisable to ignore the invoice. Moreover, nowadays invoices are usually sent to the buyer immediately after the purchase, as they are generated automatically.
Another trick played on the recipients of malicious spam is that the malware distributors use the names of existing organizations, such as Symantec or Crown Holdings, as senders. Sometimes the name of a real person is chosen when the attack is carried out in a specific region. Checking the sender name alone is therefore unlikely to give any useful result. For example, the fake .pdf file executing the Locky malware may appear to be sent from stmargaretsbrookfield.org.uk, which refers to the parish church of St Margaret.
It is also important to pay attention to the file name of the attachment. When the file is named randomly, e.g., P2724.pdf or P435.pdf, as in the case of the latest Locky version, it is a sign that the content of the file should not be taken at face value.
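As an added defender-side example (not code from the original article), the lure traits described in the two paragraphs above, generic invoice or receipt subjects ending in a random number and attachments named as a single letter plus digits, can be turned into a simple mail-gateway triage rule; the log line format, the scoring thresholds and the sample lines are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Subject lines quoted on the page: "Receipt 435", "Payment#229", "Payment Receipt_739", ...
SUBJECT_RE = re.compile(r"^(?:payment(?:[\s_#-]*receipt)?|receipt)[\s_#-]*\d{2,6}\.?$", re.I)
# Attachment names from the page, P2724.pdf and P435.pdf: one letter plus digits.
ATTACHMENT_RE = re.compile(r"^[a-z]\d{2,6}\.pdf$", re.I)
# Macro-capable Office formats, e.g. the "Untitled(354).docm" lure mentioned elsewhere on the page.
MACRO_EXTS = (".docm", ".xlsm", ".dotm")
# Hypothetical mail-gateway log format, constructed for this example.
LOG_RE = re.compile(r'from=(\S+) subject="([^"]*)" attachment=(\S*)')

@dataclass
class Verdict:
    sender: str
    attachment: str
    score: int = 0
    reasons: list = field(default_factory=list)

def score_event(sender, subject, attachment):
    """Score one delivery; a score of 2 or more is worth holding for analyst review."""
    v = Verdict(sender, attachment)
    if SUBJECT_RE.match(subject.strip()):
        v.score += 1
        v.reasons.append("invoice/receipt subject carrying only a random number")
    if ATTACHMENT_RE.match(attachment):
        v.score += 1
        v.reasons.append("attachment named as a single letter plus digits")
    if attachment.lower().endswith(MACRO_EXTS):
        v.score += 2
        v.reasons.append("macro-enabled Office attachment")
    return v

def triage(log_lines):
    """Parse gateway lines and return the verdicts at or above the hold threshold."""
    held = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:  # lines that do not match the constructed format are ignored
            v = score_event(*m.groups())
            if v.score >= 2:
                held.append(v)
    return held

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    'from=billing@example.test subject="Payment Receipt 2724" attachment=P2724.pdf',
    'from=accounts@example.test subject="Payment#229" attachment=P229.pdf',
    'from=hr@example.test subject="Documents Requested" attachment=Untitled(354).docm',
    'from=alice@example.test subject="Re: Q2 roadmap" attachment=roadmap_v3.pdf',
]
```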
When the .pdf file is opened, it launches a Word document with embedded macros. A narrow toolbar-like bar appears on the screen, asking the user to click the Enable content button. This prompt may stop security-aware users from enabling macros, but little is known about how often that happens. Once the Enable content button is clicked, an encrypted text file is downloaded from sherwoodbusiness.com/9yg65 and converted to redchip2.exe (a 32-bit build), which is placed in the %Temp% directory.
Microsoft Office 2010 and later versions have Protected View, which opens documents in read-only mode without editing functions. This mode should be left enabled so that files with embedded infections are not executed; leaving the read-only mode to edit the content allows the embedded macros to run, with unwanted results.
Analyses of different Locky versions have shown that this ransomware arrives on a PC with a full set of features designed to prevent users from restoring their encrypted data. The basic features of the Locky ransomware are custom encrypted communication, Bitcoin payment, and strong RSA-2048 and AES-128 file encryption. The threat can encrypt over 160 file types, including databases and virtual disks. One Locky version is known to have a hard-coded seed in its domain generation algorithm, allowing the developers of this threat to deactivate the infection on Russian computers. The latest version of the Locky malware also uses RSA-2048 and AES-128 encryption and appends the .OSIRIS extension to each encrypted file. Unfortunately, files encrypted by this threat still cannot be decrypted.
Throughout its short life span, the Locky ransomware has been used in several aggressive attacks. It was first detected in February 2016 and is known to have been distributed by the Necurs botnet. Two days later, a new variant was spreading, encrypting different types of files and appending the .locky extension. The first 16 characters of the new file name were the victim's unique ID, followed by the file name. The ransom demanded ranged from $210 to $420 USD.
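As an added defender-side example (not from the original article), the naming artifacts described in this and the preceding paragraph, the .locky and .OSIRIS extensions and the 16-character victim ID prefix, can drive a simple rename-burst detector over file-audit events; the audit line format, the 60-second window, the threshold and the sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Extensions the page attributes to Locky variants (.locky and .OSIRIS) and the
# naming described above: the first 16 characters of the new name are the victim ID.
ENC_NAME_RE = re.compile(r"^(?P<victim>.{16})(?P<tail>.*)\.(?P<ext>locky|osiris)$", re.I)
# Hypothetical file-audit line, constructed for this example:
#   2017-04-21T10:15:02 RENAME budget.xlsx -> <new name>
EVENT_RE = re.compile(r"^(\S+) RENAME (\S+) -> (\S+)$")

def parse_target(name):
    """Return (victim_id, ext) when a new name follows the Locky pattern, else None."""
    m = ENC_NAME_RE.match(name)
    return (m.group("victim"), m.group("ext").lower()) if m else None

def detect_burst(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag a ransomware-style burst: at least `threshold` Locky-style renames
    within one sliding `window`. Returns (alert, window_start, victim_ids)."""
    hits = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        parsed = parse_target(m.group(3))
        if parsed:
            hits.append((datetime.fromisoformat(m.group(1)), parsed[0]))
    start = 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1  # slide the window forward past stale hits
        if end - start + 1 >= threshold:
            ids = sorted({victim for _, victim in hits[start:end + 1]})
            return True, hits[start][0].isoformat(), ids
    return False, None, []

# Constructed audit events (not from a real incident); note the benign rename
# mixed into the burst and the isolated legitimate rename an hour later.
SAMPLE_EVENTS = [
    "2017-04-21T10:15:02 RENAME budget.xlsx -> 0123456789ABCDEF0F1E2D3C4B5A6978.locky",
    "2017-04-21T10:15:03 RENAME photo.jpg -> photo_edited.jpg",
    "2017-04-21T10:15:05 RENAME report.docx -> 0123456789ABCDEF1122334455667788.locky",
    "2017-04-21T10:15:09 RENAME notes.txt -> 0123456789ABCDEFAABBCCDDEEFF0011.osiris",
    "2017-04-21T11:40:00 RENAME draft.doc -> draft_final.doc",
]

if __name__ == "__main__":
    print(detect_burst(SAMPLE_EVENTS))
```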
The emails sent to the victims could be recognized as suspicious because their subject lines provided no precise information. For example, the subject line of the email sent on August 9th was "Documents Requested", with an attachment named "Untitled(354).docm." The attachment named "Vicky has asked me to forward you the finance documents (Please see attached)" was sent on August 15th with the subject line "Emailing - 1050742880188." Malware researchers strongly advise computer users against interacting with such emails, as the consequences cannot be foreseen.
Last year, because of successful phishing campaigns, each of the three wallets associated with the Locky ransomware earned over $50 million. On February 5th, 2016, Hollywood Presbyterian Medical Center was attacked by a ransomware infection that demanded $17,000 in bitcoin. The hospital staff was prevented from using the institution's computers. In order to restore normal operations as quickly as possible, the institution paid the ransom. Healthcare institutions are only one type of ransomware target. Others include telecommunications, transportation, manufacturing, service providers, entertainment firms, and companies from other sectors.
In January 2017, the Locky ransomware was known to hold nearly 70% of the market share, making it a very strong competitor of the Cerber malware. However, by March, Locky's market share had dropped to under 2 percent. The Necurs botnet going offline, which reduced the number of infected computers, has been considered one of the major causes of the change. Moreover, malware researchers speculated that the group behind the ransomware had decided on a new business plan. The actual reason remains unclear, but the fact that the new spam wave took place a few weeks after the Necurs botnet vanished suggests that this short break was used to plan new phishing attacks.