Locky Ransomware On Aggressive Hunt
A new variant of ransomware known as Locky (detected by Symantec as Trojan.Cryptolocker.AF) has been spreading quickly since it first appeared on Tuesday (February 16). The attackers behind Locky have pushed the malware aggressively, using massive spam campaigns and compromised websites. Millions of spam emails spread the new ransomware variant on the day it first appeared.
The spam campaigns spreading Locky are operating on a massive scale. FireEye researchers have spotted a Locky ransomware campaign targeting the healthcare sector around the world.
One of the main routes of infection has been through spam email campaigns, many of which are disguised as invoices. Word documents containing a malicious macro are attached to these emails. Symantec detects these malicious attachments as W97M.Downloader. If this macro is allowed to run, it will install Locky onto the victim’s computer. Locky encrypts files on victims’ computers and adds a .locky file extension to them. The ransom demand varies between 0.5 to 1 bitcoin (approximately US$210 to $420).
The healthcare sector is one of the most lucrative targets for cyber-criminals these days: “Cyber crime has found its sweet spot. Healthcare records are valuable and system uptime is so critical that hospitals are more likely to pay a ransom quickly in order to get their files back.” Reports indicate that over 23 million messages have been sent in this campaign. The messages carry common subject lines such as "please print", "documents", "photo", "Images", "scans" and "pictures". However, the subject lines may change in targeted spear-phishing campaigns.
The messages contain "zip" attachments with Visual Basic Scripts (VBS) embedded in a secondary zip file. The VBS file contains a downloader which polls the domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky ransomware. For details regarding Locky ransomware, please refer to the alert on Locky ransomware issued in February 2016, here: http://www.cyberswachhtakendra.gov.in/alerts/locky_ransomware.html
There is also an advisory on the subject from the IT department (CERT, MeitY, Govt. of India). It is also reported that a spam campaign using links to fake Dropbox sites is being used to spread Locky variants. If the pages are viewed in Chrome or Firefox, they show a fake notification stating “you don't have the HoeflerText font”. These fake notifications have an "update" button that returns a malicious JavaScript (.js) file. Users are advised to exercise caution while opening emails, and organizations are advised to deploy anti-spam solutions and update spam block lists.
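The attachment pattern described above (a zip whose only payload is a secondary zip carrying a VBS or JS downloader) can be flagged at the mail gateway before a user ever opens it. The following is an added example, not code from the article or from any vendor named in it; the sample archives it builds are constructed in memory with placeholder content and are not real malware.

```python
"""Flag mail attachments matching the Locky delivery pattern:
a zip archive that contains a secondary zip holding a script downloader."""
import io
import zipfile

# Script extensions a mail gateway should treat as active content (assumption).
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def find_script_entries(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return 'outer.zip/inner.vbs'-style paths of script files inside a zip,
    recursing into nested zips up to max_depth (guards against zip-in-zip bombs)."""
    hits = []
    if depth > max_depth:
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name = info.filename
                lower = name.lower()
                if lower.endswith(SCRIPT_EXTENSIONS):
                    hits.append(name)
                elif lower.endswith(".zip"):
                    inner_hits = find_script_entries(zf.read(info), depth + 1, max_depth)
                    hits.extend(f"{name}/{h}" for h in inner_hits)
    except zipfile.BadZipFile:
        pass  # not a zip at all: nothing to inspect here
    return hits


def is_suspicious_attachment(data: bytes) -> bool:
    """True when the attachment carries a script file at any nesting level."""
    return bool(find_script_entries(data))


def build_sample() -> bytes:
    """Constructed sample mimicking the reported layout: zip -> zip -> .vbs (no payload)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("scan_0042.vbs", "' constructed placeholder, no downloader code\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample() -> bytes:
    """Constructed benign attachment: a zip with a single PDF placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()
```

Run against real attachments, the function returns the nested path of every script entry, which is enough to quarantine the message and record the indicator.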