The crooks behind the Locky ransomware are leveraging security flaws in Web-to-email PHP scripts to deliver their malware to victims.

Running a ransomware operation has its costs. Taking into account that the payout rate is only 50 percent of the infected victims and that around only 10 percent of all the people receiving spam emails end up getting infected, most of the time, ransomware operators are shooting blanks.

If you're running a massive operation as are the people behind Locky, who send hundreds of thousands of spam emails per week, serious server bills can mount up.

As such, whenever the crooks are presented with the chance of cutting down costs and raising their profits, they'll always take advantage of it.

According to Cisco's OpenDNS team, during a mid-July spam campaign, the group behind the Locky ransomware identified an unpublished vulnerability in a PHP-based Web-to-email service, which they used to make other people's servers do all the dirty work for them.

The vulnerability allowed the Locky gang to brute-force the Web form and make it send a message, with the Locky payload attached, to an email address of their choosing, instead of the standard email address the form was configured to send messages to.

Updating to the latest version of the contact form script should fix the problem

Brad Antoniewicz, the OpenDNS researcher who spotted this campaign and its mode of operation, says that at the core of the issue was a vulnerability in a PHP contact form script.

The vulnerability was discovered in the past and reported in other products, but not in this specific script. Nevertheless, its owners have inadvertently addressed the security bug in subsequent updates.

"[W]e were unable to find any publicly reported instances of these vulnerabilities in the specific PHP webforms we saw being abused," Antoniewicz notes.

"We did reach out to the vendor(s) we could identify, requesting contact information, but received no reply to date and thus we’re choosing not to identify the specific applications containing the vulnerabilities. Updating to the latest version of your PHP web-to-email form should fix the issue."