
Locky Returns via Spam and Dropbox-Themed Phishing Attacks

Massive Ransomware Campaign Flings 23 Million Emails in Just 24 Hours

A new Locky campaign infects victims via ransomware-laced spam messages as well as via fake Dropbox phishing pages. (Source: Peter Kruse)

A new attack campaign has been flinging phishing messages as well as ransomware-laced spam emails at potential victims in massive quantities.


The attack campaign involves crypto-locking Locky ransomware.

"Beware. Don't fall for this. Locky is horrid," says Alan Woodward, a computer science professor at the University of Surrey.

The campaign began Monday, according to cloud-based cybersecurity provider AppRiver, which counted more than 23 million related spam emails having been sent in less than 24 hours. That makes it "one of the largest malware campaigns that we have seen in the latter half of 2017," says Troy Gill, manager of security research for AppRiver, in a blog post.

Finnish security firm F-Secure says that the majority of the spam messages that its systems are currently blocking relate to Locky. It notes that some spam contains links to infected sites, while other messages carry malicious attachments.

More than 90% of our spam-trap traffic is currently Locky related. Using simultaneously either URLs or attachments. — News from the Lab (@FSLabs) September 1, 2017

If a system becomes infected with this strain of Locky, crypto-locked files will have the extension ".lukitus" added, which is a Finnish word variously translated by native speakers as "locking" or "locked," according to F-Secure.

The Lukitus variant of Locky was first spotted last month. Rommel Joven, a malware researcher with security firm Fortinet, warned that it was being distributed via email attachments as part of a massive spam campaign being run by one of the world's biggest botnets, Necurs, which has historically been the principal outlet for Locky attacks (see Locky Ransomware Returns With Two New Variants).

Spam Can Carry Locky Attachments

AppRiver says emails related to the new Locky campaign have featured a variety of subject lines, including these words: documents, images, photo, pictures, please print, scans.

"Each message comes with a zip attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary zip file," Gill says. "Once clicked, [the] VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the user's now-encrypted files."
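One defensive check a mail-gateway or sandbox operator could apply to the attachment pattern Gill describes (a zip, holding a second zip, holding a VBS), as an added example that is not part of the original article or of AppRiver's tooling. The sample attachment is constructed inline, and the script extensions beyond .vbs are an assumption about what an analyst would also want flagged:

```python
import io
import zipfile

# .vbs is the type named in the article; the other Windows Script Host
# extensions are an assumed addition a gateway rule would also cover.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
MAX_DEPTH = 3  # bound recursion so deeply nested archives cannot stall the scan

def find_nested_scripts(zip_bytes, depth=0, prefix=""):
    """Return paths of script files inside a zip, descending into zips
    nested within it (e.g. outer.zip/inner.zip/scan.vbs)."""
    found = []
    if depth > MAX_DEPTH:
        return found
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                lower = info.filename.lower()
                if lower.endswith(SCRIPT_EXTS):
                    found.append(prefix + info.filename)
                elif lower.endswith(".zip"):
                    inner = zf.read(info)
                    found.extend(find_nested_scripts(
                        inner, depth + 1, prefix + info.filename + "/"))
    except zipfile.BadZipFile:
        pass  # not an archive at all: nothing to descend into
    return found

def build_sample_attachment():
    """Constructed sample mirroring the campaign's layout: zip -> zip -> .vbs.
    The script body is a harmless placeholder, not the real downloader."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("scan_0412.vbs", 'MsgBox "placeholder"')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("scan_0412.zip", inner.getvalue())
    return outer.getvalue()

def lukitus_encrypted(filenames):
    """Host-side check: files already renamed with the .lukitus extension."""
    return [f for f in filenames if f.lower().endswith(".lukitus")]

if __name__ == "__main__":
    print(find_nested_scripts(build_sample_attachment()))
```

A gateway would quarantine any message whose attachment yields a non-empty list, and an endpoint monitor would alert on the first .lukitus rename rather than waiting for the ransom note.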

The ransomware then drops a ransom note on the victim's desktop. "The victim is instructed to install the Tor browser and is provided an .onion (aka Darkweb) site to process payment of 0.5 bitcoins" - currently worth $2,400 - Gill says. "Once the ransom payment is made the attackers promise a redirect to the decryption service."

Locky decryption service, located on a darknet (.onion) site. (Source: AppRiver)

As of Friday, meanwhile, Xavier Mertens, a freelance security consultant and SANS Institute Internet Storm Center contributor based in Belgium, says he's seeing a new wave of malicious spam that uses emails that pretend to carry voice messages.

New #malspam wave: "New voice message xxxx from xxxx" which delivers #Locky — Xavier Mertens (@xme) September 1, 2017

Internet Storm Center reports that some malicious messages tied to Locky are showing fake alerts stating that the HoeflerText font needs to be installed.

Dropbox-Themed Phishing Variation

Not all of the Locky spam emails arrive with malicious attachments; some are designed as phishing attacks that redirect users to real-looking but malicious sites.

Peter Kruse, an e-crime specialist at CSIS Security Group in Denmark, says some emails related to this ransomware campaign are skinned to look like they've come from Dropbox. Some will attempt to trick recipients into clicking on a "verify your email" link. Kruse says the attacks are being launched by the group tied to the Affid=3 [aka affiliate ID=3] version of Locky.

The Dropbox-themed spam mails you have been receiving the past 10 hours are indeed #locky : Affid=3 & DGA=55882, adds the .Lukitus extension. pic.twitter.com/8I3s6YdJ1u — peterkruse (@peterkruse) September 1, 2017

If victims click on the link, they're redirected to one of a number of websites. Often, these are legitimate sites or hosting accounts that have been accessed by attackers who add a malicious "dropbox.html" file to the home directory.

List of domains to which some current phishing emails have been linking. Note: Visiting these domains may result in a Locky or other ransomware infection. (Source: JamesWT post to Pastebin)

The dropbox.html file that loads is designed to look like the legitimate Dropbox site.

Clicking on a link can result in a zipped attack file being downloaded, per the VBS attack detailed above, according to security researcher JamesWT, a former member of the anti-malware research group called Malware Hunter Team.

Alternately, clicking on the link may result in the site attempting to execute a malicious JavaScript file that functions as a dropper, meaning it then attempts to download a payload file.

In some attacks, this payload file is Locky. But JamesWT tells ISMG that malware from the campaign that he uploaded to malware-checking service VirusTotal was identified as being Shade ransomware.

In response, Kruse at CSIS Security Group says that his intelligence has tied this attack campaign to the group that has long been behind the Affid=3 version of Locky. He says the variability - the JavaScript or payload sometimes leading to Locky, and other times leading to Shade - could involve the attack serving up payloads tailored to a victim's location, or signal an upcoming change of payload.

It's not clear how many people may have fallen victim to the new Locky or Shade campaigns or have paid the demanded ransom. The bitcoin address shown in one Locky ransom message, for example, has received no payments.

View of a desktop infected by Shade, after it has crypto-locked files. (Source: @JAMESWT_MHT)

Locky: No Free Decoder

Security researchers have sometimes been able to create free decryptors for victims whose files have been crypto-locked - and the originals deleted - by ransomware (see Two New Ransomware Decryptors Give Victims a Free Out).

Such decryptors may exploit errors ransomware developers made when attempting to implement their encryption scheme. Or sometimes, the encryption keys used by attackers can fall into security researchers' hands, for example, if police bust a cybercrime gang, if a rival gang hacks and doxes their competition, or if attackers simply show some belated remorse.

Unfortunately, "there currently are no publicly shared methods to reverse this Locky strain," AppRiver's Gill says.

To defend against ransomware attacks, and avoid ever having to consider paying a ransom, security experts recommend using anti-malware software and keeping both the software and its signatures as current as possible. Also keep current backups of all systems, and store those backups offline, because many types of crypto-locking malware encrypt not just files on local hard drives but also files reachable via the network or cloud services.

***

Updated (September 1) to note that some related attacks have been hitting victims with Shade ransomware instead of Locky.