Ransomware with apparent links to a Dridex botnet affiliate has been spotted attempting to infect at least 450,000 computer users.
Brandon Levene, Micah Yates, and Rob Downs, all security researchers for Palo Alto Networks, have provided some backstory on the malware, nicknamed “Locky,” in a blog post published on Tuesday:
“Using Palo Alto Networks AutoFocus, Unit 42 observed over 400,000 individual sessions containing the Bartallex macro downloader, which in turned dropped Locky ransomware onto victim machines. Researchers suspect there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky.”
A commonly-encountered banking trojan, Dridex was thought to have been at least partially taken out in October of last year. However, researchers spotted the malware earlier this year targeting several UK banks.
It would now appear those operating the Dridex botnet affiliate have decided that ransomware is a more lucrative payload than a regular trojan.
The Locky infection process begins with a fake financial spam email that comes with a malicious Microsoft Word document attached, such as this one described on Dynamoo’s blog:
From: June Rojas <>
Date: 16 February 2016 at 09:34
Subject: ATTN: Invoice J-06593788
Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.
Let us know if you have any questions.
We greatly appreciate your business!
If the user opens the attachment and enables macros, embedded code will execute the malware on the machine.
It is interesting to note that there is a chance to stop the encryption process. Unlike other ransomware, which generate a random encryption key locally, Locky performs a key exchange in memory via its command and control (C&C) infrastructure. If a user were therefore able to disrupt the C&C communication, such as by disconnecting from the web, they could stop the encryption process in its tracks.
If the communication proceeds uninterrupted, however, a ransom screen loads on the computer and redirects the user to the payment portal page:
By this time, the ransomware has encrypted all documents, including those on connected network drives, as hash.locky files and has deleted all VSS snapshots.
Most of the 446,000 individual infection sessions observed by Palo Alto Networks occurred in the United States.
Assuming a 50% infection rate and a one percent payment rate of 0.5 BTC, the attackers can expect to net several hundreds of thousands of dollars via the ransomware.
The research team at Palo Alto Networks believes that the developers of the Locky ransomware have lofty aspirations:
“Locky is aiming high in an effort to join the ranks of other big name ransomware families. Despite some weaknesses in its current implementation, we can expect to see further developments for this threat in the future. Ultimately, successes experienced by one attacker group embolden and inspire others. It goes without saying that cybercrime adversaries will continue to advance efforts to commoditize the already lucrative extortion of victims through encryption-based extortion.”
With this in mind, it is important that users back up their data frequently, do not enable macros on Word email attachments, and patch the software running on their computers as soon as possible.
For more advice on how you can stay protected against Locky and other forms of ransomware, read the report on Sophos’s Naked Security site.