Cybercriminals behind the Locky ransomware have revamped the malware’s code three times in a 30-day period and blasted out massive spam campaigns.
According to researchers at Trustwave, the latest variant of Locky ransomware is called Ykcol (that’s Locky spelled backwards) and was part of a Sept. 19 spam blast targeting 3 million inboxes within a three-hour period. Messages were sent from the notorious Necurs botnet.
That campaign dovetails with recent campaigns that pushed out the Locky variants Lukitus and Diablo during the same 30-day period between Aug. 14 and Sept. 19. The Lukitus campaign started at the end of August and lasted more than a week, sending 15 million to 20 million emails.
“The behavior is the same, but the extensions used to encrypt the files and the malware binaries are constantly changing,” said Karl Sigler, threat intelligence manager for SpiderLabs at Trustwave. With Ykcol, encrypted files use the extension .ykcol. Sigler said Locky authors also “tweak” the malware’s binaries, only slightly changing code such as variable names or internal logic.
“They are constantly updating the malware to evade detection,” Sigler said.
As with the previous Lukitus version of Locky, the Ykcol ransomware follows the same convention and is packed with Game of Thrones references. References in the malware’s Visual Basic script include “Aria,” “HoldTheDoor,” “SansaStark,” “Throne,” and the misspelled “JohnSnow” and “RobertBaration.”
“What is most interesting with Ykcol is how it has changed its strategy when it comes to getting onto the victim’s system,” Sigler said.
Where Diablo used fake invoices and Lukitus tried everything under the sun, from malicious URLs to Office docs and compressed script files (java or .vbs), Ykcol’s strategy is to send “vague” invoices that show up blank.
“With Ykcol they appear to limit the campaign to a fake invoice with minimal information. The attachment is a 7zipped VBScript that downloads Locky,” he said. Some A/V scanners may have trouble inspecting 7zipped files, since Zip and RAR are the more typical compression formats.
If the malicious attachment is opened, a JS downloader uses either an XMLHttpRequest object (which can be used to request data from a web server) or PowerShell commands to download the binary files. The attachment’s macro script is also responsible for executing the downloaded binaries.
“It’s about options. Local endpoint protection may have heuristics looking for scripts to invoke Powershell or the XMLHTTP methods of downloading. By using both, one or the other may be able to bypass those protections,” Sigler said.
He added that from Diablo to Ykcol the ransom dropped from 0.5 bitcoins to 0.25 bitcoins, or from $2000-$2500 to $1000-$1250. He also noted that while there is a free decryption key for older versions of Locky, it won’t work on the newer versions.
Over the past two years, 35 unique ransomware strains earned cybercriminals $25 million, with Locky and its many variants being the most profitable, according to a study released in July by Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. Locky has pulled in $7 million in ransomware payments since 2016.
“These behaviors reveal a constantly evolving bag of tricks, where the campaigns change daily, yet deliver the same ultimate payload,” wrote Trustwave in an upcoming blog post outlining the research.
Trustwave said it suspects Ykcol has run its course and that cybercriminals behind the Locky ransomware are already working on an updated variant.