It’s been difficult to keep track of all the different strains of ransomware that have plagued users over the last year or two. Unlike many of them the latest to grab headlines is spreading through a decidedly old school vector: document-based macros.
Named Locky, the ransomware appears to borrow a technique from the Dridex banking malware. Victims receive an email with an attachment disguised as an invoice. Once the user opens the document, a rigged Word file, they’re encouraged to enable macros. After doing so the malware downloads an executable, executes and begins encrypting users’ files.
Like most strains of ransomware, text files left behind by the attackers warn victims their files have been encrypted and that to retrieve them they’ll need to download Tor, visit a special site, and pay a certain amount of Bitcoin.
Several firms have reportedly come across the ransomware, including a trio of researchers at Palo Alto Networks who observed more than 446,000 sessions initiated by Bartalex, a macro downloader that dropped Locky onto machines across the United States, Canada, and Australia. Bartalex has previously been spotted dropping malware like Pony loader and the Dyre banking Trojan though Word and Excel macros.
The connection between Dridex and Locky doesn’t appear to be accidental, researchers claim.
Brandon Levene, Micah Yates, and Rob Downs, threat researchers with Palo Alto, believe there’s a connection between the two groups, especially given the “similar styles of distribution, overlapping filenames, and an absence of campaigns.”
According to Lawrence Abrams, who blogs at BleepingComputer.com and has also seen Locky, the ransomware renames files with a random series of numbers and letters, followed by the format”.locky.” Perhaps more troubling, the malware encrypts data on unmapped network shares, a trend Abrams predicts may be the new normal when it comes to ransomware.
“Encrypting data on unmapped network shares is trivial to code and the fact that we saw the recent DMA Locker with this feature and now in Locky, it is safe to say that it is going to become the norm,” Abrams wrote Tuesday.
According to another group of researchers at Fortinet, who also came across the malware, the way it reports to command and control servers and its domain generation algorithm capabilities – which resemble CryptoLocker’s – suggest the criminals behind Locky are experienced.
Kevin Beaumont, who blogs about security on his personal Medium blog, wrote Wednesday that he was able to intercept Locky traffic and record the following visualization:
Live #Locky visualisation. pic.twitter.com/tVRULtidNT
— Kevin Beaumont (@GossiTheDog) February 17, 2016
Beaumont, who tweeted at one point he was seeing 3,680 successful Locky infections an hour via a command and control domain he registered, estimated that at its current rate, approximately a quarter of a million of PCs could be infected after just three days.
I'm seeing 3680 new successful #Locky infections per hour via the C2 domain I registered.
— Kevin Beaumont (@GossiTheDog) February 17, 2016
Earlier this week reports surfaced that ransomware managed to cripple a Los Angeles area hospital, Hollywood Presbyterian Medical Center. According to a local Fox affiliate hospital workers shut down machines there earlier this month after attackers demanded 9,000 Bitcoin, or just over $3M to unlock their records.
According to the Los Angeles Times officials at the hospital didn’t call the Los Angeles Police Department until last week and the FBI stepped in from there. In the meantime doctors have reportedly gone analog: Relying on paper notes and documents to get by.
