Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments. The spike, reported by security firm Trustwave, is an extraordinary uptick in the attempted distribution of the Locky ransomware.
Trustwave said that over the last seven days, malware-laced spam has represented 18 percent of the total spam collected in its honeypots, whereas malware-laden spam typically represents less than 2 percent of the total. The recent jump to 18 percent is almost entirely attributable to ransomware JavaScript downloaders. The campaigns are not continuous, Trustwave reported, but arrive in hour-long bursts.
The intense spam campaigns signal a new attack strategy for those behind Locky ransomware. The threat vector itself, spam email, is not new at all. “The sheer volume and high influx of Locky ransomware spam over the past weeks is what makes it noteworthy,” said Rodel Mendrez, a security researcher with Trustwave, in an email exchange with Threatpost.
The campaigns, Trustwave said, are originating from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex banking trojan.
“The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware – ransomware,” wrote Mendrez in a security bulletin posted to the company’s SpiderLabs research blog. “It’s the same botnet, different day, and different payload,” Mendrez wrote.
In the Dridex case, victims received an email attachment disguised as an invoice that was actually a document carrying a malicious macro.
This most recent Locky spam campaign carries a JavaScript attachment that, when run, downloads the Locky ransomware. Locky exploits no vulnerability, Mendrez said. “It uses social engineering and takes advantage of human gullibility to infect systems. Even the up-to-date systems are not protected,” he said.
Trustwave said the typical spam message uses an invoice-related subject line. If the recipient downloads and opens the JavaScript attachment (a double-clicked .js file runs under Windows Script Host by default), the script fetches Locky, which then searches the PC’s hard drive for files matching a list of targeted extensions and encrypts them. A ransom note is dropped in every folder containing encrypted files, and the desktop background is replaced with a ransom note image reading: “All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.”
A unique webpage is generated for each victim, reachable only through the Tor anonymous browser, Trustwave reports. The page hosts a bitcoin payment setup through which the victim can pay for a decrypter tool.
Trustwave recommends that administrators bolster their spam defenses by blocking the Locky spam at the email gateway, filtering out inbound email that carries .js attachments or Office documents with macros.
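As an added illustration of that gateway check (example code written for this page, not Trustwave’s or Threatpost’s, and not a description of any product), the script below parses a raw email, walks its attachments and returns a list of reasons to block it. It goes beyond the article’s two categories in two ways that a practitioner would want: it treats the other Windows Script Host extensions the same way as .js, and it looks inside zip attachments, since a script wrapped in an archive still runs when the recipient double-clicks it. For Office files it trusts the macro-enabled extensions (.docm, .xlsm and so on) but also opens the OOXML container and looks for a vbaProject.bin part, because a renamed .docx can carry a VBA project. The sender, recipient, file names and script text in the sample message are constructed for the example; the regex-free extension lists and the nesting limit are design choices, not anything the article states.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host executes on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Office formats whose extension alone signals macro content.
MACRO_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Any OOXML container may carry a VBA project regardless of extension.
OOXML_EXTS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx"} | MACRO_EXTS
ARCHIVE_EXTS = {".zip"}


def _ext(name):
    """Last extension of a file name, lower-cased ('invoice.pdf.js' -> '.js')."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def _ooxml_has_vba(blob):
    """True if an OOXML (zip) document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_blob(name, blob, depth=0):
    """Return the reasons to block one attachment (empty list means allow)."""
    reasons = []
    ext = _ext(name)
    if ext in SCRIPT_EXTS:
        reasons.append(f"script attachment {name}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {name}")
    elif ext in OOXML_EXTS and _ooxml_has_vba(blob):
        reasons.append(f"Office document {name} contains a VBA project")
    if ext in ARCHIVE_EXTS and depth < 2:  # recurse into zip, two levels max
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    reasons += inspect_blob(info.filename, zf.read(info), depth + 1)
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected archives cannot be inspected; block them.
            reasons.append(f"unreadable archive {name}")
    return reasons


def inspect_message(raw_bytes):
    """Parse a raw RFC 5322 message and collect block reasons for every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body text, not an attachment
        reasons += inspect_blob(name, part.get_payload(decode=True))
    return reasons


def make_ooxml(with_vba):
    """Build a minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


def build_sample_message():
    """Constructed invoice-themed message with four attachments (sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the attached invoice.")
    js = b"var o = new ActiveXObject('MSXML2.XMLHTTP');"  # stand-in script text
    msg.add_attachment(js, maintype="application", subtype="octet-stream", filename="invoice.js")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("scan_0001.js", js)
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(make_ooxml(True), maintype="application", subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(make_ooxml(False), maintype="application", subtype="octet-stream", filename="terms.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in inspect_message(build_sample_message()):
        print("BLOCK:", reason)
```

Of the four attachments in the constructed sample, the clean terms.docx passes and the other three are flagged: the bare .js, the .js inside the zip, and the .docx that carries a VBA project despite its non-macro extension. In a real gateway the result would drive a quarantine rather than a print, and legacy binary .doc/.xls files (OLE2, not zip) need a separate parser such as oletools, which this example deliberately omits.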