The intense spam campaigns signal a new attack strategy for those behind Locky ransomware. The threat vector itself, spam email, is not new at all. “The sheer volume and high influx of Locky ransomware spam over the past weeks is what makes it noteworthy,” said Rodel Mendrez, a security researcher with Trustwave, in an email exchange with Threatpost.
The campaigns, Trustwave said, are originating from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex banking trojan.
“The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware – ransomware,” wrote Mendrez in a security bulletin posted to the company’s SpiderLabs research blog. “It’s the same botnet, different day, and different payload,” Mendrez wrote.
In the case of the Dridex banking malware, victims received an email attachment disguised as an invoice that was actually a document-based macro attack.
A unique webpage is generated for each victim that can only be accessed through the Tor anonymous browser, Trustwave reports. This page contains a bitcoin payment setup through which the victim can pay for a decrypter tool.
Trustwave recommends administrators bolster their spam defenses by blocking the Locky spam attacks at the email gateway, filtering out inbound email with .js attachments and Office documents with macros.
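One way to implement the gateway filter Trustwave recommends, as an added example that is not Trustwave's or Threatpost's code: it parses a constructed message and flags .js attachments and zip-based (OOXML) Office documents that carry a VBA project. Legacy binary .doc/.xls files are not inspected here; the sample message, filenames and attachment contents are all constructed for the example.

```python
"""Gateway-style attachment check: flag .js attachments and OOXML Office
documents that contain a VBA macro project (a vbaProject.bin inside the zip)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTENSIONS = (".js",)
OFFICE_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".docx", ".xlsx", ".pptx")


def has_vba_project(data: bytes) -> bool:
    """True if a zip-based Office file carries a VBA project (macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML (legacy OLE files need a different parser)


def suspicious_attachments(msg: EmailMessage) -> dict[str, str]:
    """Map each attachment filename that should be blocked to the reason."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            findings[name] = "script attachment"
        elif name.lower().endswith(OFFICE_EXTENSIONS) and has_vba_project(data):
            findings[name] = "office document with macros"
    return findings


def scan_raw_message(raw: bytes) -> dict[str, str]:
    """Entry point a gateway would call with the message bytes it received."""
    return suspicious_attachments(message_from_bytes(raw, policy=policy.default))


def build_docm_with_macro() -> bytes:
    """Constructed minimal OOXML container with a (placeholder) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed invoice-themed message with one benign and two flagged parts."""
    msg = EmailMessage(policy=policy.default)
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "ap@example.test", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"var x = 'constructed';", maintype="application", subtype="javascript", filename="invoice_2016.js")
    msg.add_attachment(build_docm_with_macro(), maintype="application", subtype="octet-stream", filename="Invoice.docm")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()
```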