A massive Locky ransomware campaign spotted this month primarily targets the healthcare sector and is delivered through phishing email. The payload, researchers at FireEye said, is dropped via .DOCM attachments, the macro-enabled Word document format introduced with Office 2007.
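A mail-gateway triage check for the attachment type described above, added here as an example and not code from FireEye or from the article. It does not trust the file extension: a .DOCM is an OOXML zip package, so the script looks for the `word/vbaProject.bin` part that holds the VBA project and for the macro-enabled content type declared for the main document part in `[Content_Types].xml`, and flags a mismatch when a .docx carries either signal. The sample packages, filenames and the `inspect_word_attachment`/`triage` helper names are constructed for the demo.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML content types: the main part of a macro-enabled Word file vs. a plain one.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MACRO_ENABLED_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART = "word/vbaProject.bin"  # OLE container holding the VBA project


def inspect_word_attachment(filename, data):
    """Return a dict of macro indicators for an OOXML Word attachment (hypothetical helper).

    Two independent signals are checked instead of the extension:
      * presence of word/vbaProject.bin inside the package
      * the content type declared for /word/document.xml in [Content_Types].xml
    """
    result = {"filename": filename, "is_zip": False, "has_vba_part": False,
              "declared_macro_enabled": False, "extension_mismatch": False, "flag": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an OOXML package at all (could be legacy .doc or junk)
    result["is_zip"] = True
    names = set(zf.namelist())
    result["has_vba_part"] = VBA_PART in names
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for override in root.iter(f"{{{CT_NS}}}Override"):
            if override.get("PartName") == "/word/document.xml":
                result["declared_macro_enabled"] = (
                    override.get("ContentType") == MACRO_ENABLED_MAIN_CT)
    suspicious = result["has_vba_part"] or result["declared_macro_enabled"]
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    # A .docx with a VBA project, or a .docm without one, deserves a second look either way.
    result["extension_mismatch"] = (ext == "docx" and suspicious) or (ext == "docm" and not suspicious)
    result["flag"] = suspicious
    return result


def _build_sample(macro_enabled, include_vba):
    """Constructed minimal OOXML package for the demo; not a real attachment."""
    buf = io.BytesIO()
    main_ct = MACRO_ENABLED_MAIN_CT if macro_enabled else PLAIN_MAIN_CT
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="{CT_NS}">'
                    '<Default Extension="xml" ContentType="application/xml"/>'
                    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                    f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
                    '</Types>')
        zf.writestr("word/document.xml", "<document/>")
        if include_vba:
            # OLE magic followed by filler; a real vbaProject.bin is a full OLE compound file.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


# Constructed inbox: a macro doc, a clean doc, and a macro doc renamed to look harmless.
SAMPLES = {
    "invoice.docm": _build_sample(True, True),
    "report.docx": _build_sample(False, False),
    "renamed.docx": _build_sample(True, True),
}


def triage(samples=SAMPLES):
    """Run the check over every attachment and return results keyed by filename."""
    return {name: inspect_word_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in triage().items():
        print(name, "FLAG" if r["flag"] else "ok", r)
```

In practice the flagged files would go on to a VBA extractor for the macro body itself; this check only decides which attachments warrant that step, and it will also catch a macro-enabled document that a sender has renamed to .docx.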
Especially hard hit are hospitals in the United States followed by Japan, Korea and Thailand, according to research published Wednesday by FireEye.
Researcher Ronghwa Chong said this blitz of macro-based Locky ransomware is a new tactic for cybercriminals who in March primarily distributed Locky ransomware via spam campaigns with the payload delivered via JavaScript attachments.
“These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximize their profits,” Chong wrote. “Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”
It was just this June when researchers at Proofpoint observed an uptick in the distribution of the Dridex banking Trojan and a new version of the Locky ransomware being distributed via a resurgence of the Necurs botnet.
By taking a closer look at the spoofed Locky emails, the ransomware's network patterns and the DOCM attachments, researchers found a distinct connection between the major waves of spam pushed out this month, indicating a coordinated effort by one or more attackers.
“Each email campaign has a specific ‘one-off’ campaign code that is used to download the Locky ransomware payload from the malicious malware server,” Chong noted. Researchers also noted that the malicious URL embedded in the Locky macro code is obfuscated with the same encoding function across campaigns, with only the key changing from one campaign to the next.
Along with the healthcare sector, also hit hard this month by Locky are the telecom, transportation and manufacturing industries.
Locky ransomware is best known for a high-profile infection at Hollywood Presbyterian Medical Center in California in February; the hospital paid a $17,000 ransom to recover its files. According to security experts, attackers have singled out the healthcare sector as low-hanging fruit because it tends to rely on outdated security procedures while holding high-value assets.
Locky meanwhile has made notable gains over the last several months and now ranks as a top malware threat, according to a recent Proofpoint report (PDF). The research said that among email attacks observed in Q2 that used malicious document attachments, 69 percent featured Locky ransomware. “This is a 45 percent increase over Q1 for Locky alone,” Proofpoint said.
“The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative,” Chong wrote.