Locky Variant Changes C2 Communication, Found in Nuclear EK

Magnitude exploit kit malvertising ransomware cryptowall

A Locky ransomware variant is finding new life by mixing up its attack strategy.

Security experts warn companies need to brace for new harder-to-detect and more determined variants of the Locky ransomware spotted recently in the wild. The news comes just as reported Locky ransomware attacks have waned in recent weeks.

Locky is now trying to evade detection by changing the way the ransomware communicates from an infected computer to a remote server that downloads the actual Locky ransomware, according to Check Point Software Technologies, based in San Carlos, Calif.

Check Point said it has also detected Locky ransomware delivered via the Nuclear Exploit Kit for the first time. “This shows a maturing of Locky from its primary means of distribution (spam) to one that enlists the help of black market exploit kit vendors,” said researcher Maya Horowitz, group manager of Check Point’s Intelligence Operations Groups.  

She said that Locky is slowly following the lead of top ransomware variants CryptoWall and TeslaCrypt that are spread evenly by spam and exploit kits. Locky, is still primarily spread via spam, Horowitz said.

Check Point has observed at least two recent changes in the way Locky communicates between an infected computer and the command and control server that delivers the Locky payload. Horowitz said it’s vitally important to understand those changes in order to thwart attacks.

The changes are not dramatic, she said. Rather attackers have simply changed the order of the command requests from the infected computer – just enough – to fool security scans looking for the Locky ransomware communication. Those technical changes are outlined in a Check Point research brief posted Monday.

“The communication has yet again changed,” wrote Check Point. “In the midst of our ongoing research of exploit kits (EK), we encountered a second change in the Locky variant delivered by the Nuclear EK. This time the changes were more drastic, both in the downloader dropped by the EK, and in the C&C key exchange protocol.”

According Check Point, Locky has been potent since its initial detection on Feb. 16 – with attempts to infect customers logged in more than 100 countries. The preferred Locky attack vector has been email messages that contain an attached Word document embedded with a malicious macro. Once the macro is engaged, a script is initiated and Locky is downloaded onto a victim’s PC. Check Point’s latest research hopes to alert the security community to the new way Locky is communicating outside of the infected computer before the Locky ransomware is downloaded to the system.

Since its detection in February, Check Point researchers have documented at least 10 different Locky downloader variants. In those cases, each variant has tried to avoid detection by hiding the Locky payload in different file types (.doc, .docm, .xls and also .js) that claim mostly to be invoice attachments.

Locky, according to Check Point, is not a particularly unique ransomware. Instead, Locky’s deadly success is attributed to effective spam campaigns.

Security firm Trustwave, in a March 10 report, said it was tracking a massive spam attack that included the Locky ransomware. At the time, Trustwave reported, malware-laced spam tied to Locky had represented 18 percent of total spam collected in its honeypots during a seven-day campaign. Trustwave said malware-infected spam typically represent less than 2 percent of total spam.

Suggested articles