Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/26/2017
09:00 AM
Connect Directly
Twitter
RSS
50%
50%

Locky Returns with a New (Borrowed) Distribution Method

A layered defense is a strong security posture for dealing with a threat like Locky, that can come in different disguises.

In our Q1 2017 Tactics and Techniques report, Cerber beat all the competition by a wide margin and achieved the top position as the most distributed ransomware via spam and drive-by downloads.

This happened while Locky mysteriously disappeared, in part because of a slow down with the Necurs botnet. But just like that, it is back in full swing thanks to the botnet’s wide scale distribution.

The first samples that came through were malicious PDF files used as a springboard to launch the now all too famous Word macros. Why insert an additional step into the attack chain? It seems threat actors have users just where they want and have mastered the art of social engineering to the point where one or two additional tasks are not a problem. 

Yet, for defenders these little changes can create issues, especially when automating the analysis of spam via sandboxes. Also, was it pure coincidence that the Necurs spam run was launched just before the weekend? 

Necurs is a resilient botnet which has distributed a variety of payloads over the years, from banking Trojans to ransomware. More recently it even did non-malware spam with pump-and-dump scams. Takedowns have only slowed down the botnet operators who can count on their malware to remain buried deep into systems, and avoid detection from major antivirus scanners.

Now that Locky is back, there is no doubt it will slowly climb back up to take the market shares that were once his. At 0.5 BTC ($623) a pop, the crooks are bound to make enough money to reinvest in the distribution channels and keep the wheel moving.

The best protection against ransomware is by performing backups on a regular basis so that in times of trouble, you can roll back your systems to a previous clean state and recover your data. However, backups are not always done regularly - if at all - or perhaps without due precautions, for example, leaving a plugged USB storage that gets infected.

IT admins will want to watch for various file types coming as attachments and, most importantly, to establish global group policies that disable certain risky features in Office (i.e. macros, OLE objects) that prevent social engineered users from making bad choices.

Locky - like any other malware - can also be mitigated in different ways, for example by blocking access to its command and control center, or simply based on its encrypting behavior. A layered defense is a strong security posture to deal with a threat that can come in different disguises.

Read the full digest on Malwarebytes Labs here.

Jérôme Segura is a senior security researcher at Malwarebytes Labs where his duties range fromstudying web exploits to tracking down online scammers. He spent over five years cleaning malware offpersonal computers using existing tools and writing his own ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cybersecurity's 'Broken' Hiring Process
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/11/2017
How Systematic Lying Can Improve Your Security
Lance Cottrell, Chief Scientist, Ntrepid,  10/11/2017
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Malwarebytes protects businesses against malicious threats that escape detection by traditional antivirus solutions. Malwarebytes Anti-Malware, the companys flagship product, has a highly advanced heuristic detection engine that has removed more than five billion malicious threats from computers worldwide. SMBs and enterprise businesses worldwide trust Malwarebytes to protect their data. Founded in 2008, the company is headquartered in California with offices in Europe, and a global team of researchers and experts. For more information, please visit us at www.malwarebytes.com/business.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.