Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/26/2017
09:00 AM
Connect Directly
Twitter
RSS
50%
50%

Locky Returns with a New (Borrowed) Distribution Method

A layered defense is a strong security posture for dealing with a threat like Locky, that can come in different disguises.

In our Q1 2017 Tactics and Techniques report, Cerber beat all the competition by a wide margin and achieved the top position as the most distributed ransomware via spam and drive-by downloads.

This happened while Locky mysteriously disappeared, in part because of a slow down with the Necurs botnet. But just like that, it is back in full swing thanks to the botnet’s wide scale distribution.

The first samples that came through were malicious PDF files used as a springboard to launch the now all too famous Word macros. Why insert an additional step into the attack chain? It seems threat actors have users just where they want and have mastered the art of social engineering to the point where one or two additional tasks are not a problem. 

Yet, for defenders these little changes can create issues, especially when automating the analysis of spam via sandboxes. Also, was it pure coincidence that the Necurs spam run was launched just before the weekend? 

Necurs is a resilient botnet which has distributed a variety of payloads over the years, from banking Trojans to ransomware. More recently it even did non-malware spam with pump-and-dump scams. Takedowns have only slowed down the botnet operators who can count on their malware to remain buried deep into systems, and avoid detection from major antivirus scanners.

Now that Locky is back, there is no doubt it will slowly climb back up to take the market shares that were once his. At 0.5 BTC ($623) a pop, the crooks are bound to make enough money to reinvest in the distribution channels and keep the wheel moving.

The best protection against ransomware is by performing backups on a regular basis so that in times of trouble, you can roll back your systems to a previous clean state and recover your data. However, backups are not always done regularly - if at all - or perhaps without due precautions, for example, leaving a plugged USB storage that gets infected.

IT admins will want to watch for various file types coming as attachments and, most importantly, to establish global group policies that disable certain risky features in Office (i.e. macros, OLE objects) that prevent social engineered users from making bad choices.

Locky - like any other malware - can also be mitigated in different ways, for example by blocking access to its command and control center, or simply based on its encrypting behavior. A layered defense is a strong security posture to deal with a threat that can come in different disguises.

Read the full digest on Malwarebytes Labs here.

Jérôme Segura is a senior security researcher at Malwarebytes Labs where his duties range fromstudying web exploits to tracking down online scammers. He spent over five years cleaning malware offpersonal computers using existing tools and writing his own ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.