Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/26/2017
09:00 AM
Connect Directly
Twitter
RSS
50%
50%

Locky Returns with a New (Borrowed) Distribution Method

A layered defense is a strong security posture for dealing with a threat like Locky, that can come in different disguises.

In our Q1 2017 Tactics and Techniques report, Cerber beat all the competition by a wide margin and achieved the top position as the most distributed ransomware via spam and drive-by downloads.

This happened while Locky mysteriously disappeared, in part because of a slow down with the Necurs botnet. But just like that, it is back in full swing thanks to the botnet’s wide scale distribution.

The first samples that came through were malicious PDF files used as a springboard to launch the now all too famous Word macros. Why insert an additional step into the attack chain? It seems threat actors have users just where they want and have mastered the art of social engineering to the point where one or two additional tasks are not a problem. 

Yet, for defenders these little changes can create issues, especially when automating the analysis of spam via sandboxes. Also, was it pure coincidence that the Necurs spam run was launched just before the weekend? 

Necurs is a resilient botnet which has distributed a variety of payloads over the years, from banking Trojans to ransomware. More recently it even did non-malware spam with pump-and-dump scams. Takedowns have only slowed down the botnet operators who can count on their malware to remain buried deep into systems, and avoid detection from major antivirus scanners.

Now that Locky is back, there is no doubt it will slowly climb back up to take the market shares that were once his. At 0.5 BTC ($623) a pop, the crooks are bound to make enough money to reinvest in the distribution channels and keep the wheel moving.

The best protection against ransomware is by performing backups on a regular basis so that in times of trouble, you can roll back your systems to a previous clean state and recover your data. However, backups are not always done regularly - if at all - or perhaps without due precautions, for example, leaving a plugged USB storage that gets infected.

IT admins will want to watch for various file types coming as attachments and, most importantly, to establish global group policies that disable certain risky features in Office (i.e. macros, OLE objects) that prevent social engineered users from making bad choices.

Locky - like any other malware - can also be mitigated in different ways, for example by blocking access to its command and control center, or simply based on its encrypting behavior. A layered defense is a strong security posture to deal with a threat that can come in different disguises.

Read the full digest on Malwarebytes Labs here.

Jérôme Segura is a senior security researcher at Malwarebytes Labs where his duties range fromstudying web exploits to tracking down online scammers. He spent over five years cleaning malware offpersonal computers using existing tools and writing his own ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Malwarebytes protects businesses against malicious threats that escape detection by traditional antivirus solutions. Malwarebytes Anti-Malware, the companys flagship product, has a highly advanced heuristic detection engine that has removed more than five billion malicious threats from computers worldwide. SMBs and enterprise businesses worldwide trust Malwarebytes to protect their data. Founded in 2008, the company is headquartered in California with offices in Europe, and a global team of researchers and experts. For more information, please visit us at www.malwarebytes.com/business.
Featured Writers
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.