Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/26/2017
09:00 AM
Connect Directly
Twitter
RSS
50%
50%

Locky Returns with a New (Borrowed) Distribution Method

A layered defense is a strong security posture for dealing with a threat like Locky, that can come in different disguises.

In our Q1 2017 Tactics and Techniques report, Cerber beat all the competition by a wide margin and achieved the top position as the most distributed ransomware via spam and drive-by downloads.

This happened while Locky mysteriously disappeared, in part because of a slow down with the Necurs botnet. But just like that, it is back in full swing thanks to the botnet’s wide scale distribution.

The first samples that came through were malicious PDF files used as a springboard to launch the now all too famous Word macros. Why insert an additional step into the attack chain? It seems threat actors have users just where they want and have mastered the art of social engineering to the point where one or two additional tasks are not a problem. 

Yet, for defenders these little changes can create issues, especially when automating the analysis of spam via sandboxes. Also, was it pure coincidence that the Necurs spam run was launched just before the weekend? 

Necurs is a resilient botnet which has distributed a variety of payloads over the years, from banking Trojans to ransomware. More recently it even did non-malware spam with pump-and-dump scams. Takedowns have only slowed down the botnet operators who can count on their malware to remain buried deep into systems, and avoid detection from major antivirus scanners.

Now that Locky is back, there is no doubt it will slowly climb back up to take the market shares that were once his. At 0.5 BTC ($623) a pop, the crooks are bound to make enough money to reinvest in the distribution channels and keep the wheel moving.

The best protection against ransomware is by performing backups on a regular basis so that in times of trouble, you can roll back your systems to a previous clean state and recover your data. However, backups are not always done regularly - if at all - or perhaps without due precautions, for example, leaving a plugged USB storage that gets infected.

IT admins will want to watch for various file types coming as attachments and, most importantly, to establish global group policies that disable certain risky features in Office (i.e. macros, OLE objects) that prevent social engineered users from making bad choices.

Locky - like any other malware - can also be mitigated in different ways, for example by blocking access to its command and control center, or simply based on its encrypting behavior. A layered defense is a strong security posture to deal with a threat that can come in different disguises.

Read the full digest on Malwarebytes Labs here.

Jérôme Segura is a senior security researcher at Malwarebytes Labs where his duties range fromstudying web exploits to tracking down online scammers. He spent over five years cleaning malware offpersonal computers using existing tools and writing his own ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Malwarebytes protects businesses against malicious threats that escape detection by traditional antivirus solutions. Malwarebytes Anti-Malware, the companys flagship product, has a highly advanced heuristic detection engine that has removed more than five billion malicious threats from computers worldwide. SMBs and enterprise businesses worldwide trust Malwarebytes to protect their data. Founded in 2008, the company is headquartered in California with offices in Europe, and a global team of researchers and experts. For more information, please visit us at www.malwarebytes.com/business.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-0291
PUBLISHED: 2018-06-20
A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly. The vulnerability is due to improper validation of SNMP protocol ...
CVE-2018-0292
PUBLISHED: 2018-06-20
A vulnerability in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in ...
CVE-2018-0293
PUBLISHED: 2018-06-20
A vulnerability in role-based access control (RBAC) for Cisco NX-OS Software could allow an authenticated, remote attacker to execute CLI commands that should be restricted for a nonadministrative user. The attacker would have to possess valid user credentials for the device. The vulnerability is du...
CVE-2018-0294
PUBLISHED: 2018-06-20
A vulnerability in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to configure an unauthorized administrator account for an affected device. The vulnerability exists because the affected software does not properly delete sensitive...
CVE-2018-0295
PUBLISHED: 2018-06-20
A vulnerability in the Border Gateway Protocol (BGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the device unexpectedly reloading. The vulnerability is due to incomplete input validation of the BGP update...