The operators of the system-crippling ransomware dubbed Locky have been working diligently to evade security controls and increase its infection rate, and have now altered the ransomware’s code in support of that goal.
This infamous family of ransomware was introduced roughly two months ago and has spread like wildfire at a rate of 4,000 new infections per hour, making Locky one of the largest ransomware threats today. While the ransomware has mainly been targeting users in France and Germany, it has been spotted in over 100 different countries worldwide. The group behind this ransomware epidemic is said to be the one behind Dridex, since Locky employs the same infection techniques and was distributed by the Dridex botnet.
Researchers recently found that Locky began showing code modifications that prevent security researchers from monitoring its activities, leading many to believe the latest Locky variant is much more efficient at evading detection.
Two months ago, Locky was found to be spreading by tricking users into opening a Word document sent to them through Microsoft 365 or Outlook, with the attached file disguised as a company invoice. Victims who enabled macros triggered the download of a malicious executable that encrypted all files on the compromised system, including files on the network.
But the ransomware is no longer being distributed through malicious macros in documents attached to spam emails. Instead, the attackers are using the Nuclear Exploit Kit to infect users, making the infection process more efficient now that the ransomware is no longer blocked by email filtering or other security inspections. Researchers have also noted that the ransomware’s embedded configuration block is now obfuscated and placed in a fake .reloc section in the file’s overlay. The configuration is de-obfuscated at run time, making this data completely volatile, since it only exists in memory.
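As an added example (not Check Point’s analysis or this article’s own code), here is a triage heuristic a defender might use to spot the trick described above: walk the PE32 headers and flag a .reloc section that the base-relocation data directory does not reference, that sits at the tail of the file like an overlay, and whose bytes have high entropy. The PE fixture is constructed inline, and the 6.0 bits-per-byte threshold is an assumption, not a value from the report.

```python
import math
import struct

BASERELOC_DIR = 5  # index of the base relocation entry in the optional header's data directories

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; an obfuscated blob sits close to 8.0, a real relocation table far below."""
    freqs = (data.count(b) / len(data) for b in set(data))
    return -sum(p * math.log2(p) for p in freqs) if data else 0.0

def pe_sections(pe: bytes):
    """Minimal PE32 header walk: returns (reloc_dir_rva, reloc_dir_size, sections)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    n_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    opt = coff + 20
    dir_rva, dir_size = struct.unpack_from("<II", pe, opt + 96 + 8 * BASERELOC_DIR)
    hdrs = (struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(n_sections))
    sections = [{"name": n.rstrip(b"\0").decode(), "va": va, "raw_ptr": p, "raw_size": sz,
                 "data": pe[p:p + sz]} for n, _vs, va, sz, p in hdrs]
    return dir_rva, dir_size, sections

def find_fake_reloc(pe: bytes):
    """Return the .reloc section if it is unreferenced, trails the file like an overlay and looks obfuscated."""
    dir_rva, dir_size, sections = pe_sections(pe)
    for s in (x for x in sections if x["name"] == ".reloc"):
        others_end = max((o["raw_ptr"] + o["raw_size"] for o in sections if o is not s), default=0)
        unreferenced = dir_size == 0 or dir_rva != s["va"]
        in_overlay = s["raw_ptr"] >= others_end and s["raw_ptr"] + s["raw_size"] == len(pe)
        if unreferenced and in_overlay and shannon_entropy(s["data"]) > 6.0:  # threshold is an assumption
            return s
    return None

def build_sample_pe(fake: bool) -> bytes:
    """Constructed PE32 fixture (not a real binary); fake=True mimics the variant: empty reloc directory, high-entropy tail."""
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * 2  # DOS header + signature + COFF + optional header + 2 section headers
    text = b"\xc3" * 0x200
    reloc = bytes(range(256)) * 2 if fake else struct.pack("<II", 0x1000, 8) + b"\0" * 0x1F8
    opt = bytearray(224)
    struct.pack_into("<H90xI", opt, 0, 0x10B, 16)  # PE32 magic at 0, NumberOfRvaAndSizes at 92
    if not fake:
        struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x2000, 8)  # genuine table lives in .reloc
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
            + struct.pack("<HH12xHH", 0x14C, 2, 224, 0x102) + bytes(opt)
            + struct.pack("<8sIIII16x", b".text", len(text), 0x1000, len(text), hdr_len)
            + struct.pack("<8sIIII16x", b".reloc", len(reloc), 0x2000, len(reloc), hdr_len + len(text))
            + text + reloc)
```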
Another daunting change found in this new Locky variant is that the ransomware attempts to place a shadow copy of itself in a newly allocated memory area, allowing the malware to evade common sandboxes and memory detections.
This malware once saved its configuration data under a fixed registry key, but the new variant uses random registry keys to save the unique computer ID, public key, and payment text. As a result, detection by looking for the registry key alone is no longer possible, rendering the previous vaccine for the ransomware ineffective. The new variant also changes its communication patterns, including new HTTP headers and new behavior.
According to Check Point, the security industry’s rapid and effective reaction to the ransomware prevented the original variant from reaching its full potential. However, given the recent changes, the new variant could achieve a much higher infection rate than what we’ve seen so far.
Fighting malware variants has always been a daunting task for organizations, but that doesn’t make it unmanageable. Organizations that adopt a layered approach to security and employ security solutions such as File Integrity Monitoring, Change and Configuration Management, Continuous Compliance, System Hardening & Vulnerability Management and Breach Detection will be best protected against today’s ever-evolving threat landscape.