The latest system-crippling ransomware, dubbed Locky, has been working diligently to evade security controls and increase its infection rate, and its operators have successfully reworked the ransomware's code to support that mission.

This infamous ransomware family was introduced roughly two months ago and has spread like wildfire at a rate of 4,000 new infections per hour, making Locky one of the largest ransomware threats today. While the ransomware has mainly targeted users in France and Germany, it has been spotted in over 100 countries worldwide. The group behind this ransomware epidemic is said to be Dridex, since it employs the same infection techniques and was distributed by the Dridex botnet.

Researchers recently found that Locky's code has been modified in ways that prevent security researchers from monitoring its activities, leading many to believe the latest Locky variant is far better at evading detection.

Two months ago, Locky was found to be spreading by tricking users into opening a Word document sent to them through Microsoft 365 or Outlook, with the attached file disguised as a company invoice. Victims would then enable macros, which downloaded a malicious executable that encrypted all files on the compromised system, including those reachable over the network.

But the ransomware is no longer distributed through malicious macros in documents attached to spam emails. Instead, the attackers are using the Nuclear Exploit Kit to infect users, making the infection process more efficient because the ransomware is no longer blocked by email filtering or security inspection. Researchers have also noted that the ransomware's embedded configuration block is now obfuscated and placed in a fake .reloc section in the file's overlay. The configuration is de-obfuscated at run time, making this data completely volatile: it exists only in memory.
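As an added illustration (not code from the article or from Check Point), the following Python heuristic follows the overlay observation above from a defender's side: it parses the PE section table, isolates the overlay (bytes past every section's raw data), and flags a high-entropy overlay as a candidate obfuscated appended block. The minimal PE it scans is constructed inline, and the 7.0 bits-per-byte threshold is an assumption, not a value from the article.

```python
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def parse_sections(data):
    """Return (name, PointerToRawData, SizeOfRawData) for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    first = coff + 20 + opt_size                                # section table start
    out = []
    for i in range(num_sections):
        name, _, _, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(data, first + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out

def shannon_entropy(buf):
    """Bits per byte: obfuscated or encrypted data sits near 8.0, plain text nearer 4-5."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def overlay_report(data, entropy_threshold=7.0):
    """Isolate the overlay (bytes past every section's raw data); threshold is an assumption."""
    sections = parse_sections(data)
    end = max((ptr + size for _, ptr, size in sections), default=0)
    overlay = data[end:]
    ent = shannon_entropy(overlay)
    return {"last_section": sections[-1][0] if sections else None,
            "overlay_size": len(overlay), "overlay_entropy": round(ent, 2),
            "suspicious": bool(overlay) and ent >= entropy_threshold}

def build_sample_pe(overlay):
    """Constructed minimal PE (no optional header): .text, .reloc, then the given overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)     # i386, 2 sections
    raw = 64 + 4 + 20 + 2 * 40                                      # first raw byte = 168
    hdrs = SECTION_HDR.pack(b".text", 16, 0x1000, 16, raw, 0, 0, 0, 0, 0x60000020)
    hdrs += SECTION_HDR.pack(b".reloc", 8, 0x2000, 8, raw + 16, 0, 0, 0, 0, 0x42000040)
    return dos + b"PE\0\0" + coff + hdrs + b"\x90" * 16 + b"\0" * 8 + overlay
```

A clean build has no overlay at all, so any overlay is worth a look; the entropy score separates appended plain data (certificates, installer payloads with readable structure) from an obfuscated blob.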

Another daunting change in this new Locky variant is that the ransomware attempts to place a shadow copy of itself in a newly allocated memory area, allowing the malware to evade common sandboxes and memory-based detections.

This malware once saved its configuration data in a fixed registry key, but the new variant uses random registry keys to store the unique computer ID, the public key, and the payment text. As a result, detection is no longer possible by looking only for the registry key, and the previous vaccine for the ransomware is no longer effective. The new variant also changes its communication patterns, including new HTTP headers and new behavior.

According to Check Point, the security industry’s rapid and effective reaction to the ransomware prevented the original variant from reaching its full potential. However, given the recent changes, the new variant could achieve a much higher infection rate than what we’ve seen so far.

Fighting malware variants has always been a daunting task for organizations, but that doesn't make it unmanageable. Organizations that adopt a layered approach to security and employ security solutions such as File Integrity Monitoring, Change and Configuration Management, Continuous Compliance, System Hardening & Vulnerability Management and Breach Detection will be best protected against today's ever-evolving threat landscape.


Read this article on Security Week




