The latest system-crippling ransomware, dubbed Locky, has been working diligently to evade security controls and increase its infection rate, and its authors have successfully changed characteristics of the ransomware’s code to support that goal.

This infamous family of ransomware was introduced roughly two months ago and has spread like wildfire at a rate of 4,000 new infections per hour, making Locky one of the largest ransomware threats today. While the ransomware has mainly been targeting users in France and Germany, it has been spotted in over 100 different countries worldwide. The group behind this ransomware epidemic is believed to be the one behind Dridex, since Locky employs the same infection techniques and was distributed by the Dridex botnet.

Researchers recently found that Locky began showing code modifications that prevent security researchers from monitoring its activities, leading many to believe the latest Locky variant is much more efficient at evading detection.

Two months ago, Locky was found to be spreading by tricking users into opening a Word document sent to them through Microsoft 365 or through Outlook, with the attached file disguised as a company invoice. Victims would then enable macros, which downloaded a malicious executable that encrypted all files on the compromised system and on the network.

But the ransomware is no longer being distributed through malicious macros in documents attached to spam emails. Instead, the attackers are using the Nuclear Exploit Kit to infect the user, making the infection process more efficient now that the ransomware will no longer be blocked by email security controls or content inspection. Researchers have also noted that the ransomware’s embedded configuration block is now obfuscated and placed in a fake .reloc section at the file’s overlay. The configuration is de-obfuscated at runtime, making this data completely volatile since it only exists in memory.
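A defender-side heuristic for the fake-section trick just described, added here as an example that is not from the article or from the researchers it cites: it parses the PE headers and flags a .reloc section that the base-relocation data directory does not reference, whose first block is not a valid relocation block, or whose content is near-random. The PE layout and byte values in build_sample are constructed purely for illustration and are not malware data.

```python
import math
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte; an obfuscated blob sits near 8.0, a real relocation table far below
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes):
    """Return the base-relocation data directory and (name, vsize, va, rsize, raw) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ directory table
    reloc_dir = struct.unpack_from("<II", pe, dirs + 5 * 8)  # entry 5 = base relocations
    hdr = opt + opt_size
    secs = [struct.unpack_from("<8sIIII", pe, hdr + i * 40) for i in range(nsec)]
    return reloc_dir, [(n.rstrip(b"\0"), *rest) for n, *rest in secs]

def inspect_reloc(pe: bytes) -> dict:
    """Flag a .reloc section that the loader would never consume as relocations."""
    (rva, size), secs = parse_pe(pe)
    for name, vsize, va, rsize, raw in secs:
        if name != b".reloc":
            continue
        blob = pe[raw:raw + rsize]
        blk_va, blk_sz = struct.unpack_from("<II", blob) if len(blob) >= 8 else (0, 0)
        return {
            "unreferenced": size == 0 or not (va <= rva < va + max(vsize, rsize)),
            "malformed_block": blk_sz < 8 or blk_sz > len(blob) or bool(blk_va & 0xFFF),
            "entropy": round(entropy(blob), 2),
        }
    return {}

def build_sample(fake: bool) -> bytes:
    """Constructed minimal PE32 (not malware); fake=True zeroes the reloc directory and puts a high-entropy blob in .reloc."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94
    opt += b"".join(struct.pack("<II", *((0x2000, 12) if i == 5 and not fake else (0, 0))) for i in range(16))
    sh = "<8sIIIIIIHHI"
    opt += struct.pack(sh, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    opt += struct.pack(sh, b".reloc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x42000040)
    reloc = (bytes((i * 131 + 7) % 256 for i in range(0x200)) if fake
             else struct.pack("<II", 0x1000, 12).ljust(0x200, b"\0"))
    return (dos + coff + opt).ljust(0x200, b"\0") + b"\xC3" * 0x200 + reloc
```

Running `inspect_reloc(build_sample(True))` shows all three indicators tripping at once, whereas the benign layout trips none; on real samples, treat any single indicator as a prompt for manual review rather than a verdict.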

Another worrying change found in this new Locky variant is that the ransomware attempts to place a shadow copy of itself in a newly allocated memory region, allowing the malware to evade common sandboxes and memory-based detections.

This malware once saved its configuration data in a fixed registry key, but the new variant uses random registry keys to store the unique computer ID, public key, and payment text. As a result, detection by simply looking for the known registry key is no longer possible, and the previous vaccine for the ransomware is no longer effective. The new variant also employs changes in its communication patterns, including new HTTP headers and new behavior.

According to Check Point, the security industry’s rapid and effective reaction to the ransomware prevented the original variant from reaching its full potential. However, given the recent changes, the new variant could achieve a much higher infection rate than what we’ve seen so far.

Fighting against malware variants has always been a daunting task for organizations, but that doesn’t make it an unmanageable one. Organizations adopting a layered approach to security and employing security solutions like File Integrity Monitoring, Change and Configuration Management, Continuous Compliance, System Hardening & Vulnerability Management and Breach Detection will be best protected from today’s ever-evolving threat landscape.


Read this article on Security Week

Copyright 2024, New Net Technologies LLC. All rights reserved. 