Light Dark
April 6, 2016 By Larry Loeb 2 min read

The Locky ransomware has historically spread via malicious macros attached to spam emails. That method seems poised to change drastically.

First observed in mid-February, Locky needed only two weeks to become, according to SecurityWeek, the second most popular ransomware, accounting for 16.47 percent of all ransomware attacks. CryptoWall was the top ransomware with 83.45 percent of the total 18.6 million hits collected between Feb. 17 and Mar. 2.

Changes Emerge for the Locky Variant

Trustwave’s Rodel Mendrez reported that a massive spam campaign with 4 million messages was noticed in early March. It was being mounted by a Dridex botnet, sending up to 200,000 messages an hour.

The initial malware changed from an Office macro to a JavaScript attachment in an attempt to evade detection. Not only that, but the payload the malware downloaded from a command-and-control (C&C) server changed: The JavaScript-based malware was downloading the Locky ransomware.

Check Point Software noticed that things recently changed yet again. A new Locky variant showed a change in the communication patterns it used. Content-Type and User-Agent were included right after the POST header in requests to the C&C server. This means that the host relative position is no longer directly after the POST header.

It Doesn’t Stop There

Trustwave also found that another Locky variant was included in the Nuclear exploit kit (EK) with additional communication changes. After the downloader dropped by the EK sent a request to the C&C server, it responded with the Locky variant. This included a new method of getting the encryption keys from the C&C server.

Spreading the malware via both spam campaigns and EKs increased the odds of successful infections. The changes in communication and methods of encoding the downloader are being done to avoid signature-based detection methods.

Check Point researchers showed 10 different Locky downloader variants. Each tried to avoid detection by hiding the Locky payload in different file types. Meanwhile, the spam that contained the poisoned links would usually claim to be an invoice attachment.

There have been attempts to create a malware vaccine, but not opening unknown links in messages may be the most effective prevention available.

 |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

December 23, 2024

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature