Locky Ransomware Spreading Out
UPDATE: Sept. 6: The BluVector Threat Team obtained the malicious Word document from VirusTotal (.docx – md5: 97414e16331df438b2d7da0dad75a8d5) and ran it through BluVector. BluVector identified it as malicious with a confidence of 0.99999.
What Is It?
A new variant of the Locky ransomware family was recently the payload of a large malicious spam campaign, according to ZDNet, with estimates as high as 23 million emails sent within a 24-hour timeframe.
As is most often the case with ransomware, the initial infection vector enters a network via social engineering. In this case, the lure is a malicious Visual Basic Script (VBS) file inside a zip archive. If the user opens the VBS file, it downloads the ransomware, which currently demands 0.5 bitcoin as the ransom payment.
Recent Locky campaigns also deliver the ransomware through a malicious Word document. Unlike past attacks, this variant uses a macro that does not execute until the document is closed, which is likely an attempt by the attackers to evade automated and sandboxed analysis.
How does it propagate?
The malware is spread via large-scale spam campaigns containing malicious attachments, so end users must be convinced to open them. This is the most common infection vector for ransomware. Unlike the recent NotPetya and similar ransomware, the malware has no capability to self-propagate.
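As an added illustration, not BluVector's own detection logic, here is a minimal static triage of mail attachments for the two lures described above: a zip archive carrying a script dropper, and a Word document carrying a VBA project. Because the check looks for the presence of a macro rather than for what triggers it, a macro that only fires on document close is still flagged. The attachment names and bytes are constructed samples, not real Locky artifacts.

```python
import io
import zipfile

# Script extensions commonly used as first-stage droppers inside zip lures.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
# Office Open XML archives store VBA macros in this member (Word documents).
MACRO_PART = "word/vbaProject.bin"


def triage_attachment(name, data):
    """Return a list of findings for one attachment (filename, raw bytes).
    An empty list means none of the checks matched."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip/OOXML container; outside this check's scope
    for member in zf.namelist():
        # Locky's zip lure: a script file that downloads the payload when run.
        # Checked by content, not attachment extension, since lures get renamed.
        if member.lower().endswith(SCRIPT_EXTS):
            findings.append(f"zip contains script dropper: {member}")
        # Word lure: the document carries a VBA project. The trigger
        # (e.g. a close-time macro) is not inspected; presence is enough.
        if member == MACRO_PART:
            findings.append(f"Office document carries a VBA project: {member}")
    return findings


def _zip_bytes(members):
    """Build an in-memory zip from a {member_name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples (placeholder bytes; not real malware).
SAMPLES = {
    "invoice_12345.zip": _zip_bytes({"invoice_12345.vbs": b"' placeholder\r\n"}),
    "E_2017_09_01.docm": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>",
                                     MACRO_PART: b"placeholder vba project"}),
    "report.docx": _zip_bytes({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>"}),
    "photo.jpg": b"\xff\xd8\xff\xe0 placeholder image bytes",
}


def triage_all(samples=SAMPLES):
    """Run the triage over every sample and map name -> findings."""
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["no findings"])
```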
Does BluVector detect it?
The BluVector Threat Team obtained three malicious Word documents carrying the new Locky ransomware and ran them through BluVector's machine learning detection. All three were identified as malicious.
Samples of the Word and PDF documents used by the so-called "diablo6" and "lukitus" Locky variants (named for the file extension they place on encrypted files) were also detected by BluVector, as were the associated Locky executable files; ClamAV detected them as well.
BluVector has a strong record of success in detecting new ransomware variants, including Locky.