Locky, one of the first and most resilient ‘mass distribution’ ransomware families has roared back after a brief break. Throughout August, Locky campaigns have filled our inboxes with fraudulent invoices that need paying, images that need opening, and voicemails that need listening. These recent campaigns are notable not only for their volume, but the multiple delivery methods within a single distribution run. On August 17, Locky arrived en masse with three different infection methods that all led to Locky’s Lukitus variant. While infection vectors frequently change from run to run, intra-campaign shuffling is extremely rare.
Our feed on the day of the run, all received within a second, all different, and all Locky
Locky – Macro’d in a Doc base
The first, and most fleshed out lure in this Locky run came in the form of a Microsoft Word document with malicious macros. The potential victim received a poorly worded email urging them to open the attachment to clear up “invoices outstanding.”
Figure 1: Screen shot of lure email
If opened, the victim finds a completely blank document and a request to enable macros. The macro then reaches out to a site hosting the second stage payload, downloads it, and executes on the victim’s machine.
Figure 2: VirusTotal detections of macro-dropped Locky executable
Locky – RAR Reduction
Next, in order of Lure complexity, the threat actors served up a VBS script compressed in a RAR file and attached to a short email, labeling it a “Voice Message.”
Figure 3: Body of lure email with attached RAR
The RAR, predictably, does not contain a voice message or even an audio file, but a Visual Basic script. When the script is opened it reaches out to an infected website hosting the second stage payload. In this case, Zilipendwaradio.org, a site which at one time would presumably broadcast Tanzanian Swahili language songs from the 60s and 70s.
Figure 4: Link to compromised website inside VB Script
This executable then completes the malicious encryption and leaves you with a computer filled with files ending in “.lukitus” and filled with gibberish.
Figure 5: VirusTotal detections of VBScript delivered executable
Figure 6: VirusTotal detections of JS delivered Locky
So three different lure email patterns, three different attachment types, and three different executables all lead to one screen.
Figure 7: Locky variant ‘Lukitus’ dropped ransom note
None of the three infection vectors were novel. In fact, zipped scripts and Office document macros are the most prevalent methods of email-based malicious payload delivery. There are several possible explanations for the unusual activity. The threat actors may have been experimenting with delivery methods to find what resulted in the most successful encryptions or using the multiple file types to overwhelm researchers and responders with indicators of compromise. Either way, this multiple method attack has not been repeated this month as Locky appears to have settled on compressed VBScripts as the preferred infection vector.
Interested in a deep-dive on ransomware? Watch the recorded webcast The Ransomware Explosion.