It seems that each time the information security community is ready to declare the Locky ransomware dead and gone, phishing threat actors launch new campaigns with new characteristics.
Locky’s presence on the threat landscape dates back to February 2016, when this malware formalized and matured the ransomware business model in phishing emails. Coupled with a tenacious distribution strategy, Locky dominated the phishing markets throughout 2016. Since early 2017, its presence has been far more tepid. That subdued presence and the intermittent distributions led to rumors that Locky was a thing of the past, so many people were surprised when new Locky distributions took place. However, it is clear that despite a smaller degree of tenacity in deployment, the criminals using the Locky ransomware still see benefit from its use, and incremental changes in behavior indicate that these criminals are investing in its future use as well.
The most recent iterations of Locky distributions have replayed some of the simplest techniques for this malware’s distribution in phishing emails. The lures used in these phishing emails make vague references to document delivery, unpaid invoices, received voice mails, or receipts for payments, all examples of content used prolifically in the distribution of ransomware and other malware tools. Some standout examples demonstrate the compelling, yet vague messaging used to deliver this destructive malware.
Figure 1 – Locky phishing emails leverage vague, yet compelling narratives
While attackers continue to use similar phishing emails, the most recent Locky binaries demonstrate that small, incremental changes to the malware’s behavior are being implemented. These changes are mostly superficial but serve to break from expected norms in small ways. The first change, and likely the one to garner the most attention, was the use of two new file extensions applied to files encrypted by the ransomware. Previous iterations of Locky deployments have used extensions ranging from the sensible “.locky” to the more esoteric “.osiris”, “.odin”, and “.aesir” extensions.
In the past two weeks, two new, distinctive extensions have been used. The first, “.diablo6”, evokes a more intimidating ethos for the ransomware. Other samples use “.lukitus”, likely evoking the Finnish word for “locking.” Additionally, a more significant modification comes in the command and control callback resources leveraged by the ransomware to report new infections.
One of the simplest techniques for identifying a malware variety and its communications is to match suspicious traffic to known resource paths used by that malware. For many Locky samples in 2017, command and control resources could be identified by the presence of a “/checkupdate” callback URI path. However, in recent samples that apply the “.lukitus” encrypted file extension, this path has been replaced by a “/imageload.cgi” resource path. For very tightly-tuned detection schemes, this change could result in the newer samples being categorized incorrectly, because it represents a departure from the established norm for this malware.
[Table: Locky “.diablo6” sample check-in URLs]
[Table: Locky “.lukitus” sample check-in URLs]
Figure 2 – Small changes to command and control callback destination
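The detection approach described above, matching the URI path of proxied requests against known Locky callback resource paths, can be shown with a small script. This is an added example and not code from the original post or its author; the two resource paths come from the post, while the log format, the client addresses and the placeholder hostnames are constructed for illustration. The script also shows the gap the post warns about: a rule tuned only to “/checkupdate” misses the newer “/imageload.cgi” check-in until the path list is updated.

```python
"""Match proxy log URI paths against known Locky check-in resource paths."""
from urllib.parse import urlsplit

# Known Locky command-and-control callback paths named in the post.
LOCKY_CALLBACK_PATHS = {
    "/checkupdate": "Locky 2017 check-in path",
    "/imageload.cgi": "Locky check-in path seen with .lukitus samples",
}

# Constructed proxy log lines for illustration; hostnames are placeholders.
# Fields: timestamp, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
2017-08-10T10:12:01Z 10.0.0.15 POST http://c2-placeholder-a.invalid/checkupdate 200
2017-08-10T10:12:07Z 10.0.0.15 GET http://cdn-placeholder.invalid/images/logo.png 200
2017-08-17T14:03:22Z 10.0.0.22 POST http://c2-placeholder-b.invalid/imageload.cgi 200
2017-08-17T14:03:30Z 10.0.0.31 GET http://intranet-placeholder.invalid/checkupdates 200
"""


def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": status}


def uri_path(url):
    """Return only the path component so a query string cannot defeat the match."""
    return urlsplit(url).path


def find_callbacks(log_text, known_paths):
    """Return (src, path, label) for every line whose exact path is a known callback.

    Exact path comparison is deliberate: "/checkupdates" (with a trailing "s")
    is not treated as a hit, which keeps substring-style false positives out.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = uri_path(rec["url"])
        if path in known_paths:
            hits.append((rec["src"], path, known_paths[path]))
    return hits


def flagged_hosts(log_text, known_paths):
    """Set of client addresses that contacted at least one known callback path."""
    return {src for src, _, _ in find_callbacks(log_text, known_paths)}


if __name__ == "__main__":
    # A rule tuned only to the 2017 path misses the newer .lukitus check-in.
    narrow_rule = {"/checkupdate": "Locky 2017 check-in path"}
    print("narrow rule flags: ", sorted(flagged_hosts(SAMPLE_LOG, narrow_rule)))
    print("updated rule flags:", sorted(flagged_hosts(SAMPLE_LOG, LOCKY_CALLBACK_PATHS)))
    for src, path, label in find_callbacks(SAMPLE_LOG, LOCKY_CALLBACK_PATHS):
        print(f"{src} -> {path} ({label})")
```

Running the script flags only the first client under the narrow rule and both callback clients once “/imageload.cgi” is added, while the benign “/checkupdates” request is never matched. In practice the path list would be one signal among several (destination reputation, request timing, the encrypted-file extensions mentioned above) rather than the sole verdict.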
Despite the numerous stories about Locky “comebacks,” each additional return to prominence serves as a reminder that the Locky ransomware and the business model it supports are a valuable monetary strategy for threat actors. As a result, it is unlikely that Locky will be fully unseated as a premier ransomware tool until a truly superior replacement emerges. Until then, it is imperative that network defenders and information security professionals continue to leverage intelligence on the behavior, techniques, and modifications exhibited by criminals deploying the Locky ransomware.