The Newest Delivery Method for the Locky Ransomware

Since its introduction in early 2016 and throughout this year, the distribution of the Locky ransomware has been overwhelmingly facilitated by attached script applications written in JScript or Visual Basic. These script applications have been packaged inside an attached archive, such as a Zip or RAR file, sent as part of the email message.

However, some of the most recent Locky distributions have begun delivering these archives through links instead of attachments, using large numbers of distinct URLs. This change marks a substantive shift in the Locky threat actors' techniques and provides them with a number of advantages.

Phishing messages like those in Figure 1 are a good representation of how the distributors of Locky have rolled out this alternate delivery method. Using a personal touch, these messages feature a cheerful salutation and a wish that the recipient enjoys their upcoming weekend. Furthermore, the signature in each example uses a pseudorandom selection of a first name and surname combination to create a plausible persona for the sending party (redacted in the example below).

Figure 1 – Uncharacteristically cheerful Locky phishing messages were a hallmark of recent campaigns

Clicking any of the URLs in emails like the one shown above initiates an HTTP GET request to a simple PHP script. The script redirects the victim's browser to a second location, from which an archive containing the JScript application that delivers Locky is downloaded. This redirection means the link in the email does not reveal the location of the malware delivery tool; it exposes only an intermediate step in the payload provision process, which the threat actor can repoint to a new payload host without changing the URLs already in circulation.

Figure 2 – Simple PHP applications are tasked with redirecting victims to the payload provision URL

One interesting attribute of the infection URLs used in these messages was the threat actors’ adherence to a very specific pattern in their creation. Each one followed a format expressed by the regular expression \/w\/[0-9a-z]{4}\.php. While quite predictable, this format allows for 1,679,616 permutations of infection URL paths, presenting defenders with a volumetric challenge for mitigating each URL individually.

Locky infection URLs from Threat ID 9752
hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php

Figure 3 – High-entropy paths make Locky infection URLs harder to recognize
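The following Python script is an added example, not code from the PhishMe post, showing how a defender would apply the path pattern above to a feed of defanged indicators. It refangs the `hxxp://` and `[.]` notation, parses each URL, and matches the path component against the pattern anchored at both ends (a tightening of the article's unanchored regex, chosen here so that a query string or trailing suffix cannot confuse the match). The first five URLs are the ones quoted above; the `example.test` entries are constructed negatives and edge cases. It also reports the set of hosts involved and the size of the path keyspace, which is why blocking by host rather than by individual URL is the practical response.

```python
import re
from urllib.parse import urlparse

# Path pattern reported in the article: "/w/" + four lowercase alphanumerics + ".php".
# Applied to the parsed path only and anchored at both ends. The anchoring is this
# example's choice, not the article's; the five published samples all sit at the root.
LOCKY_PATH_RE = re.compile(r"^/w/[0-9a-z]{4}\.php$")

# Indicators exactly as quoted in the article (defanged), followed by constructed
# look-alike URLs on a reserved test domain that exercise the edge cases.
SAMPLE_URLS = [
    "hxxp://konferencjaora[.]pl/w/523f.php",
    "hxxp://autonikos[.]pl/w/6dty.php",
    "hxxp://oxfordschoolkotputli[.]com/w/vait.php",
    "hxxp://j3[.]rodolfogn[.]com/w/qn0b.php",
    "hxxp://martinagebhardt[.]hu/w/uol4.php",
    "hxxp://example[.]test/w/523f.php?id=1",   # constructed: query string, still matches
    "hxxp://example[.]test/w/523f.php.bak",    # constructed: trailing suffix, no match
    "hxxp://example[.]test/w/toolong.php",     # constructed: wrong token length, no match
    "hxxp://example[.]test/blog/w/ab12.php",   # constructed: not at the path root, no match
    "hxxp://example[.]test/w/AB12.php",        # constructed: uppercase is outside [0-9a-z]
]


def refang(url: str) -> str:
    """Turn defanged IOC notation (hxxp://, hxxps://, [.]) back into a parseable URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def defang(url: str) -> str:
    """Inverse of refang for reporting: only the scheme and hostname are defanged,
    so the path (including ".php") stays readable, matching the article's style."""
    p = urlparse(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    host = p.netloc.replace(".", "[.]")
    return f"{scheme}://{host}{p.path}" + (f"?{p.query}" if p.query else "")


def is_locky_infection_url(url: str) -> bool:
    """True when the URL's path component follows the /w/xxxx.php pattern."""
    path = urlparse(refang(url)).path
    return LOCKY_PATH_RE.match(path) is not None


def infection_hosts(urls) -> list:
    """Distinct hosts serving pattern-matching URLs. Blocking these is tractable;
    enumerating every possible path on each of them is not."""
    return sorted({urlparse(refang(u)).netloc for u in urls if is_locky_infection_url(u)})


def path_keyspace() -> int:
    """Number of distinct four-character tokens the pattern admits: 36 ** 4."""
    return len("0123456789abcdefghijklmnopqrstuvwxyz") ** 4


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict = "MATCH " if is_locky_infection_url(u) else "ignore"
        print(f"{verdict} {u}")
    print("hosts to block:", infection_hosts(SAMPLE_URLS))
    print("possible paths per host:", path_keyspace())
```

Matching on the parsed path rather than the raw string is deliberate: a proxy or mail-gateway rule that greps the whole URL for `/w/[0-9a-z]{4}\.php` will also fire on a path such as `/blog/w/ab12.php` and will accept `/w/523f.php.bak`, neither of which appears in the observed campaign. The pattern is lowercase-only as published; if later samples use uppercase tokens, `re.IGNORECASE` is the one-line change, at the cost of a larger keyspace.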

Few other malware varieties have launched repeated attacks with the same tenacity and persistence as Locky ransomware. This prolific ransomware variety helped to mold the contemporary ransomware business model and continues, through small iterations and alterations, to pose a significant risk to individuals and enterprises. The use of these infection URLs represents another departure from the established tactics and techniques that have been most commonly used by the Locky threat actors. It also serves as an indication that the distributors of this ransomware are actively seeking new and different ways to deliver their malware tool.
