Light Dark
April 6, 2016 By Larry Loeb 2 min read

The Locky ransomware has historically spread via malicious macros attached to spam emails. That method seems poised to change drastically.

First observed in mid-February, Locky needed only two weeks to become, according to SecurityWeek, the second most popular ransomware, accounting for 16.47 percent of all ransomware attacks. CryptoWall was the top ransomware with 83.45 percent of the total 18.6 million hits collected between Feb. 17 and Mar. 2.

Changes Emerge for the Locky Variant

Trustwave’s Rodel Mendrez reported that a massive spam campaign with 4 million messages was noticed in early March. It was being mounted by a Dridex botnet, sending up to 200,000 messages an hour.

The initial malware changed from an Office macro to a JavaScript attachment in an attempt to evade detection. Not only that, but the payload the malware downloaded from a command-and-control (C&C) server changed: The JavaScript-based malware was downloading the Locky ransomware.

Check Point Software noticed that things recently changed yet again. A new Locky variant showed a change in the communication patterns it used. Content-Type and User-Agent were included right after the POST header in requests to the C&C server. This means that the host relative position is no longer directly after the POST header.

It Doesn’t Stop There

Trustwave also found that another Locky variant was included in the Nuclear exploit kit (EK) with additional communication changes. After the downloader dropped by the EK sent a request to the C&C server, it responded with the Locky variant. This included a new method of getting the encryption keys from the C&C server.

Spreading the malware via both spam campaigns and EKs increased the odds of successful infections. The changes in communication and methods of encoding the downloader are being done to avoid signature-based detection methods.

Check Point researchers showed 10 different Locky downloader variants. Each tried to avoid detection by hiding the Locky payload in different file types. Meanwhile, the spam that contained the poisoned links would usually claim to be an invoice attachment.

There have been attempts to create a malware vaccine, but not opening unknown links in messages may be the most effective prevention available.

 |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

January 30, 2025

When ransomware kills: Attacks on healthcare facilities

4 min read - As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during…

January 29, 2025

AI and cloud vulnerabilities aren’t the only threats facing CISOs today

6 min read - With cloud infrastructure and, more recently, artificial intelligence (AI) systems becoming prime targets for attackers, security leaders are laser-focused on defending these high-profile areas. They’re right to do so, too, as cyber criminals turn to new and emerging technologies to launch and scale ever more sophisticated attacks.However, this heightened attention to emerging threats makes it easy to overlook traditional attack vectors, such as human-driven social engineering and vulnerabilities in physical security.As adversaries exploit an ever-wider range of potential entry points…

January 28, 2025

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature