A new crypto-ransomware type was recently discovered using an uncommon distribution method. Dubbed “Locky”, the ransomware variant infiltrates systems through a malicious macro embedded in a Word document. While ransomware that relies on macros has rarely been seen, the distribution technique could be linked to the notorious banking malware DRIDEX, which uses similar methods.
Locky gets into victims' systems through an email masquerading as an invoice, with an attached Word document laced with malicious macros. According to researchers, the subject line of the email reads “ATTN: Invoice J-98223146”, and the body says: "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice."
Given their dangerous nature, macros are disabled by Microsoft by default. Enabling macros, as Microsoft's security bulletin notes, “makes your computer vulnerable to potentially malicious code and is not recommended.” When macros are enabled and the downloaded document is opened, installation of the malware begins. Otherwise, the unknowing victim sees lines of incomprehensible text that advise the user to “Enable macro if the data encoding is incorrect”.
Locky's malware executable is downloaded from a web server. Once installed, it begins looking for attached drives (including networked drives) and encrypts files such as documents, images, music, videos, archives, databases, and other web application-related files. Encrypted files are renamed with a “.locky” extension appended. Much like other ransomware variants, a ransom note in varying languages is left in every directory that has been encrypted. The note directs victims to a site on the Tor network to make payment in Bitcoins (0.5 BTC).
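The renaming behaviour described above gives responders a simple way to scope an infection: count the files carrying the appended “.locky” extension in each directory of a local or mapped drive. The script below is an added example written for this article, not code from the article's authors or from Trend Micro; the directory layout it scans is constructed inline for demonstration, and the ransom note's file name is not given in the article, so the scan keys only on the extension.

```python
"""Scope a Locky-style infection by locating files renamed with ".locky".

Added example (not from the original article). It walks a directory tree,
counts files whose names end in ".locky" per directory, and summarizes how
many directories and files were touched. The sample tree is constructed.
"""
import os
import tempfile
from collections import Counter

# Extension the article says Locky appends to every encrypted file.
LOCKY_EXT = ".locky"


def scan_for_locky(root):
    """Return {directory: number of .locky files} for every directory under
    root that holds at least one such file (absolute paths)."""
    hits = Counter()
    for dirpath, _dirs, files in os.walk(root):
        count = sum(1 for name in files if name.lower().endswith(LOCKY_EXT))
        if count:
            hits[dirpath] = count
    return dict(hits)


def summarize(hits):
    """Collapse a scan result into totals for an incident report."""
    return {"directories": len(hits), "files": sum(hits.values())}


def build_sample_tree(base):
    """Constructed sample: two affected directories and one untouched one."""
    layout = {
        "docs": ["report.docx.locky", "budget.xlsx.locky", "readme.txt"],
        os.path.join("docs", "photos"): ["holiday.jpg.locky"],
        "clean": ["notes.txt"],
    }
    for rel, names in layout.items():
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("placeholder content\n")  # content is irrelevant here
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the hits
    keyed by path relative to the tree root (forward slashes for portability)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_for_locky(tmp)
        return {
            os.path.relpath(d, tmp).replace(os.sep, "/"): n
            for d, n in hits.items()
        }


if __name__ == "__main__":
    result = run_demo()
    for directory, count in sorted(result.items()):
        print(f"{count:3d} encrypted file(s) in {directory}")
    print(summarize(result))
```

Pointing `scan_for_locky` at a mapped network share gives the same per-directory picture the article describes for networked drives, which is useful both for confirming the extent of encryption and for deciding which backups need restoring.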
Researchers at Palo Alto Networks have recorded 446,000 sessions involving this new ransomware, over half of which (54%) were detected to have affected victims in the United States. Trend Micro detects this ransomware variant as RANSOM_LOCKY.A. In addition to the United States, it has been seen globally, including in countries such as Japan, Germany, France, Italy, the United Kingdom, Mexico, Spain, Israel, and India.
Closer analysis by our researchers also shows that, aside from sharing the same macro downloaders, there appear to be similarities in how the DRIDEX and Locky macro downloaders are coded. Both use the same file name (ladybi.exe) when dropped onto the system.
Further, our researchers have come across a link between Locky and other crypto-ransomware variants: Locky, CRYPTESLA, and CRILOCK are packed by the same packer. This could mean either that the tool is used by the same distributor, or that the packer is readily available and accessible to different ransomware authors.
Ransomware infections remain a crippling and highly effective attack form used to extort huge profits from targeted victims. One of the most notable incidents is the highly publicized ransomware attack that paralyzed the systems and networks of the Hollywood Presbyterian Medical Center for more than a week. The hospital's administration later admitted to paying a ransom of 40 Bitcoins, or $17,000, to restore the affected systems. Earlier reports pegged the ransom at $3.6 million, a figure HPMC later corrected in an official memo.