Ransomware Now Part Of Massive Spam Attack

Researchers are tracking a massive spam campaign pelting inboxes with Locky ransomware downloaders in the form of JavaScript attachments. The huge spike, reported by security firm Trustwave, represents an extraordinary uptick in the attempted distribution of the Locky ransomware.

Trustwave said that over the last seven days, malware-laced spam has represented 18 percent of total spam collected in its honeypots, whereas malware-laced spam typically represents less than 2 percent of total spam. The recent increase to 18 percent is almost entirely traced to ransomware JavaScript downloaders. Campaigns aren’t continuous, Trustwave reported, but are delivered in hour-long bursts.

The intense spam campaigns signal a new attack strategy for those behind Locky ransomware. The threat vector itself, spam email, is not new at all. “The sheer volume and high influx of Locky ransomware spam over the past weeks is what makes it noteworthy,” said Rodel Mendrez, a security researcher with Trustwave, in an email exchange with Threatpost.

The campaigns, Trustwave said, originate from the same botnet that previously spammed out documents with malicious macros which downloaded the Dridex banking trojan.

“The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware – ransomware,” wrote Mendrez in a security bulletin posted to the company’s SpiderLabs research blog. “It’s the same botnet, different day, and different payload,” Mendrez wrote.

In the case of the Dridex banking malware, victims received an email attachment disguised as an invoice that was actually a document-based macro attack.

This most recent Locky ransomware spam campaign includes a JavaScript attachment that downloads Locky ransomware. There is no vulnerability that Locky is taking advantage of, Mendrez said. “It uses social engineering and takes advantage of human gullibility to infect systems. Even the up-to-date systems are not protected,” he said.

Trustwave said the typical spam message carries an invoice-related subject line. If the recipient downloads and opens the JavaScript attachment, the downloader fetches Locky, which looks for a list of file extensions on the PC’s hard drive and encrypts the matching documents. Ransom notes are dropped in every folder containing encrypted files, and the desktop background is replaced with a ransom note image that reads: “All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.”

A unique webpage is generated for each victim that can only be reached through the Tor anonymous browser, Trustwave reports. This page contains bitcoin payment instructions through which the victim can pay for a decrypter tool.

Trustwave recommends that admins bolster their spam defenses by blocking the Locky spam at the email gateway, filtering out inbound email that carries .js attachments or Office documents containing macros.
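One way to implement that gateway check, as an added example (not Trustwave’s or Threatpost’s code): a Python filter that parses a raw message, flags .js attachments and Office documents that carry a VBA project, and is run here against constructed sample messages rather than real campaign files. The extra script-host extensions (.jse, .wsf, .vbs), the OOXML vbaProject.bin members and the crude OLE stream-name markers are assumptions that go beyond what the page states.

```python
"""Gateway-style attachment filter for the two types Trustwave recommends
blocking: .js attachments and Office documents carrying VBA macros.
Added example for this page; not Trustwave's or Threatpost's code."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# The page names only .js; the other script-host extensions are assumed here.
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs"}
# Zip members that mark a VBA project in OOXML files (docm/xlsm/pptm, or a
# renamed docx). Assumed marker list, not from the page.
OOXML_VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# Legacy binary Office (OLE compound file) magic and UTF-16LE stream names
# that a VBA project leaves behind. Crude but dependency-free (assumption).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKERS = [n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros")]


def has_macros(data: bytes) -> bool:
    """True if the bytes look like an Office document with an embedded VBA project."""
    if data.startswith(b"PK"):  # OOXML is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return bool(set(zf.namelist()) & OOXML_VBA_MEMBERS)
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):  # legacy .doc/.xls
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def classify_attachment(filename: str, data: bytes) -> Optional[str]:
    """Return a block reason for a suspicious attachment, or None if allowed.
    The extension is taken from the last dot, so 'invoice.pdf.js' is still .js."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in SCRIPT_EXTS:
        return f"script attachment ({ext})"
    if has_macros(data):
        return "Office document with VBA macros"
    return None


def scan_message(raw: bytes) -> List[str]:
    """Parse a raw RFC 5322 message and return a block reason per bad attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, payload)
        if reason:
            reasons.append(f"{name}: {reason}")
    return reasons


def _ooxml(with_vba: bool) -> bytes:
    """Build a minimal constructed OOXML container (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _message(subject: str, filename: str, data: bytes, subtype: str) -> bytes:
    """Build a constructed invoice-themed message with one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_messages() -> Dict[str, bytes]:
    """Constructed samples: a Locky-style .js lure, a Dridex-style macro
    document, and a clean document. None of these are real campaign files."""
    return {
        "js": _message("Invoice INV-20160310", "invoice_9283.js",
                       b"var o = new ActiveXObject('MSXML2.XMLHTTP');", "javascript"),
        "docm": _message("Invoice", "invoice_4411.docm", _ooxml(True),
                         "vnd.ms-word.document.macroEnabled.12"),
        "clean": _message("Invoice", "invoice_0001.docx", _ooxml(False),
                          "vnd.openxmlformats-officedocument.wordprocessingml.document"),
    }


if __name__ == "__main__":
    for label, raw in build_sample_messages().items():
        print(label, scan_message(raw) or "allowed")
```

The filter keys on the attachment's real extension and container contents rather than on the declared MIME type, because the sender controls both the Content-Type and the display name; a clean .docx passes while a macro-enabled document is rejected whatever it is called. At a real gateway the OLE check should be replaced by a proper compound-file parser such as olefile, since matching stream names in raw bytes can miss or misfire.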

See more at: Locky Ransomware Spreading in Massive Spam Attack https://wp.me/p3AjUX-umH

by March 10, 2016, 5:29 pm

