Locky ransomware was a major threat in 2016. The ransomware variant was used in numerous targeted attacks on hospitals last year. However, toward the end of 2016, activity started to dwindle. While Locky ransomware campaigns have been conducted in 2017, they have dropped to next to nothing. The main ransomware threat now comes from Cerber. Cerber ransomware accounts for more than 90% of ransomware attacks in the United States.
However, Locky is far from dead and buried. It has simply been dormant. Now, it is back with a new major campaign. Late last week, researchers at Cisco Talos identified a new campaign involving more than 35,000 emails. Those emails were sent over a period of just a few hours using the Necurs botnet.
The Locky payload itself appears to have changed little from earlier campaigns; what has changed is the delivery method. That change increases the likelihood both of messages reaching end users' inboxes and of the malicious file attachments being opened.
Rather than using Word documents containing malicious macros, the latest campaign uses a different file format: PDF files. Each PDF file contains an embedded Word document. When the PDF file is opened, the user is prompted to open the embedded Word document. Opening that Word document does not by itself result in infection; the chain stops there unless macros are enabled. The user is told that the content of the document is protected and that macros must be enabled to view it. Enabling macros results in Locky being downloaded.
Various email templates are used in the latest Locky campaign. Some messages contain no body text, only an attached PDF file with various subject lines indicating the attached file is a receipt, payment confirmation, or invoice.
Other email templates used in the campaign have body text typically associated with scanned documents, with recipients told the attachment is a scanned document in PDF form.
Over the past few months, Word documents have been extensively used to distribute ransomware. Security awareness training often covers the use of Word documents containing macros, making users less likely to open Word documents from unrecognized senders. Switching to a different file format could result in more end users opening the attachments, since PDF files are more widely trusted.
This method of attack is also likely to bypass some sandboxes that do not allow user interaction: the malicious stage only appears after a user clicks through the PDF prompt to open the embedded Word document and then enables macros, so a sandbox that detonates the attachment without simulating those clicks never observes the download. As Cisco Talos points out, this could result in more emails reaching end users' inboxes. The more emails that get through, the greater the risk that some end users will open the attachments and infect their computers and networks.
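Because the infection chain depends on user interaction, as described above, a static check on the attachment itself complements sandbox detonation: a PDF that carries an embedded Office document, especially one containing a VBA project, can be flagged before anyone clicks. The following is an added example, not code from the original article or from Cisco Talos. It constructs a minimal PDF with an embedded macro-bearing OOXML document (both constructed inline, not real samples) and triages it. The /OpenAction that calls exportDataObject is an assumed way for a PDF to prompt the viewer to open the attachment; the article does not say which mechanism the campaign used. The parser is deliberately simplified (direct /Length, unencoded streams); real mail-gateway tooling should use a proper PDF library and olevba for macro analysis.

```python
import io
import re
import zipfile

# Magic bytes for the two Office container formats a PDF attachment is likely to carry.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm (a zip archive)

# Matches an /EmbeddedFile stream dictionary and captures its direct /Length.
# Simplification: assumes a direct integer /Length and an unencoded stream;
# real files often use an indirect "/Length 7 0 R" and /FlateDecode.
EMBEDDED_RE = re.compile(
    rb"/Type\s*/EmbeddedFile\b[^>]*?/Length\s+(\d+)[^>]*>>\s*stream\r?\n", re.S
)


def build_docm(with_macro):
    """Constructed OOXML payload (not a real Word file): a two-part zip, plus
    word/vbaProject.bin when with_macro is set. That part is where Word keeps
    VBA macros, so its presence is the signal the scanner looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_pdf_with_attachment(payload, name=b"invoice.docm"):
    """Constructed PDF carrying `payload` as an /EmbeddedFile. The /OpenAction
    running exportDataObject is an assumed way for a PDF to prompt the viewer
    to open the attachment; the article does not say which mechanism was used.
    No xref table is written, so this is scanner input, not a viewer-ready file."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R"
        b" /Names << /EmbeddedFiles << /Names [(" + name + b") 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (" + name + b") /EF << /F 6 0 R >> >>",
        b"<< /S /JavaScript /JS (this.exportDataObject({cName: '" + name
        + b"', nLaunch: 2});) >>",
        b"<< /Type /EmbeddedFile /Length " + str(len(payload)).encode()
        + b" >>\nstream\n" + payload + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, body in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf


def embedded_streams(pdf):
    """Return the raw bytes of every /EmbeddedFile stream in the PDF."""
    out = []
    for m in EMBEDDED_RE.finditer(pdf):
        length = int(m.group(1))
        out.append(pdf[m.end():m.end() + length])
    return out


def classify_attachment(data):
    """Identify the attachment's container and whether it holds a VBA project."""
    info = {"kind": "unknown", "has_macro": False}
    if data.startswith(OLE_MAGIC):
        info["kind"] = "ole"
        # Crude heuristic: OLE directory entry names are UTF-16LE, so a macro
        # project shows up as the storage name "VBA". Use olevba for real work.
        info["has_macro"] = "VBA".encode("utf-16-le") in data
    elif data.startswith(ZIP_MAGIC):
        info["kind"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            names = []
        info["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return info


def scan_pdf(pdf):
    """Static triage of a PDF: list embedded files, note viewer-driven actions,
    and return a verdict. 'block' = an Office document with macros is embedded;
    'review' = an Office document or script action is present; else 'clean'."""
    attachments = [classify_attachment(b) for b in embedded_streams(pdf)]
    findings = {
        "embedded_files": attachments,
        "has_open_action": b"/OpenAction" in pdf,
        "has_javascript": b"/JavaScript" in pdf or b"/JS" in pdf,
    }
    office = [a for a in attachments if a["kind"] in ("ole", "ooxml")]
    if any(a["has_macro"] for a in office):
        findings["verdict"] = "block"
    elif office or findings["has_javascript"]:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    lure = build_pdf_with_attachment(build_docm(with_macro=True))
    print(scan_pdf(lure))
```

The point of the two-tier verdict is that a PDF with an embedded Office document is unusual enough in most mail flows to deserve a look even without macros, while an embedded document that carries vbaProject.bin is exactly the structure this campaign relies on and can be blocked outright at the gateway.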
Security officers should therefore consider sending an email bulletin to all staff warning of the risk of ransomware attacks involving PDF file attachments, and reminding them that a document which demands macros be enabled to view "protected" content should be reported, not opened.