A ransome malware named LOCKY which is released in 2016 which is superbly active in 2017. It is delivered by an email which is allegedly an invoice requiring payment with an attached Microsoft word document that contains malicious macros.
If the user opens the document, it appears to be full of garbage, and t includes the phrase “Enable macro if data encoding is incorrect,” a social engineering technique. If the user does enable macros to save and run a binary file that downloads actual encryption Trojan, which encrypts all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination with the locky file extension. Later the data is encrypted, and the website contains instructions that contain demand to pay 0.5 and one bitcoin which is equal to 500-1000 euros via a bitcoin exchange.
It was a revolutionary incident which brought ransomeware into the sight of all over the world, exactly a year before Wannacry outbreak.
In February 2016 it was an attack on the Southern California hospital, the Hollywood Presbyterian Medical Center. The hospital experienced a ransomware attack that crippled hospital services. It was an attack on the hospital like no other. The hospital center has been hacked. Its services were crippled as patients in the hospital were shifted to other hospitals. The hospital received a message to pay a ransom and get your systems back. So the hospital paid $17000 worth bitcoins to acquire the decryption key to restore its data.
“The quickest and more efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” Allen Stefanek, president of the Hollywood Presbyterian Medical Center said at the same time.
The hospitals have no other alternative other than paying up because the malware Locky went on to plague victims in the most of 2016.
By November,2016 it became one of the most common malware threats in the world in its own right. This particular strain of ransomware was so prolific.
But Locky disappeared in December,2016, prompting some cyber security researchers to suggest that those behind it went on a Christmas Break. It eventually re-emerged in January. Infections have been rising and dropping ever since.
For example after a months of zero activity, the king of ransomware was again back in August, 2016. It again attacked in a very big way which pushed a phishing emails containing Locky payload suddenly rushing inboxes. Not only that, but potential victims are targeted with new strains of locky – Diablo and Lukitus.
The question is why did this ransomware go so quiet in the first place??
But nobody knows what and who is exactly behind this locky is not found. The encryption of the experts which the researchers have been able to crack, found that, this is the work of highly professional group.
Like other software developer they are consistently working on their product unlike other forms of Ransomware. Locky isn’t available as-a-service for others to use. So it’s possible the campaigns go quiet as those behind on it work on their code or experiment with new tactics.
“The respite we saw from locky was just a planned pull-back on the attackers part. Like any organization, they need time to refine code and command-and-control infrastructure, plan new attack vectors, organize ransom payment collection methods and compile new lists of targets,” said Troy Gill, manager of security research at Appriver.
Each time Locky has briefly re-emerged before disappearing the course of this year. It has been doing something different suggesting that people behind it are experimenting.
For this case there is another example. A Locky spike in April saw the ransomware flirt with the new delivery technique by distributing it’s malware through infected PDFs instead office documents, a tactic associated with the Dridex malware botnet. By this it is clear that it can be implemented in any mode and become more successful.
“The timing of these come backs matches closely with the introduction of new attributes such as the most recent Diablo and Lukitus extensions for attached files and the use of new distribution techniques involving PDF documents and phishing links,” says Brendan Griffin, threat intelligence manager at PhishMe.
“These periods of locky absence are used as a chance to build upon their successes and find new, smarter ways to deliver their ransomware.”
Nercus Botnet – a zombie army of over five million hacked devices and the ransomware appears to go off the radar when the botnet is used for other activity. Locky is distributed through this Nercus Botnet. It is re-emerged following a period of inactivity in March with its power was harnessed to distribute email stock scams is an example for this case. The following months saw the continuation of malicious activity with nercus shifting to the distribution of Jaff Ransomware.
While less sophisticated than locky, researchers found that Locky and Jaff Ransomware are somewhere interrelated. Not only do the Jaff decryptor website and the locky decryptor website look identical, but like locky, ransomware will delete itself from the infected machine if the local language is Russian.
Not same as Locky researchers have been able to construct a new decryption tool for jaff. The distribution for this is declined since it was released in June.
Since then, the Nercus Botnet has returned to distributing Locky , which might indicate that they may experiment with other forms of cyber criminal activity, those behind Locky see it as reliable tool to fall back on – because it works on and fetches revenue.
“Locky is an incredibly powerful and well developed piece of ransomware,” says Adam Kujawa director of malware intelligence at malwarebytes. “At the end of the day bad guys want to make money and they can use whatever software they want that they can get in their hands on to make that happen.”
So while Locky is successful, those behind are opportunistic and constantly on the lookout for other means of making money and if that means dropping locky in favour of something else then so be it.
Now Locky is more successful because victims are still paying ransoms. The attackers would easily move onto something else. But, 18 months from the attack of the medical center the ransomware is still here successfully infiltrating the networks. It remains successful because it works and enough people get infected after being morphed by phising emails and enough organisations will give in and pay the ransom fee in order to reaccess their own systems because there is no decryption tool available.
Locky is successful because and returning eventually. So next time it appears to go silent not making any assumptions about the ransomware being dead. It is going offline but the people behind it are still working on it to make it more effective.