The most recent Locky campaign uses a different tactic to complete infection. Earlier Locky campaigns have used malicious Word macros connected to spam emails. If the email attachment is clicked on, end users are asked to allow macros to view the content of the document. Enabling macros will allow a script to run that install the payload. For the latest campaign, spam emails are used to send PDF files.
The change in infection tactic can be easily accounted for. In recent months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and firms have been warning their staff about malicious Word documents including macros.
If an end user is tricked into clicking on an email attachment that asks them to enable macros, they are now more likely to close the document and report it. To increase the probability of the end user taking the action they are hoping for the authors have made an amendment. Macros are still involved, but at a later point in the infection process.
The emails include little in the way of text, but inform the recipient that the PDF file includes a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be clicked on. Opening the PDF file will see the user prompted to permit the PDF reader to install an additional file. The second file is a Word document including a macro that the end user will be prompted to allow.
The rest of the infection process goes ahead in a similar fashion to earlier Locky ransomware attacks. Allowing the macros will see a Dridex payload installed which will then install Locky. Locky will proceed to encrypt a similarly wide variety of file types on the infected computer, connected storage devices and mapped network drives.
The ransom payment asked for is 1 Bitcoin – currently around $1,200. This is considerably greater that the ransom payments demanded when Locky first arrived on the scene just over 12 months ago.
One slight amendment for this campaign is the user is asked to download the Tor browser in order to visit the payment site. This change is though to be due to Tor proxy services being restricted.
Adding the additional step in the infection process is expected to lead to more infections. Many users who would not open a Word attachment may be tricked into opening the PDF.
Companies should raise the alarm and send out warning emails to employees alerting them to the new campaign and advising them to be suspicious of PDF files in emails.
