Malicious E-Mails Spreading the Malware Most is the Locky Ransomware

Malware-laced spam mails, which are being delivered in maximum volumes, contain Locky a well-known ransomware. The malware has overtaken Trojan Dridex as it profusely spreads through e-mails that have attachments containing a JavaScript payload. Relatively, the current Quarterly Threat Summary by Proofpoint a security company states that malware-laced e-mails increased 230% from the first quarter to second quarter of 2016. Such e-mail attacks reached the zenith via generation of several hundred million electronic mails every day. Of the spam mail outbreaks which contained malware-laced attachments, 69% carried the recent Locky which was during April-June, an increase from 24% during January-March this year.

It may be mentioned that Locky's first appearance was early January 2016 since when it has been constantly evolving. All this while the ransomware's payload though, has been the same i.e. a JavaScript implanted within a zipped archive and distributed through e-mail. The JavaScript consisted of a downloader that maliciously pulled down the Locky for execution.

According to Proofpoint, although the Locky spam was enormous, still attackers managed conducting extremely personalized e-mail attacks (usually sent to a select number of users), while maintaining to send Locky bulk e-mails. The attacks' volume and success have been increased with various strategies to bypass security detection. These strategies are obfuscation, document attachments and new loaders. Infosecurity-magazine.com posted this, July 26, 2016.

In the current Locky e-mail attack, the variant adds .zepto extension to every file it encrypts. As a result, the Locky ransomware wave is also being tracked as the Zepto ransom software.

Proofpoint further observed that Locky distribution was being done in some other forms as well without there being any changes to the ransomware itself. One such form is how DOCM files are used in place of DOCX or DOC to contaminate end-users through Word macros.

Furthermore, Proofpoint also observed how WSF filenames were getting used as the payload in Locky spam in place of JavaScript files although WSF files are just another method used for presenting and running JavaScript.

Incidentally according to Proofpoint's report, while the maximum malware-laced spam distributed Locky, the maximum exploit kit distribution involved another ransomware the CryptXXX.

» SPAMfighter News - 8/1/2016