Locky ransomware is back, but we already protect against it

Posted: April 21, 2017 by Malwarebytes Labs
Last updated: April 25, 2017

In our Q1 2017 Tactics and Techniques report, we mentioned that the Locky ransomware had mysteriously vanished. Indeed, for a while, it completely disappeared and allowed for Cerber to take the number one spot as the most distributed piece of ransomware (and malware for that matter).

However, the group controlling the Necurs botnet has just opened the spam floodgates again and is pumping out fake documents that deliver the nasty Locky ransomware right before going into the weekend.

PDF to Word Macro

The ransomware is dropped following a distribution method we have been seeing more of recently with Dridex which involves embedding a Word document within a PDF file.

While this may seem like an unnecessary extra step, it actually allows to bypass sandboxes. Once the user clicks the OK button, the rogue Word document is displayed:

This last step requires a bit of social engineering to execute a malicious macro that will download the actual Locky ransomware.

Personal files are encrypted with the .osiris extension and the crooks are asking 0.5 Bitcoin ($623 at the time of writing) to recover them.

Protection

The attack relies on users opening up malicious attachments that will appear legitimate. Many studies have shown that users are often the weakest link in an attack chain and criminals know that too well.

Malwarebytes protects against this attack at various layers including macro and ransomware mitigation, and neither of those required any signature update.

COMMENTS

Jan Schelvis

Small problem is that at the moment Word and Excel 2016 won’t work with Malwarebytes exploits enabled for the Office 2016 programs. Both are crashing when browsing from within the programs and saving often won’t work. Fun for someone busy with her final Uni Papers.

With exploits for the office parts turned off there are no problems, but for the nice Locky and other stuff. I’ve seen a lot of them on an Exchange server.
Malwarebytes 3.06 and Office 2016 with al the updates and patches on 8 computers.
Think it started with the last Office updates.
Any Idea if and when this will be fixed? By either Malwarebytes of MS?
JanS
Jeannie

Why is Malware byes 3 for PC only???? :(((
James Platt

I have been hit twice with something from Microsoft, locks up the laptop with instructions to call a phone number…is usually preceeded by a notice of bad pool header and needs to shut down
Bob-oh

If it’s the same stuff I’ve gotten in the past a reboot will get rid of it.
Rich FSr

Why are these people not being found out? Doesn’t every computer have an IP address? Can’t these be traced back to the source?
Wendell Ratterree

I have been hit with lacky ware. Malwarebytes did not stop it. I didn’t pay, just lost files.
Bob Kittel

Not always can you reboot. Depends on the Malware. Some of them are easily dumped, the bad ones and you are toast.
esorm

I’ve had this on several occasions and always have been able to get rid of it through system restore (losing nothing). Initially I discovered that my screen was locked, not allowing me to get to system restore or even safe mode, but I could log off. If I logged back on I had the same problem. However, if I had a guest account on my computer I could log on with it and lockey was not there. I proceeded to system restore with no problems and no loss of data. I don’t know if there are safety issues related with “guest accounts” – as we seldom have guests I’m not concerned. Besides most guests use their smart phones.
John Tod

I have been hit with Ransomware several times but I have always been able to remove it. If you are curious how I do it (it does involve Malwarebytes free version) you can email me at furryface47 at gmail dot com.
dbaker27

Not recently- maybe due to Malwarebytes – but in the past I have been hit with the ransomware screen. I Immediately removed power from the computer / laptop off, without hitting any buttons whatsoever. I did not seem to suffer any ill effects; no residual affect of the virus. I think that if I had hit some button or control it would have implanted the problem. Am I fooling myself?
Heather June Wilhelm

i just got it a couple months ago. i just hold in the power button on the tower until it goes off. when i turn it back on its gone 🙂
Boso deniro

Why don’t we kill Locky and show everybody his body.
RandomCapeDude

They have a vpn which hides their ip and their ip is nowhere to be found
Rich FSr

My point. A VPN which hides an IP address should be outlawed internationally. Those creating this software should be treated as terrorists and punished as if they committed mass murder. Nothing less. It should be so severe that only an idiot like Little Fat Boy would be willing to try. In his case he would be declared a war criminal. The damage that these “hackers” and “virus” generators are wreaking is incomprehensible. People are losing their identities and have to spend thousands to regain it. People are losing their life savings or put in debt in the thousands which they have to reconcile since the creditors don’t give a ****. Governments have security being compromised. Seems like a no-brainer to me.
Spark

VPNs should defiantly NOT be outlawed. Like many things, although they can be used for bad, they are overall a very good service/technology. They also have many good uses beyond the side effect of hiding your IP address, such as a secure connection to your place of work. There are also many legitimate, non-illegal, reasons for hiding your IP address.

Regardless though, these criminals do not use VPNs, they use tor which is basically untraceable. Tor is not ran by anyone specifically. Instead it is a huge network of mostly private individuals routing around other people’s traffic for them. It only takes a few minutes to make your computer part of the world-wide tor network and no one can shut this down because it is not controlled by anyone.

If these criminals used only a VPN service they would all be located and arrested on day 1.
Amber Latham

Even with a VPN you can still trace it, if there’s a way in there’s a way out… Most mobile companies have the technology, funny how we can’t get through to them this should be a mandatory on cells and wifi at home, their lack of care is ******** and there needs to be a court willing to enforce such protection
Amber Latham

You can use other people’s IPs and lots do
Amber Latham

There are not enough IPs for everyone and if they didn’t change no one would have privacy, in fact every wifi you connect to is another IP

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Malwarebytes Labs

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS