Something changed again last week, when a new campaign was observed spreading the Locky binary directly: the ransomware code itself was embedded in the attached scripts, rather than being fetched by them.
Security experts from CYREN revealed that the new spam campaign relies on malicious emails with the subject line “Invoice” and the same attachment filename format used in previous Locky attacks.
“It also shows the use of numerous variables containing chunks of strings, which are concatenated at runtime to build needed strings like ActiveXObject names and methods.”
The encrypted Locky ransomware binary is stored in a set of large arrays inside the script; at runtime it is decrypted and written to disk. While the binary is being decrypted, a significant surge in CPU usage by wscript.exe is noticeable, which is a useful behavioural tell when hunting for this kind of dropper.
In previous campaigns the experts had only seen scripts used as a container for a downloader, not for the malicious code itself.
When the ransomware encrypts files it appends the .zepto extension. The IT security expert Antonio Cocomazzi analyzed for Security Affairs a past variant with similar features.
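The dropper pattern described above (ActiveXObject names assembled from string chunks, the encrypted binary carried in large numeric arrays) lends itself to static triage. The following Python script is an added example, not code from the article or from CYREN: it pulls the ActiveXObject names back out of the concatenated variables and flags large byte arrays as the probable embedded payload. The sample script it runs on is constructed for the demo; the single-byte XOR stand-in for Locky's real encryption and the "MZ" header heuristic are assumptions, not claims about how the actual dropper encrypts its payload.

```python
import re
import json

# Constructed sample script in the style the CYREN write-up describes (NOT the
# real Locky/Zepto dropper): ActiveXObject names split across variables and
# concatenated at runtime, and the "binary" held in one large numeric array.
# The stand-in payload is a byte string starting with an MZ header, and the
# XOR "encryption" is an assumption made for the demo, not a claim about Locky.
FAKE_PAYLOAD = b"MZ" + bytes(range(256)) * 2  # 514 bytes, looks like a PE start
DEMO_XOR_KEY = 0x5A
SAMPLE_JS = (
    'var a1 = "ADO"; var a2 = "DB.S"; var a3 = "tream";\n'
    "var b1 = 'Scri'; var b2 = 'pting.Fi'; var b3 = 'leSystemObject';\n"
    'var w1 = "WScr"; var w2 = "ipt.Sh"; var w3 = "ell";\n'
    'var blob = [' + ','.join('0x%02x' % (b ^ DEMO_XOR_KEY) for b in FAKE_PAYLOAD) + '];\n'
    'var tmp = [1, 2, 3];\n'
    'var st = new ActiveXObject(a1 + a2 + a3);\n'
    'var fs = new ActiveXObject(b1 + b2 + b3);\n'
    'var sh = new ActiveXObject(w1+w2+w3);\n'
)

STR_VAR = re.compile(r'var\s+(\w+)\s*=\s*(?:"([^"\\]*(?:\\.[^"\\]*)*)"|\'([^\'\\]*(?:\\.[^\'\\]*)*)\')')
ARRAY_VAR = re.compile(r'var\s+(\w+)\s*=\s*\[([^\]]*)\]', re.S)
ACTIVEX_CALL = re.compile(r'new\s+ActiveXObject\s*\(([^)]*)\)')
LITERAL = re.compile(r'^(?:"([^"]*)"|\'([^\']*)\')$')


def collect_string_vars(js):
    """Map every `var name = "literal";` to its value (no escape processing)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in STR_VAR.finditer(js)}


def resolve_concat(expr, strings):
    """Statically evaluate `a + "lit" + b`; None if any term is unknown."""
    parts = []
    for tok in expr.split('+'):
        tok = tok.strip()
        lit = LITERAL.match(tok)
        if lit:
            parts.append(lit.group(1) if lit.group(1) is not None else lit.group(2))
        elif tok in strings:
            parts.append(strings[tok])
        else:
            return None  # function calls, fromCharCode, replace(): out of scope here
    return ''.join(parts)


def collect_byte_arrays(js):
    """Return {name: bytes} for numeric arrays whose elements all fit in a byte."""
    out = {}
    for m in ARRAY_VAR.finditer(js):
        try:
            vals = [int(t.strip(), 0) for t in m.group(2).split(',') if t.strip()]
        except ValueError:
            continue
        if vals and all(0 <= v <= 255 for v in vals):
            out[m.group(1)] = bytes(vals)
    return out


def find_xor_key(data):
    """Heuristic: a single-byte XOR key that turns the first two bytes into 'MZ'."""
    if len(data) < 2:
        return None
    for key in range(256):
        if data[0] ^ key == 0x4D and data[1] ^ key == 0x5A:
            return key
    return None


def carve(data, key):
    """Apply the recovered single-byte key to the whole array."""
    return bytes(b ^ key for b in data)


def triage(js, min_payload=256):
    """Resolve ActiveXObject names and flag large byte arrays as payload candidates."""
    strings = collect_string_vars(js)
    activex = [resolve_concat(arg, strings) or arg.strip()
               for arg in ACTIVEX_CALL.findall(js)]
    candidates = {}
    for name, data in collect_byte_arrays(js).items():
        if len(data) >= min_payload:
            candidates[name] = {"size": len(data), "xor_key": find_xor_key(data)}
    return {"activex": activex, "payload_candidates": candidates}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_JS), indent=2))
```

On the constructed sample the script recovers ADODB.Stream, Scripting.FileSystemObject and WScript.Shell (the objects a WSH dropper needs to write a file and launch it) and flags the 514-byte array with its XOR key. Real droppers rarely stop at plain concatenation (String.fromCharCode, replace() chains, eval), so this resolver will return the raw expression where it cannot evaluate a term; at that point detonation in a sandbox, watching for the wscript.exe CPU spike and the dropped file, is the reliable way to recover the binary.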
“There have been other reports identifying this Locky ransomware variant as Zepto Ransomware, however, upon close inspection of the malware body, we found that there were just a few changes in the Locky code showing the change in file extension used. CYREN detects the dropped ransomware components as W32/Locky.AN.gen!Eldorado.” states the analysis published by CYREN.
When the encryption process has completed, Locky replaces the desktop background image with the ransom note and opens the ransom instructions page. As in previous campaigns, victims are given Tor links to the ransom payment page.
When dealing with ransomware it is important to follow a few suggestions, also shared by the ‘No More Ransom’ initiative launched by Europol together with a number of IT security firms.
(Security Affairs – Locky Ransomware, Zepto ransomware)