Huge wave of Locky Ransomware spread via JavaScript spam (Feb 19th, 2016)

dcdataPublic, Uncategorized

The Dell SonicWall Threats Research team has come across a new ransomware family called Locky. Ransomware is still on the rise and shows no signs of stopping any time soon. As predicted, the team has seen an increase in new ransomware families and in ransomware targeted at large corporations. It even made recent headline news with the story of a US hospital having to pay $17,000 in bitcoins to recover critical files. Our analysts identified the malicious executable as being associated with ransomware as a service (RaaS): threat actors configure these executables to encrypt various files found on an infected system, and the RaaS provider then takes a portion of the ransom paid by victims as payment. Ransomware is an increasingly lucrative business, and the Locky family is yet another one trying to cash in on a growing criminal market.

Infection Cycle:

The Trojan is spread via email spam carrying a JavaScript attachment. The scripts are polymorphic: each copy [Detected as GAV: JS.Camelot.A (Trojan)] is uniquely obfuscated using words from the English dictionary:

The script downloads the Locky ransomware executable file and runs it:
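As an added mitigation-side example (not part of the original report and not SonicWall's code), a mail-gateway check for the delivery vector described above: it flags script attachments whether they arrive bare or inside a zip. The extension list and the sample message are constructed assumptions.

```python
"""Flag Windows-script attachments in an email, looking one level into zips.
Added example; the extension list and sample message are assumptions."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Windows Script Host file types that run on double-click (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTS = (".zip",)

def _has_script_ext(name: str) -> bool:
    # Only the final extension matters: "Invoice.pdf.js" is still a .js file.
    lower = name.lower().strip()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTS)

def script_attachments(raw: bytes) -> list[str]:
    """Return the names of script attachments found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _has_script_ext(name):
            hits.append(name)
        # Spam campaigns commonly wrap the script in a zip; read the listing.
        if name.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits.extend(f"{name}:{n}" for n in zf.namelist() if _has_script_ext(n))
    return hits

def build_sample() -> bytes:
    """Constructed test message: a zip holding a .js placeholder plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0219.js", "// placeholder text, not a real script\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    print(script_attachments(build_sample()))  # ['invoice.zip:invoice_0219.js']
```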

The Locky Trojan executable file uses the following icon:

The Trojan makes the following DNS queries:


Full story