The godfather of ransomware returns: Locky is back and sneakier than ever

Jonathan Mathews


The ransomware that drove last year’s boom in file-encrypting malware is back, and this time it’s even harder to detect.

Ransomware cost its victims some $1bn during 2016, with Locky one of the most widespread variants, infecting organisations across the globe.

However, the start of 2017 saw a sudden decline in the distribution of Locky, to such an extent that another form of ransomware — Cerber — has usurped Locky’s dominance.

But after being all but written off, Locky is staging a comeback. Security researchers at Cisco Talos have observed a surge in emails distributing Locky, with over 35,000 messages sent in just a few hours. The surge is attributed to the Necurs botnet, which until recently had focused on spamming pump-and-dump stock-market scams.

This time, however, the Locky campaign is harnessing an infection technique associated with the Dridex botnet, in an effort to boost the chance of compromising targets.

As noted by researchers at PhishMe, this new Locky campaign opens with a familiar tactic: a phishing email with an attachment that the message claims is a payment notice or a set of scanned documents. But rather than the more common practice of attaching a malicious Office document, the campaign sends a malicious PDF instead.
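A PDF lure is worth a first-pass check before anyone opens it. The script below is an added example, not code from the article, Cisco Talos or PhishMe: it scans a PDF attachment's raw bytes for the indicators a triage tool typically looks for (an embedded file stream, automatic open actions, JavaScript, launch actions) and rates the attachment. The two sample PDFs, the indicator list and the low/medium/high rating are constructed here for illustration and are not taken from the campaign.

```python
import re

# Heuristic indicators, as a byte-level triage (in the spirit of tools such as
# pdfid) looks for them. The keys are PDF name objects as they appear in the file.
INDICATORS = {
    "/EmbeddedFile": "embedded file stream (e.g. a dropped Office document)",
    "/OpenAction":   "action run automatically when the document opens",
    "/AA":           "additional automatic actions (page/field events)",
    "/JavaScript":   "JavaScript action",
    "/JS":           "inline JavaScript code",
    "/Launch":       "launch action (start an external program)",
    "/ObjStm":       "object streams: dictionaries may be compressed and hidden from this scan",
}


def _normalise_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (/Java#53cript -> /JavaScript) so that
    trivially obfuscated names are still matched."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Return {indicator: count} for every indicator present in the raw bytes.
    The negative lookahead keeps /EmbeddedFile from matching /EmbeddedFiles."""
    data = _normalise_names(data)
    hits = {}
    for name in INDICATORS:
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, data))
        if count:
            hits[name] = count
    return hits


def triage_pdf_attachment(data: bytes) -> tuple:
    """Rate an attachment low/medium/high (a constructed scale for this example).
    An embedded file plus an automatic trigger is the combination that lets a
    PDF lure hand a second-stage document to the reader."""
    hits = scan_pdf_bytes(data)
    has_payload = "/EmbeddedFile" in hits
    has_trigger = any(k in hits for k in
                      ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch"))
    if has_payload and has_trigger:
        return "high", hits
    if has_payload or has_trigger:
        return "medium", hits
    return "low", hits


# Constructed sample: a minimal PDF carrying an embedded file and a JavaScript
# open action, with the action name hex-escaped (/Java#53cript) to show the
# normalisation step. Not a real sample from the campaign.
SAMPLE_LURE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles << /Names [(invoice.docm) 4 0 R] >> >> >>
endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 6 0 R >> >> endobj
5 0 obj << /S /Java#53cript /JS (this.exportDataObject({cName:"invoice.docm", nLaunch:2});) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a plain one-page PDF with none of the indicators.
SAMPLE_CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE_PDF), ("clean", SAMPLE_CLEAN_PDF)):
        verdict, hits = triage_pdf_attachment(blob)
        print(f"{label}: {verdict} {hits}")
```

The scan is deliberately cheap and runs over raw bytes, so it is a first filter, not a verdict: a PDF whose dictionaries live inside compressed object streams (the /ObjStm indicator) can hide every other name from it, and such a file should be handed to a parser that inflates the streams before it is declared clean.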
