FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1.
Figure 1. Affected countries
As seen in Figure 2, the steep spike starts on March 21, 2016, where Locky is running campaigns that coincide with the new Dridex campaigns that were discussed in the blog, “Stop Scanning My Macro”.
Figure 2. Detection on spam delivered malware
Prior to Locky’s emergence in February 2016, Dridex was known to be responsible for a relatively higher volume of email spam campaigns. However, as shown in Figure 3, we can see that Locky is catching up with Dridex’s spam activities. This is especially true for this week, as we are seeing more Locky-related spam themes than Dridex. On top of that, we also are seeing Dridex and Locky running campaigns on the same day, which resulted in an abnormal detection spike.
Figure 3. Dridex versus Locky spam campaign over time
The new Locky spam campaign uses several themes such as “invoice notice”, “attached image”, and “attached document themes”. See Figure 4 and Figure 5 for example campaign emails.
Figure 4. Urgent Invoice Campaign
Figure 5. Other Campaigns
Figure 6. Zipped Content
Figure 7. Locky Downloader Mechanism
The volume of Locky ransomware downloaders observed is increasing and it may potentially replace the Dridex downloader as the top spammer. One of the latest victims of Locky is Methodist Hospital, where the victim was reportedly forced to pay a ransom to retrieve their encrypted data. This suggests that the cybercriminals are earning more from ransomware and this drives their aggressive campaigns.
MD5 Sum: 3F118D0B888430AB9F58FC2589207988 (First seen on 2016-02-24 in VirusTotal)
Figure 9. HTTP POST request polling packet (general packet structure)
This sample contains a domain name generation algorithm that is based on the current month, day and year. There are eight possible domains per day and the domains change on the first of the month and on even numbered days. Figure 10 contains Python code to generate the eight possible domain names for the current date.
Figure 10. Locky Domain Generation Algorithm