The ransomware threat has grown significantly over time, and a new variant joins the ransomware family every day. Malware is usually delivered through exploit kits and spam emails. Spam emails either carry a malicious document file that installs the malware, or carry the malware itself inside a ZIP file.
Cyber criminals continue to use different ways to infect users with ransomware. We have recently come across a ransomware that uses a new delivery technique: a spam email is sent to the target containing a malicious script file, and that script is responsible for downloading and installing the ransomware. The use of a script file as the downloader component is quite new.
In this report, we will look at how script files are used by Locky ransomware to deliver its payload, and how attackers have been able to improve this technique.
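As an added illustration of the delivery pattern described above (this is example code written for this page, not part of the Quick Heal write-up), the routine below triages a mail message from the defender's side: it flags any attachment that is a script file, and any ZIP attachment that contains one. The sample message is constructed inline, and the list of script extensions and the attachment names are assumptions, not indicators taken from the report.

```python
"""
Added example (not part of the Quick Heal write-up): mail-attachment triage
that flags a script file sent directly as an attachment or wrapped inside a
ZIP archive, the delivery pattern described in the text above.
The sample message is constructed inline; the extension list and file names
are assumptions, not indicators from the report.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host executes on double-click.
# Assumption: a typical gateway blocklist, not a list taken from the report.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def _has_script_extension(name: str) -> bool:
    lower = name.lower()
    return any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS)


def script_members_in_zip(data: bytes) -> list[str]:
    """Return the names of script files inside a ZIP payload (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _has_script_extension(n)]
    except zipfile.BadZipFile:
        return []


def triage_message(msg: EmailMessage) -> list[str]:
    """Collect one finding per suspicious attachment: direct script or script-in-ZIP."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _has_script_extension(filename):
            findings.append(f"script attachment: {filename}")
        for member in script_members_in_zip(payload):
            findings.append(f"script inside archive {filename}: {member}")
    return findings


def build_sample_message() -> EmailMessage:
    """Constructed sample: a spam-style mail carrying a ZIP with a .js file inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0427.js", "// placeholder content, not real downloader code\n")
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Invoice attached"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice_0427.zip")
    # A harmless second attachment, to show that non-script files are not flagged.
    msg.add_attachment(b"%PDF-placeholder", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Run as a script, this prints one finding for the .js file hidden inside the ZIP and nothing for the PDF. A real gateway would apply the same check to every inbound message and quarantine or strip the flagged attachment, which is the simplest way to block this delivery method before the script ever reaches a user's desktop.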
Download the PDF for the technical analysis
Ransomware is becoming a serious threat to individuals and businesses alike. The Locky Ransomware stands out from other ransomware as its creators have shown aggression and innovation in their campaigns.
The key to fighting ransomware attacks is preventing the infection in the first place:
• Never open or respond to emails sent by unknown, unwanted or unexpected sources.
• If an email seems to have been sent by a familiar source and carries a sense of urgency, verify the content of the email with the sender. Most scam emails are made to sound important or urgent so that you get tricked into taking an action, such as clicking on a link or downloading an attachment.
• Do not click on links or download attachments in emails that ask for your personal or financial information.
• Apply all recommended security updates for your operating system and for programs like Adobe products, Java and web browsers. These updates fix security weaknesses in those programs and prevent malware from exploiting them.
• Make sure that your antivirus software is up to date and blocks phishing emails and phishing websites.
• Take regular backups of your files. When backing up to a hard drive, remember to disconnect from the Internet first, and unplug the drive before you go online again.
Quick Heal proactively detects and blocks the Locky script variant as “JS.Locky.**/JS.Nemucod.**” and the PE component as “Ransomware.Locky.**” and “Ransom.Locky.**”.
Subject Matter Expert (Analyst)
- Indrajeet Kavitake (Quick Heal Threat Research & Response Team)