When new instances of the widely distributed Locky ransomware began to dry up around the end of May 2016, security researchers were certain we had not seen the last of the file-encrypting malware variant.
Lo and behold, they were right.
Since June 19th security experts have observed millions of malicious email messages sent with an attachment containing a new variant of the Locky ransomware. The evolution appears to have made the malware vastly more dangerous, and are accompanied by an altered distribution tactic, spreading the infection further than previously seen.
It isn’t just the Locky ransomware worrying security researchers. There have already been other variants of Locky, and it appears distribution networks are ramping up “production” across the globe, with no particular targets in mind.
2016 has seen a slight shift in malware distribution. Internet users may only just be beginning to understand the extreme menace ransomware poses, but it has already begun to evolve, in order to remain under the radar for as long as possible.
“Malware evolution seems to be as rapid and cutthroat as any jungle environment, where survival and propagation go hand in hand. Authors have frequently co-opted functionality from different malware strains into the next generation of code — regularly sampling the efficacy and profitability of each generation.”
For example, when you attempt to run an unknown .exe file, you’ll encounter this warning:
Botnets and Spam Email
The vast majority of ransomware is sent via malicious emails, which in turn are sent in huge volumes through massive networks of infected computers, commonly referred to as a “botnet.”
The huge rise in Locky ransomware has been linked directly to the Necrus botnet, which saw an average of 50,000 IP addresses infected every 24 hours for several months. During observation (by Anubis Networks), infection rates remained steady, until March 28th when there was a huge surge, reaching 650,000 infections over a 24-hour period. Then, back to business as normal, albeit with a slowly dropping infection rate.
On June 1st, Necrus went quiet. Speculation as to why the botnet went quiet is slim, though much centered around the arrest of around 50 Russian hackers. However, the botnet resumed business later in the month (around the 19th June), sending the new Locky variant to millions of potential victims. You can see the current spread of the Necrus botnet in the above image – note how it avoids Russia?
The spam emails always contain an attachment, purporting to be an important document or archive sent from a trusted (but spoofed) account. Once the document is downloaded and accessed, it will automatically run an infected macro or other malicious script, and the encryption process begins.
Whether Locky, Dridex, CryptoLocker, or one of the myriad ransomware variants, spam email is still the choice delivery network for ransomware, plainly illustrating just how successful this method of delivery is.
New Challengers Appear: Bart and RAA
First up, the Bart infection leverages some pretty standard ransomware techniques, using a similar payment interface to Locky, and targeting a mainstream list of file extensions for encryption. However, there are a couple of key operational differences. While most ransomware need to dial home to a command and control server for the encryption green light, Bart has no such mechanism.
Instead, Brendan Griffin and Ronnie Tokazowski of Phishme believe Bart relies on a “distinct victim identifier to indicate to the threat actor what decryption key should be used to create the decryption application purported to be available to those victims who pay the ransom,” meaning even if the infected is rapidly disconnected from the Internet (before receiving the traditional command and control go-ahead), the ransomware will still encrypt the files.
There are two more things that sets Bart aside: its decryption asking price, and its specific choice of targets. It currently stands at 3BTC (bitcoin), which at the time of writing equates to just under $2000! As for a choice of targets, it is actually more who Bart doesn’t target. If Bart determines an installed user language of Russian, Ukrainian, or Belorussian, it will not deploy.
To add insult to injury, RAA also bundles well-known password stealing program Pony, just to make sure you’re really, really screwed.
First, you can disable macros from automatically running. A macro may contain code designed to automatically download and execute malware, without you realizing. I’ll show you how to do this in Microsoft Word 2016, but the process is relatively similar for all other Office programs.
Head to File > Options > Trust Centre > Trust Centre Settings. Under Macro Settings you have four options. I choose to Disable all macros with notification, so I can choose to run it if I am sure of the source. However, Microsoft advise selecting Disable all macros except digitally signed macros, in direct relation to the spread of the Locky ransomware.
Show Extensions, Use Different Program
This isn’t entirely foolproof, but the combination of the two changes will perhaps save you from double-clicking the wrong file.
First, you need to enable file extensions within Windows, which are hidden by default.
In Windows 10, open an Explorer window, and head to the View tab. Check File name extensions.
In Windows 7, 8, or 8.1, head to Control Panel > Appearance and Personalization > Folder Options. Under the View tab, scroll down the Advanced settings until you spot Hide extensions for known file types.
If you accidentally download a malicious file disguised as something else, you should be able to spot the file extension before execution.
Head to a .js file. If you don’t know where or how, enter *.js into the Windows Explorer search bar. Your window should populate with files akin to this:
Microsoft Outlook doesn’t let you receive files of certain type. This includes both .exe and .js, and is to stop you inadvertently introducing malware to your computer. However, that doesn’t mean they cannot and will not slip through both other means. There are three extremely easy ways ransomware can be repackaged:
- Using file compression: the malicious code can be archived, and is sent with a different file extension that doesn’t trigger Outlook’s integrated attachment blocking.
- Rename the file: we frequently encounter malicious code disguised as another file type. As most of the world uses some form of office suite, document formats are extremely popular.
- Using a shared server: this option is a little less likely, but malicious mail can be sent from a private FTP or secure SharePoint server if compromised. As the server would be whitelisted within Outlook, the attachment wouldn’t be picked up as malicious.
See here for a full list of which extensions Outlook blocks by default.
I’m not going to lie. There is an omnipresent threat of malware when you’re online — but you don’t have to succumb to the pressure. Consider the sites you’re visiting, the accounts you’re signing up to, and the emails you’re receiving. And even though we know it is difficult for antivirus software to maintain pace with the dazzling array of malware variants churned out, downloading and updating an antivirus suite should absolutely form part of your system defense.
Have you been hit by ransomware? Did you get your files back? Which ransomware was it? Let us know what happened to you!
Image Credits: Necrus botnet infection map via malwaretech.com, Bart decryption interface and Current infections by country both via phishme.com