
Updated Locky Ransomware Crippling Left-Over Windows XP Systems

Here's a brief recap of what has happened in the top tier of the ransomware landscape over the last half year or so. After dominating the industry for quite a while, Locky went on a long vacation in December 2016 and stayed under the radar for a few months. Cerber became the Number 1 ransomware family in terms of widespread distribution, and although smaller strains like Spora and Shade tried to put up a fight, they had no chance. In April, Locky reared its ugly head once again, but the burst of spam turned out to be more of a cameo reappearance than a back-with-a-bang return.

In May, Jaff, initially considered to be the rightful successor of Locky, popped up and infected quite a few people in a matter of hours, but its timing was awful. Twenty-four hours later, the WannaCry outbreak crippled hundreds of thousands of computers around the world and showed everybody how ransomware works. Thankfully, MalwareTech was on the case, and after activating a kill switch, he single-handedly put an abrupt end to what is surely one of the biggest malware outbursts the world has ever seen. Over the following weeks, security experts managed to crack Jaff's encryption, and Cerber continued its reign, with countless other families battling it out for a piece of the pie.

It sounds like a convoluted plot for a long-running soap opera. And like a long-running soap opera, there seems to be no end in sight. Yesterday, for example, Locky came back once again, accompanied by the love of its life, the Necurs spam botnet.

Talos Intelligence researchers spotted the emails which, at one point, peaked at more than 7% of all the spam volume detected on one of their systems. The blasts subsided as the day went on, but the experts noted that Necurs is still pushing Locky-laced emails in smaller numbers. There's nothing groundbreaking about the emails themselves.

Ransomware Creators Heavily Rely On Social Engineering Techniques

Using social engineering, the crooks try to trick potential victims into thinking that they are receiving an invoice or a payment slip that is attached to the message. The ransomware hasn't been completely overhauled, either.

Although Talos' blog doesn't go into too many technical details, the researchers said nothing about changes to the encryption mechanism, and they pointed out that the Domain Generation Algorithm (DGA) is the same as the one seen back in April. The extension appended to encrypted files is still .loptr (Loptr is an alternative name of the god Loki in Norse mythology). That said, the Locky crooks have made a few updates. Curiously enough, some of those updates have actually made the ransomware less powerful.

For one, a couple of months ago Locky used a clever combination of a macro-laced Word document embedded inside a PDF, whereas right now it comes as an EXE file put inside two ZIP archives. The executable is much more likely to raise suspicion among moderately tech-savvy users.
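The double-zipped executable described above is exactly the kind of attachment a mail gateway or triage script can flag before it reaches a user. The following is an added example (not code from Talos or from the article) that builds a constructed sample in memory, an "MZ"-headed file inside a ZIP inside a ZIP, and walks the archives recursively, reporting executables by both file name and PE magic so a renamed .exe is still caught.

```python
import io
import zipfile

MZ_MAGIC = b"MZ"                      # first two bytes of every PE executable
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")
MAX_DEPTH = 4                          # stop recursing into archive-in-archive chains


def find_nested_executables(data, name="attachment", depth=0):
    """Return (path, depth) for every executable found in a ZIP, recursing into
    inner ZIPs. Depth 1 means 'directly inside the outer archive', depth 2 means
    'inside a ZIP that is itself inside the outer archive', and so on."""
    findings = []
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info.filename)
            path = f"{name}/{info.filename}"
            is_exe_name = info.filename.lower().endswith(EXECUTABLE_SUFFIXES)
            if member.startswith(MZ_MAGIC) or is_exe_name:
                findings.append((path, depth + 1))
            elif zipfile.is_zipfile(io.BytesIO(member)):
                findings.extend(find_nested_executables(member, path, depth + 1))
    return findings


def build_double_zipped_sample():
    """Constructed sample (hypothetical names): an EXE and a renamed MZ file
    inside 'invoice.zip', which is itself inside the outer attachment."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice_2017.exe", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("notes.txt", MZ_MAGIC + b"\x90" * 30)   # renamed executable
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, depth in find_nested_executables(build_double_zipped_sample(), "invoice_2017.zip"):
        print(f"executable at archive depth {depth}: {path}")
```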

Locky Ransomware Evolves To Dig Up The Past

Locky's authors did add an anti-debugging feature which made analysis harder, but Talos' researchers were able to get around it with relative ease. When they tried to run the samples on a Windows XP machine, they worked, but when they launched them on a Windows 7 PC, the ransomware failed to deploy. Talos' experts reckon that this is due to Windows' Data Execution Protection (DEP), a security feature Microsoft introduced in Vista. In theory, if the version of your Windows isn't ancient (let's not forget that Vista was launched some ten years ago), you should be protected from this particular variant of Locky. If not, you've only got yourself to blame for running a system that's way past its shelf life.

Talos noted that the crooks were most likely in a hurry to push out the ransomware's new version which, unsurprisingly, led to mistakes. The errors might be fixed in the releases to come, and Locky might soon work on more modern machines. We'll see what happens in the next episode of the ransomware saga.
