Threat Actors Send Massive Spam Emails Distributing Locky Ransomware

Updated: 25 Sep 2017

Product/Version:
    • Control Manager All.All
    • Deep Discovery Analyzer All.All
    • Deep Discovery Email Inspector All.All
    • Deep Discovery Inspector All.All
    • Deep Security All.All
    • Endpoint Application Control All.All
    • Hosted Email Security All.All
    • InterScan Messaging Security Suite All.All
    • InterScan Messaging Security Virtual Appliance All.All
    • InterScan Web Security Suite All.All
    • InterScan Web Security Virtual Appliance All.All
    • Worry-Free Business Security Services All.All
    • Worry-Free Business Security Standard/Advanced All.All

Platform: N/A
Summary

THREAT INFORMATION

Trend Micro has recently observed threat actors sending massive volumes of spam email distributing Locky ransomware. The cybercriminals behind this email campaign use social engineering tactics to entice users into opening a file attachment, which in turn downloads the Locky ransomware and encrypts the users’ data.

Figure: Data files encrypted by the recent Locky ransomware campaign

Figure: Locky ransom notes

ARRIVAL AND INSTALLATION

The infection chain of this ransomware campaign starts with a socially engineered email. Threat actors send emails that spoof the “Herbalife” brand, impersonate a “copier” file delivery, or carry the subject line “Emailing - (name of attachment)”. All of the observed emails contain an archive (7zip, rar, zip) with an embedded VBScript file. When executed, the script connects to command and control (C&C) servers to download the Locky ransomware, which then encrypts the user’s data locally as well as files on network shares. “Fake voicemail email notifications” have also recently been observed as a lure in this campaign.

Figure: Locky email campaign infection chain

Sample spam mails used by Locky ransomware campaign:

Figure: Spoofed Herbalife brand email

Figure: Email that impersonates a “copier” file delivery

Figure: Email with subject line “Emailing - (name of attachment)”

Details

PRODUCT SOLUTIONS

Messaging products such as Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) and ScanMail for Exchange (SMEX) can block the spam mails related to this ransomware. They check the email reputation of the sender, the web reputation of embedded links, the file attachments, and any macros in MS Office documents.

All related samples are detected by AS Full Pattern 3342.

Instructions on how to enable Ransomware Protection Feature for IMSS and IMSVA:

Enabling the Ransomware Protection feature in InterScan Messaging Security Suite (IMSS) or InterScan Messaging Security Virtual Appliance (IMSVA)

Files related to this Locky ransomware campaign are already detected using OPR 13.671.00.

Downloaders (the downloaders have been detected since as early as January 2017):

Figure: Locky Ransomware

Web Reputation Services evaluates the potential security risk of every requested URL at the time of each HTTP request. Depending on the rating returned by the database and the configured security level, web reputation either blocks or approves the request.

Web Reputation Services already blocks all of the known URLs associated with the Locky ransomware campaign.

Figure: Web Reputation Services

Behavior Monitoring can detect a specific sequence of events that may indicate a ransomware attack, and so detects and blocks the file encryption routine of Locky ransomware.

Figure: Behavior Monitoring

Trend Micro Deep Discovery Inspector (DDI) helps identify potentially impacted machines on the network because it has the following detection rules for this ransomware:

  • Rule ID 3601: VBSCRDLX - HTTP (Request) - ETA: September 26, 2017
  • Rule ID 2116: LOCKY - Ransomware - HTTP (Request) - Variant 2
  • Rule ID 2028: LOCKY - Ransomware - HTTP (Request)
  • Rule ID 2251: LOCKY - Ransomware - HTTP (Request) - Variant
  • Rule ID 2409: File renamed - LOCKY - Ransomware - SMB (Request) - ETA: September 26, 2017

Figure: Deep Discovery Inspector

Deep Security has an IPS solution that can help detect and block network traffic associated with Locky ransomware.

Figure: Deep Security IPS

Instructions on how to enable this feature are available at this link: Ransomware Detection and Prevention in Deep Security.

TippingPoint has the following ThreatDV filters to block and prevent threat activity related to Locky ransomware:

  • 26222: HTTP: Locky CnC checkin Nov 21
  • 26223: HTTP: Locky CnC checkin Nov 21 M2
  • 26226: HTTP: Locky CnC Checkin Dec 5 M1
  • 26227: HTTP: Locky CnC Checkin HTTP Pattern
  • 27857: HTTP: Locky CnC checkin Aug 03

Figure: TippingPoint

BEST PRACTICES FOR IT ADMINS

  • Optimize email security. Blocking malicious emails at the gateway before they reach users helps prevent malware infections.
  • Review whether VBS and JS scripting is needed on the machine. If it is not needed, disable it to reduce the risk of malware infection.
  • Enable file extensions in Windows. Windows hides file extensions by default, so users have to rely on the file thumbnail to identify a file. Showing extensions makes it much easier to identify file types that are not commonly sent, such as JavaScript or VBScript.
  • Don’t enable macros in MS Office file attachments received via email.
  • Restrict write permissions on the file server where possible. Ransomware encrypts files on both local disks and network shares to which the user has write permissions.
  • Back up important files regularly. Cybercriminals use the potential loss of important and personal data as a fear-mongering tactic to coerce victims into paying the ransom; organizations and end users can back up files to remove that leverage. Keep at least three copies, with two stored on different devices and another in an offsite or safe location.
  • Practice effective patch management. Keep application patch levels up to date, because a lot of malware exploits known vulnerabilities to compromise your machine. Examples of critical applications are Java, Adobe products, and your Internet browser.
  • Educate users about social engineering attacks. A ransomware infection is an indication that the user is not security aware: the user may receive spam mail and open the attachment without knowing the risks involved.
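As an added example (not Trend Micro's code and not part of this article), a gateway-side triage routine for the attachment pattern described in the infection chain above and in the email-security and scripting best practices: it walks a message's attachments, opens ZIP archives and flags embedded VBScript/JavaScript members, and returns a quarantine verdict. Assumptions: the encoded-script extensions (.vbe, .jse, .wsf), the example.invalid addresses and the constructed sample message are mine; 7z and RAR attachments are only reported, because the Python standard library cannot open them.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Script types the advisory names (VBScript, JavaScript); encoded/WSH variants are an assumption.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
OTHER_ARCHIVES = {".7z", ".rar"}  # stdlib cannot open these: reported as unparsed, not inspected

def ext_of(name: str) -> str:
    """Final extension, lower-cased, so 'Scan.PDF.vbs' is treated as .vbs."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def script_members(archive_bytes: bytes) -> list[str]:
    """Names of ZIP members whose extension marks them as a script."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return [n for n in zf.namelist() if ext_of(n) in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []  # corrupt or non-ZIP body: nothing to inspect

def triage_message(raw: bytes) -> dict:
    """Walk every attachment; flag bare scripts and scripts inside ZIP archives."""
    msg = message_from_bytes(raw)
    result = {"subject": msg["Subject"], "flagged": [], "unparsed": []}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart container or inline text body
        ext, body = ext_of(name), part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            result["flagged"].append(name)
        elif ext == ".zip":
            result["flagged"] += [f"{name}:{m}" for m in script_members(body)]
        elif ext in OTHER_ARCHIVES:
            result["unparsed"].append(name)
    result["verdict"] = "quarantine" if result["flagged"] else "pass"
    return result

def build_sample(subject: str, zip_name: str, members: dict[str, bytes]) -> bytes:
    """Constructed test message: a ZIP built from `members`, attached to an email."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, data in members.items():
            zf.writestr(member, data)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.invalid", "b@example.invalid"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

A message whose archive is listed under "unparsed" still deserves a policy decision (for example, holding it for manual review), since a pass verdict only means no script was found in what could be opened.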

Category: Remove a Malware / Virus
Solution Id: 1118382