Scam of the Week – Locky Ransomware

October 27, 2017 8:18 am Paul Mullin

Locky ransomware is nothing new, and different variations of it appear all the time; only last week we noted that it has now become a problem for Android users as well.

The means by which it spreads keep getting more sophisticated. The latest distribution method is a phishing email carrying a compromised Word document dressed up as an invoice.

The people at the SANS Internet Storm Centre spotted this strain first. They noticed that it leverages a vector in Word documents built on Microsoft Dynamic Data Exchange (DDE), a feature that lets Office applications load data from another Office file.

The phishing messages carrying this attack come from the Necurs botnet. You may have heard of it before: it has been around for about 5 years and has been named one of the largest botnets in the world. It contains some 6 million zombie endpoints and delivers some of the worst trojan and ransomware threats to millions of mailboxes at a time.

It works by using the fake invoice (the compromised Word file) to convince recipients to click ‘OK’ through the security warnings. Once the victim has clicked ‘OK’, the poisoned document fetches a downloader, which pulls a copy of Locky that is decrypted on the target.

Once Locky has launched and encrypted the victim’s hard drive, it deletes itself, leaving the downloader behind, and a demand for 0.25 Bitcoin (about £1200 at the time of writing) is issued.