Locky ransomware was discovered to be using a domain generation algorithm in its code, and now it has evolved yet...
again. This time, security researchers have found Locky ransomware moving away from WSF documents in phishing emails to shortcut LNK files. Microsoft says this can help phishing emails evade detection. What's the difference between the two file types, and how should security teams adjust to the changes in Locky?
Locky ransomware has made several changes in its operations in response to defenses implemented by enterprises to block it. The malware authors and ecosystem are motivated to keep making money by infecting new endpoints. The malware authors know that most endpoints and users have common vulnerabilities, so they will only need to get to the stage where the user opens an attachment from their email.
The Windows Script File (WSF) type, which Locky previously used to distribute the Nemucod malware, can be used to run JScript or VBScript. LNK files are shortcuts to executables -- Locky uses LNK files that contain PowerShell command line arguments to download the malware. Organizations that had been scanning or blocking WSF files to stop the ransomware may not be doing the same for LNK files.
Locky ransomware continues to be distributed using spam. Security teams should ensure their security controls block spam, phishing and malicious attachments, as well as that they inspect ZIP files to see if they contain LNK files, and to block them if so.
Enterprises may even want to start whitelisting the attachments that they allow, as well as ensuring that their antispam and phishing tools have the functionality to check the allowed file types for macros or other malicious code. Microsoft also recommends disabling macros completely for Office.
Learn about the growth of ransomware and other types of malware
Find out why healthcare data is at such high risk of ransomware attacks
Discover how to remove obfuscated macro malware from your systems
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and ...continue reading
A Google Docs phishing attack used OAuth tokens to affect more than a million Gmail users. Nick Lewis explains how it happened, and how to defend ...continue reading
A vulnerability in Microsoft's Windows Defender antivirus tool left users open to remote code exploitation. Expert Nick Lewis explains how it ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.