Locky ransomware was discovered to be using a domain generation algorithm in its code, and now it has evolved yet...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
again. This time, security researchers have found Locky ransomware moving away from WSF documents in phishing emails to shortcut LNK files. Microsoft says this can help phishing emails evade detection. What's the difference between the two file types, and how should security teams adjust to the changes in Locky?
Locky ransomware has made several changes in its operations in response to defenses implemented by enterprises to block it. The malware authors and ecosystem are motivated to keep making money by infecting new endpoints. The malware authors know that most endpoints and users have common vulnerabilities, so they will only need to get to the stage where the user opens an attachment from their email.
The Windows Script File (WSF) type, which Locky previously used to distribute the Nemucod malware, can be used to run JScript or VBScript. LNK files are shortcuts to executables -- Locky uses LNK files that contain PowerShell command line arguments to download the malware. Organizations that had been scanning or blocking WSF files to stop the ransomware may not be doing the same for LNK files.
Locky ransomware continues to be distributed using spam. Security teams should ensure their security controls block spam, phishing and malicious attachments, as well as that they inspect ZIP files to see if they contain LNK files, and to block them if so.
Enterprises may even want to start whitelisting the attachments that they allow, as well as ensuring that their antispam and phishing tools have the functionality to check the allowed file types for macros or other malicious code. Microsoft also recommends disabling macros completely for Office.
Learn about the growth of ransomware and other types of malware
Find out why healthcare data is at such high risk of ransomware attacks
Discover how to remove obfuscated macro malware from your systems
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
A Gmail phishing attack brought users to fake login pages designed to look like Google's. Expert Nick Lewis explains how users can prevent similar ...continue reading
A HummingBad malware variant, HummingWhale, was discovered being spread through 20 apps on the Google Play Store. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.