Locky ransomware was discovered to be using a domain generation algorithm in its code, and now it has evolved yet...
again. This time, security researchers have found Locky ransomware moving away from WSF documents in phishing emails to shortcut LNK files. Microsoft says this can help phishing emails evade detection. What's the difference between the two file types, and how should security teams adjust to the changes in Locky?
Locky ransomware has made several changes in its operations in response to defenses implemented by enterprises to block it. The malware authors and ecosystem are motivated to keep making money by infecting new endpoints. The malware authors know that most endpoints and users have common vulnerabilities, so they will only need to get to the stage where the user opens an attachment from their email.
The Windows Script File (WSF) type, which Locky previously used to distribute the Nemucod malware, can be used to run JScript or VBScript. LNK files are shortcuts to executables -- Locky uses LNK files that contain PowerShell command line arguments to download the malware. Organizations that had been scanning or blocking WSF files to stop the ransomware may not be doing the same for LNK files.
Locky ransomware continues to be distributed using spam. Security teams should ensure their security controls block spam, phishing and malicious attachments, as well as that they inspect ZIP files to see if they contain LNK files, and to block them if so.
Enterprises may even want to start whitelisting the attachments that they allow, as well as ensuring that their antispam and phishing tools have the functionality to check the allowed file types for macros or other malicious code. Microsoft also recommends disabling macros completely for Office.
Learn about the growth of ransomware and other types of malware
Find out why healthcare data is at such high risk of ransomware attacks
Discover how to remove obfuscated macro malware from your systems
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
A security researcher found a security flaw dubbed CVE-2018-2636 that enables the installation of malware on Oracle Micros POS systems. Learn more ... Continue Reading
The joint DHS and NIST report on botnet security offers goals and action items to counter distributed cyberthreats. Learn the report recommendations ... Continue Reading
Android malware was discovered by Kaspersky Labs and named Skygofree. This Trojan targets smartphones and tablets using spyware and gathers user ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.