lolloj - Fotolia
Locky ransomware was discovered to be using a domain generation algorithm in its code, and now it has evolved yet again. This time, security researchers have found Locky ransomware moving away from WSF documents in phishing emails to shortcut LNK files. Microsoft says this can help phishing emails evade detection. What's the difference between the two file types, and how should security teams adjust to the changes in Locky?
Locky ransomware has made several changes in its operations in response to defenses implemented by enterprises to block it. The malware authors and ecosystem are motivated to keep making money by infecting new endpoints. The malware authors know that most endpoints and users have common vulnerabilities, so they will only need to get to the stage where the user opens an attachment from their email.
The Windows Script File (WSF) type, which Locky previously used to distribute the Nemucod malware, can be used to run JScript or VBScript. LNK files are shortcuts to executables -- Locky uses LNK files that contain PowerShell command line arguments to download the malware. Organizations that had been scanning or blocking WSF files to stop the ransomware may not be doing the same for LNK files.
Locky ransomware continues to be distributed using spam. Security teams should ensure their security controls block spam, phishing and malicious attachments, as well as that they inspect ZIP files to see if they contain LNK files, and to block them if so.
Enterprises may even want to start whitelisting the attachments that they allow, as well as ensuring that their antispam and phishing tools have the functionality to check the allowed file types for macros or other malicious code. Microsoft also recommends disabling macros completely for Office.
Learn about the growth of ransomware and other types of malware
Find out why healthcare data is at such high risk of ransomware attacks
Discover how to remove obfuscated macro malware from your systems
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.