Locky Ransomware Resurgence

On Tuesday June 21, Cloudmark observed the resurgence of the notorious Locky Ransomware. The criminals behind the aggressive Ransomware spam campaigns had previously taken a hiatus which appeared to coincide with the arrest of 50 hackers in Russia announced on May 27, 2016 related to fraud perpetrated using the Lurk botnet. Around the time of the Russian arrests, global malware spam (malspam) volumes plummeted. In particular, it was widely observed amongst researchers that Locky and Dridex-style spam campaigns had almost dried up completely. Note that the disruption only appeared to affect distribution of the malware - the back-end Command & Control infrastructure appeared to remain operational. The highly successful Locky spam campaigns typically use an obfuscated .js (JavaScript/JScript) file inside an zip archive which is then attached to a spam message. The body and subject of the message will contain social engineering lures to encourage the victim to open the attachment. Here is an example of a recent malspam message with a zip attachment containing malicious JScript:

On June 21, the criminals resumed their distribution operations using the same methods used previously before the period of inactivity. This was expected – short of a full technical takedown combined with law enforcement action against the criminals operating the infrastructure and those distributing the malware, it is very difficult to take out a malware distribution network of this size. The following graph illustrates the drop, period of inactivity, and subsequent spike in all virulent mail traffic observed by Cloudmark during the Locky distribution outage. Note that upon resurgence the total volume spiked higher than previously observed before the drop in traffic.