{"id":7414,"date":"2017-04-21T16:10:26","date_gmt":"2017-04-22T00:10:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/04\/21\/news-1205\/"},"modified":"2017-04-21T16:10:26","modified_gmt":"2017-04-22T00:10:26","slug":"news-1205","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/04\/21\/news-1205\/","title":{"rendered":"Locky ransomware is back, but we already protect against it"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Fri, 21 Apr 2017 23:38:53 +0000<\/strong><\/p>\n

In our Q1 2017 Tactics and Techniques report<\/a>, we mentioned\u00a0that the Locky ransomware had mysteriously\u00a0vanished. Indeed, for a while, it completely disappeared and allowed for\u00a0Cerber to take the number one spot as the most distributed piece of ransomware (and malware for that matter).<\/p>\n

However, the group controlling the Necurs botnet\u00a0has just opened the spam floodgates again and is pumping out fake documents that deliver the nasty Locky ransomware right before going into the weekend.<\/p>\n

\"\"<\/a><\/p>\n

PDF to Word Macro<\/h3>\n

The ransomware is dropped following a distribution method we have been seeing more of recently with Dridex which involves embedding a Word document within a PDF file.<\/p>\n

\"\"<\/a><\/p>\n

While this may seem like an unnecessary extra step, it actually allows to bypass sandboxes.\u00a0Once the user clicks the OK button, the rogue Word document is displayed:<\/p>\n

\"\"<\/a><\/p>\n

This last step requires a bit of social engineering to execute a malicious macro that will download the actual Locky ransomware.<\/p>\n

\"\"<\/a><\/p>\n

Personal files are encrypted with the .osiris<\/em> extension and the crooks are asking 0.5 Bitcoin ($623 at the time of writing) to recover them.<\/p>\n

Protection<\/h3>\n

The attack relies on users opening up malicious attachments that will appear legitimate. Many studies have shown that users are often the weakest link in an attack chain and criminals know that too well.<\/p>\n

Malwarebytes<\/a> protects against this attack at various layers including macro and\u00a0ransomware mitigation, and neither of those required any signature update.<\/p>\n

\"\"<\/a><\/p>\n

The post Locky ransomware is back, but we already protect against it<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Fri, 21 Apr 2017 23:38:53 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
For a while, it appeared that Locky ransomware had completely disappeared and allowed for Cerber to take the number one spot as the most distributed piece of ransomware. But after a long absence, Locky returns in full swing.<\/p>\n

Categories: <\/p>\n