Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Massive Volume of Ransomware Downloaders being Spammed

We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data.

Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps. The graph below shows hourly spam traffic for the malware category for the past 30 days - note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.

9407_588a131f-97a2-4eea-8daa-c3207b59d0d0
Figure 1: Volume of Ransomware-ridden Spam for the past month

These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).

The Destruction

The notorious payloads of ransomware have been covered many times in blogs and mainstream media. This type of malware has a very destructive payload. Here's a walkthrough on how this ransomware gets propagated and infects a system. This particular spam campaign was sending a JavaScript attachment that downloads Locky ransomware:

9809_6d4fa67f-9f50-47ab-a058-17f178f83f07
Figure 2: Recent spam typically uses Invoice-related subject lines
12230_e0e280aa-52c4-4db3-8e4d-1812f856e0f7
Figure 3: Extracted JavaScript file

Running the JavaScript downloads the ransomware executable:

9064_4891cf89-820a-48a1-9b1e-db8c3546fd6f
Figure 4: The JavaScript code showing the download URL of the payload.

A registry key may be added; in this case it adds the Registry key HKEY_CURRENT_USER\Software\Locky in the infected system.

12256_e20aecfa-5872-49b9-8e36-32b903b76993
Figure 5: Registry key added by Locky Ransomware

The malware connects to its Control servers that are hardcoded in the code. It then reports back the infected systems information:

12100_d98bb6b2-a925-4070-9fbb-7af2a34af56a
Figure 6: Malware code showing the Command and control communication routine

The Locky ransomware looks for list of file extensions in the infected system's hard drive and then encrypt those files:

10422_88517df1-162e-4d67-9bc9-31bc5e93401c
Figure 7: The code routine where Locky looks for files to encrypt
 

.3g2

 

.3gp

 

.7z

 

.ARC

 

.NEF

 

.PAQ

 

.aes

 

.asf

 

.avi

 

.bak

 

.bat

 

.bmp

 

.c

 

.cgm

 

.class

 

.cmd

 

.djv

 

.djvu

 

.fla

 

.flv

 

.gif

 

.gpg

 

.gz

 

.jar

 

.java

 

.jpeg

 

.jpg

 

.m3u

 

.mid

 

.mkv

 

.mov

 

.mp3

 

.mp4

 

.mpeg

 

.mpg

 

.png

 

.psd

 

.qcow2

 

.rar

 

.raw

 

.rb

 

.sh

 

.svg

 

.swf

 

.tar

 

.tar.bz2

 

.tbk

 

.tgz

 

.tif

 
 

.tiff

 

.vdi

 

.vmdk

 

.vmx

 

.vob

 

.wav

 

.wma

 

.wmv

 

.zip

 

Figure 8: List of file extensions that Locky ransomware encrypts

The malware renames the encrypted files to a random name and uses .locky as the file extension.

8056_15592898-f7b0-4fe3-b05b-0dc23dbb5587

Ransom notes are dropped in every encrypted file's folder and the desktop background is also replaced with a ransom note image.

BSL_10175_7cae2b00-697c-4bbe-9494-31064b865d14

A unique webpage is generated for each victim that can only be accessed through Tor anonymous browser. This page contains a bitcoin payment setup where the victim could pay for a decrypter tool.

9648_64f3a29c-b48c-451e-835d-d26cd573c262
Conclusion

Blocking these mass spam attacks at the email gateway is important. In a way, apart from the huge volumes and the ransomware payload, these malicious spam campaigns are not new. It's the same botnet, different day, and different payload. Our Trustwave Secure Email Gateway is currently proving very effective against these campaigns. All layers, including the various anti-spam and anti-malware layers, play a part.

For those wanting extra protection, also carefully consider your inbound email policy:

  • Blocking inbound .js attachments at the gateway
  • Blocking inbound Office documents with macros at the gateway.

While these steps might seem very strict, some companies have opted for them, at the same time as considering alternative ways to pass valid .js and macro documents into the organisation.

And of course your last line of defense against ransomware infection is always having an up to date and good backup process.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo