Locky and the fine art of namedropping

And I have just been named in the latest batch of Locky ransomware emails. Apart from the general rudeness of the message, both the choice of words and the technology used to deliver it are spot-on references to where Avira is going with our antimalware efforts.

Getting the message with Locky

The rude words are buried in the spam emails that distribute downloaders for Locky ransomware. Deep down in the tangled and obfuscated JavaScript file of the malware – which serves to download the malicious Locky files from the internet – are some childish comments about me and another internet security company.

In this case, the message medium is the critical point. Locky, as the most “successful” ransomware kid on the block, is spread indirectly. It usually arrives through spammed emails that rely on social engineering, fooling individuals who then click on the attachments. To do so, Locky misuses technologies such as Microsoft Word macros and, most recently, JavaScript.

Social engineering isn’t everything

While Locky is usually activated by a user who has been deceived by some social engineering, it is not OK to blame users as the source of all problems. The cyber-criminals behind Locky are professionals, and their technical prowess is just as important as their social engineering. For the infection to work after getting onto a PC, they have to get past the internet security product. It is important to look at Locky as a whole – a huge framework with a command and control server and an algorithm that generates random domains. All of this is designed by professional experts.

Cloud analysis and a well-hidden hand

At Avira, we are working to detect Locky (and every other kind of malware) well before you are directly faced with a social engineering temptation. We are focused on identifying suspect emails and Locky downloaders as they come into your inbox. And we want to do this whether they come wrapped up in JavaScript or Microsoft Word macros, or even in the next, currently unknown, vulnerability. To do so, we are using an array of techniques.

Most of our detections for Locky are created in the Avira Protection Cloud (APC). The two huge benefits of this technology are that we are able to keep our detections from being reverse engineered by the cyber-criminals, and that we are able to analyze their binaries in real time. This lets us know exactly what measures and changes are needed to protect our customers.

travis_sucks_big

Which brings me back to the message in the obfuscated JavaScript text.

  1. It’s a compliment. Yes, I take it as a compliment that the cyber-criminals are mentioning me in their latest JavaScript downloader package for Locky. They would not mention Avira unless we were being effective and irritating them. Yes, we get the message.
  2. It’s not personal. It’s not really even about me. This is really a huge (albeit indirect) compliment to our analysts in the Avira Virus Lab who work every day to stop the latest tricks from Locky and others on the Dark Side.
  3. It’s not over. The fight against Locky and other malware is not a one-off battle. It is a continuing war. And we at Avira are continuing to hone our analysis and strengthen our detection to keep these threats out of your devices.


Chief Executive Officer