Locky in the Cloud with Ransomware

A new ransomware called Locky is making the rounds, encrypting its victims’ files and demanding several hundred Euros to unscramble them.

The German Heise publication reported yesterday that only three out of 54 antivirus solutions were able to detect it – and Avira was not one of them. We’d like to make it clear: Avira Antivirus has no detection problems with Locky. In addition to the generic detection dating back to late 2015, the downloaded Locky binaries are also flagged by the NightVision and AutoDump detection features in the Avira Protection Cloud (APC), even if they get past our Javascript or Office document downloader detections.

“Locky has failed to break our cloud detection – we’ve picked it up multiple times in the APC,” points out Stefan Kurtzhals of the Avira Protection Lab. “It is a good example of how well backend-only detection methods – where we analyze and detect malware in our Avira cloud instead of doing this directly on the users’ computers – work in comparison to the signature-type detections listed in VirusTotal.”

Kurtzhals is referring to the Avira Protection Cloud (APC), our in-cloud technology for threat analysis and detection and an integral part of our Antivirus solutions. With APC, Avira sends potentially dangerous binaries to our cloud for analysis. Because detection takes place in the cloud backend, cybercriminals like the authors of Locky can’t directly see how we are doing this – or successfully use their battery of obfuscation tricks to circumvent detection.

Locky is striking over a geographically diverse area. From just one Locky sample, Avira has identified targeted computers in Germany, England/United States, Spain, Italy, and the Netherlands.

Locky is usually spread by emails with an attached Microsoft Word document. If Office macros are turned on, the malware installation starts once the document is opened. If the macros have been disabled, the malware gives the recipients a reminder that they really should enable them – and then goes to work.

After Locky recently started to spread by Javascript emails, the analysis of the script showed that both Locky and Dridex are using the same Javascript obfuscator. This would indicate that they are likely using the same FUD (fully-undetected) service for sending out the spam email.
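The two delivery vectors described above, Word documents carrying macros and JavaScript attachments, can be triaged at the mail gateway before a user ever sees the "please enable macros" prompt. The script below is an added example for this post, not Avira's code: it flags script attachments by extension and inspects zip-based Office files for a VBA project container; the extension lists and the constructed sample archives are assumptions made for the demo.

```python
import io
import zipfile

# Assumed extension lists for the two vectors the post describes.
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx")
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf")  # .jse/.wsf go beyond the post's ".js"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # signature of legacy binary .doc/.xls files

def has_vba_project(data: bytes) -> bool:
    """True if a zip-based (OOXML) Office file contains a VBA macro container.
    Word stores macros in word/vbaProject.bin, Excel in xl/vbaProject.bin."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string for one attachment (name plus raw bytes)."""
    name = filename.lower()
    if name.endswith(SCRIPT_EXTENSIONS):
        return "block: script attachment"
    if name.endswith(OFFICE_EXTENSIONS):
        if data.startswith(OLE2_MAGIC):
            # Legacy OLE2 files need an OLE parser; do not pass them as clean.
            return "review: legacy binary Office file, macros not ruled out"
        if has_vba_project(data):
            return "block: Office document with VBA macros"
        return "allow: Office document without macros"
    return "allow"

def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML archive for the demo, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("invoice.docm", build_docx(True)), ("report.docx", build_docx(False)),
               ("invoice.js", b"var x;"), ("old.doc", OLE2_MAGIC + b"...")]
    for fname, blob in samples:
        print(f"{fname}: {triage_attachment(fname, blob)}")
```

The content check matters more than the extension: a macro container inside a file named `.docx` is still reported.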

“Even though Avira is detecting this, it is really important for users to use common sense and not click on suspicious attachments,” points out Kurtzhals. “Whether the specific malware is Locky or Dridex, this is a very common way to spread bad stuff around – think before you click.”


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.