Malware analysts at Avira believe the botnet distributing Locky ransomware may take an Easter break and not deliver phishing emails in Europe for the Monday, March 28 holiday.
If this takes place, the extent of the slowdown will demonstrate the botnet operator’s ability to fine-tune their outreach for regional holidays. March 28 is a holiday throughout most of Europe with nearly all businesses and government offices closed. However, it is not a holiday in the United States.
The Locky ransomware operational strategy has been to roll outnew attack vectors and payload variants early in the week. This strategy hits companies with new phishing emails just after theweekend when employees are trying to go through emails quickly and before information about new payloads had been spread through the media. The illustration of intercepted phishing attempts for the week of March 6, shows how a wave of Locky distribution began precisely on Monday, March 7.
“We expect a very low level of outgoing Locky phishing attempts on Monday, with a substantial increase the next day on Tuesday, March 29. The bigger the difference, the more clear signal we will have about the botnet’s ability to customize a delivery strategy,” said Oscar Anduiza, malware analyst at Avira. “And while delivery may slow down, we also believe malware innovators won’t have the weekend off – we will just see their new tricks 24 hours later on Tuesday. Either way, we are ready at Avira all the time. And, consumers should certainly not be clicking on strange emails just because it’s the weekend.”
Locky ransomware burst on the scene earlier this year. The ransomware has generally targeted companies and organizations, with emails designed to look like invoices from legitimate companies – often with accurate data. Once opened, personal files on end computer will be encrypted and file extensions changed to “locky.” The demanded ransom payment for unencrypting these files starts at 0.5 Bitcoins (175 Euro) and has gone up to 15,000 Euro for a hospital in the US.
Locky is distributed by the Dridex botnet. While Dridex has had a history of distributing banking Trojans, it now seems to have shifted its focus to the more lucrative ransomware business.