Locky ransomware takes the wheel again

Locky has stepped back from running in an offline-only mode: its affiliates are transitioning back to including Command and Control (CnC) information in their configurations, and the number of affiliates working offline-only has dropped accordingly.

“Maybe it didn’t work out as well as expected for them. Or they were just too curious about the number of successful infections,” said Moritz Kroll, malware specialist in the Avira Protection Labs.

Spreading a Locky configuration that needs no CnC connection is a two-edged sword for the cybercriminals. On one hand, leaving the CnC information (and with it the server IP addresses) out of the configuration helps the Locky network stay out of sight of law enforcement and security researchers. On the other hand, it cuts off the feedback the operators can collect on the effectiveness of the individual Locky distribution campaigns run by their affiliates.

“From September 16, Affiliate 13 was the first to again contain CnC information in the configuration, while Affiliates 1 and 3 were still in offline-only mode. Then on September 19, we saw Affiliates 1 and 5 also come back with CnCs. At the present time, only Affiliates 3 and 21 seem to still be following the new autopilot paradigm,” explained Kroll.

When Locky runs on autopilot, its network communication has been disabled: the ransomware encrypts the victim's files without any instructions from its CnC servers, which also makes it harder for researchers to track.

Affiliate networks are a key driver of the growth of Ransomware as a Service (RaaS): affiliates are paid when the victims pay the demanded ransom. While networks are often tailored to a specific segment or product, the same basic principle applies: “If you provide the traffic/installs, you get money for that – whether it is ransomware, PUA, or adware,” he added. “Your affiliate ID identifies you, so they know who gets the money.”

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.