Euro Security Watch with Mathew J. Schwartz

Spotted: Surprising Lull in Locky and Dridex Attacks
Cybercriminals Are Likely Vacationing, Security Experts Say
A Locky ransom note (source: F-Secure)

Where has all the Locky ransomware and Dridex malware gone?

Liverpool, England-based security researcher Kevin Beaumont has tracked a decline in Locky and Dridex attack volume in recent weeks.

"Locky is MIA still after bumper runs pre Christmas, for me at least," Beaumont noted Jan. 12 via Twitter.

Locky is designed - like so many types of crypto-locking ransomware - to encrypt many file types on a PC and then demand that victims pay a ransom in bitcoins to receive a decryption key.

Dridex, meanwhile, is a banking Trojan primarily designed to target customers of U.S. and European banks. Like Locky, the Trojan typically gets distributed via phishing attacks. Once Dridex infects a PC, it goes dormant until users navigate to an online banking page. Dridex then uses web injections and redirects to fake webpages to trick users into thinking they're logging into a legitimate site when, in reality, attackers are intercepting their credentials and often using them to drain accounts (see Dridex Banking Trojan Makes a Resurgence, Targets US).

Unless attackers are actively distributing the malware, arguably they're not making much profit from their attack tools.

But Sean Sullivan, a security adviser at Helsinki, Finland-based endpoint security vendor F-Secure, said there's a simple explanation for the pause: Attackers may still be on holiday. "Russia celebrates Christmas on January 7th," he told me last week via Twitter. "A break at this point is not surprising. Next week, let's see."

This week, however, the attacks have yet to recommence. "We continue to see no Locky, Dridex, vastly decreased spam volumes etc. Before new year we were getting 100k+/day," Beaumont said Jan. 16 via Twitter.

His assessment has been seconded by others, including the information security expert known as Misguided Security.

Some Locky Spam Continues

Päivi Tynninen, a researcher at F-Secure, also says Locky-carrying spam continued through the recent holidays, but the principal distributor of the ransomware - the Necurs exploit kit and related botnet - remains idle.

"She, like me, suspects they've been on holiday - perhaps someplace warm," F-Secure's Sullivan tells me. "We still predict it will get back into gear before long."

Necurs has also been used to distribute Dridex banking malware, so the simultaneous downturn in both it and Locky attacks isn't surprising.

On the spam front, malware uploaded Jan. 9 to the Payload Security malware-analysis service was identified as being a downloader for Locky. The file - Delivery-Receipt-00000554200.doc.wsf - is a Windows script file designed to get the ransomware onto an infected system.

A separate analysis on VirusTotal conducted Jan. 11 reached the same conclusion. One comment posted to that analysis said that the file has been distributed, at least in part, by emails that pretend to be from "FedEx Priority" and which have a subject line that references a "parcel ... delivery notification" from FedEx.
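The "document" that is really a Windows script file, paired with a parcel-delivery lure, is the pattern a mail gateway can flag. The following triage routine is an added example, not code from the article or from any of the vendors quoted; the extension lists, the lure keywords and the sample messages are constructed assumptions, with only the `Delivery-Receipt-00000554200.doc.wsf` name and the FedEx subject taken from the reporting above.

```python
import re
from pathlib import PurePosixPath

# Extensions Windows will execute as script or program files, even when a
# document-looking extension precedes them (assumed policy list, not from the article).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe", ".scr"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf"}
# Subject-line words typical of the parcel/delivery lure described above (assumed).
DELIVERY_LURE = re.compile(r"\b(parcel|delivery notification|shipment|tracking)\b", re.I)


def classify_attachment(name):
    """Return 'disguised-script', 'script', 'document', 'other' or 'unknown'."""
    sfx = [s.lower() for s in PurePosixPath(name).suffixes]
    if not sfx:
        return "unknown"
    if sfx[-1] in SCRIPT_EXTENSIONS:
        # The executable extension is what Windows acts on; a document extension
        # in front of it (report.doc.wsf) only exists to fool the reader.
        if len(sfx) > 1 and sfx[-2] in DOCUMENT_EXTENSIONS:
            return "disguised-script"
        return "script"
    return "document" if sfx[-1] in DOCUMENT_EXTENSIONS else "other"


def triage_message(sender, subject, attachments):
    """Score one message: returns (verdict, list of findings)."""
    findings = []
    for name in attachments:
        kind = classify_attachment(name)
        if kind == "disguised-script":
            findings.append(f"{name}: script file disguised as a document")
        elif kind == "script":
            findings.append(f"{name}: script file attachment")
    if findings and DELIVERY_LURE.search(subject):
        findings.append(f"delivery lure from '{sender}' combined with script attachment")
    if any("disguised" in f or "lure" in f for f in findings):
        return "quarantine", findings
    return ("review", findings) if findings else ("deliver", findings)


# Constructed sample messages (sender display name, subject, attachment names).
SAMPLES = [
    ("FedEx Priority", "FedEx parcel #00000554200 delivery notification",
     ["Delivery-Receipt-00000554200.doc.wsf"]),
    ("Accounts", "Invoice for January", ["invoice.js"]),
    ("HR", "Updated handbook", ["handbook.docx"]),
]

if __name__ == "__main__":
    for sender, subject, files in SAMPLES:
        print(triage_message(sender, subject, files))
```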

Locky Will Likely Return - Soon

Setting aside those low-level spam attacks, this isn't the first time that the Necurs botnet operators have taken a break. "The longest lull before this was a few weeks in October," Tony Anscombe, a senior security evangelist at endpoint security vendor Avast, told The Hill. "But the malware came roaring back."

Like Sullivan, Anscombe suspects there's a business rationale underlying the current cessation. "Maybe they've found that during holidays they can't make as much profit," he said.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.