Spotted: Surprising Lull in Locky and Dridex AttacksCybercriminals Are Likely Vacationing, Security Experts Say
See Also: You've Got BEC!
Liverpool, England-based security researcher Kevin Beaumont has tracked a decline in Locky and Dridex attack volume in recent weeks.
"We still predict it will get back into gear before long."
"Locky is MIA still after bumper runs pre Christmas, for me at least," Beaumont noted Jan. 12 via Twitter.
Locky is designed - like so many types of crypto-locking ransomware - to encrypt many file types on a PC and then demand that victims pay a ransom in bitcoins to receive a decryption key.
Dridex, meanwhile, is a banking Trojan primarily designed to target customers of U.S. and European banks. Like Locky, the Trojan typically gets distributed via phishing attacks. Once Dridex infects a PC, it goes dormant until users navigate to an online banking page. Dridex then uses web injections and redirects to fake webpages to trick users into thinking they're logging into a legitimate site when, in reality, attackers are intercepting their credentials and often using them to drain accounts (see Dridex Banking Trojan Makes a Resurgence, Targets US).
Unless attackers are actively distributing the malware, arguably they're not making much profit from their attack tools.
But Sean Sullivan, a security adviser at Helsinki, Finland-based endpoint security vendor F-Secure, said there's a simple explanation for the pause: Attackers may still be on holiday. "Russia celebrates Christmas on January 7th," he told me last week via Twitter. "A break at this point is not surprising. Next week, let's see."
This week, however, the attacks have yet to recommence. "We continue to see no Locky, Dridex, vastly decreased spam volumes etc. Before new year we were getting 100k+/day," Beaumont said Jan. 16 via Twitter.
His assessment has been seconded by others, including the information security expert known as Misguided Security.
@GossiTheDog Can confirm the same thing at my org. No Locky and dramatic decreases in Dridex and other spam.— Misguided Security (@k1LL_sw17ch) January 16, 2017
Some Locky Spam Continues
Päivi Tynninen, a researcher at F-Secure, also says Locky-carrying spam continued through the recent holidays, but the principle distributor of the ransomware - the Necurs exploit kit and related botnet - remains idle.
"She, like me, suspects they've been on holiday - perhaps someplace warm," F-Secure's Sullivan tells me. "We still predict it will get back into gear before long."
Necurs has also been used to distribute Dridex banking malware, so the simultaneous downturn in both it and Locky attacks isn't surprising.
On the spam front, malware uploaded Jan. 9 to the Payload Security malware-analysis service was identified as being a downloader for Locky. The file - Delivery-Receipt-00000554200.doc.wsf - is a Windows script file designed to get the ransomware onto an infected system.
A separate analysis on VirusTotal conducted Jan. 11 reached the same conclusion. One comment posted to that analysis said that the file has been distributed, at least in part, by emails that pretend to be from "FedEx Priority" and which have a subject line that references a "parcel ... delivery notification" from FedEx.
Locky Will Likely Return - Soon
Setting aside those low-level spam attacks, this isn't the first time that the Necurs botnet operators have taken a break. "The longest lull before this was a few weeks in October," Tony Anscombe, a senior security evangelist at endpoint security vendor Avast, told The Hill. "But the malware came roaring back."
Like Sullivan, Anscombe suspects there's a business rationale underlying the current cessation. "Maybe they've found that during holidays they can't make as much profit," he said.