How to deal with the Locky Ransomware Email Campaign
Ransomware has been the number one cyber-security threat in 2017. Outbreaks such as WannaCry have caused massive amounts of damage worldwide. If you want to detect ransomware such as WannaCry, you should watch out for an increase in file renames and deploy technologies such as an IDS to identify outbreaks on your network.
Recently there has been an increase in activity associated with the Locky variant of Ransomware. Locky was first detected in 2016 and one of its first victims was the Hollywood Presbyterian Medical Center in Los Angeles, California. The infection encrypted systems throughout the medical center, locking staff out of computers and electronic records.
The recent Locky campaign saw 23 million messages containing the ransomware sent on 28 August across the United States in what appears to be one of the largest malware campaigns this year.
5 Locky Fingerprints that you need to watch out for
If you want to detect Locky activity on your network, you need to watch out for the following activity. Some items are directly associated with Locky; others are merely suspicious and would need to be checked.
- Dodgy subject lines which are known to be associated with Locky distribution
- Clients trying to access the domain greatesthits.mygoldmusic.com
- Lukitus file extensions on network drives
- Increase in file renames
- ZIP file attachments
Further information below on each of these.
Search inbound email for specific subject lines
The email campaign associated with the latest outbreak of Locky uses this list of subject lines:
- please print
If you host your own email servers, you should monitor all SMTP servers and alert if any emails using these subject lines are detected. One way to do this is to use our own LANGuardian product to extract the email metadata from network traffic which can be sourced from a SPAN or a mirror port. The image below shows an example of what you should be watching out for.
Monitor DNS or Web Traffic for activity associated with Locky domains
This Locky outbreak uses Visual Basic Script (VBS) files embedded in ZIP email attachments. The emails do not contain the ransomware code themselves. When a user opens the attachment, the VBS script attempts to connect to the domain greatesthits.mygoldmusic.com. From there, it pulls down the Locky ransomware, which then goes about encrypting files. You can check for activity associated with this domain by monitoring web or DNS traffic. It may also be possible to do this with firewall or proxy logging, but check your device to see whether it captures domain names.
The image below shows an example of what you should be watching out for. Here, we can see that a client attempted to access a suspicious domain and would need to be taken off the network and checked.
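The DNS check described above, as an added example that is not part of the original post or of the LANGuardian product: a small Python script that scans resolver query-log lines for the Locky domain and reports which clients looked it up. The log lines and their "timestamp client query type name" layout are constructed for the example; adapt the regular expression to your own resolver's query-log format. The match normalises case and trailing dots and also catches subdomains, while a look-alike name that merely contains the indicator string is not matched.

```python
import re
from collections import defaultdict

# Domain named in the article as the Locky download location
LOCKY_DOMAINS = {"greatesthits.mygoldmusic.com"}

# Constructed sample query-log lines (the layout is an assumption, not any
# particular resolver's native format).
SAMPLE_DNS_LOG = """\
2017-08-28T09:12:01Z 10.1.5.23 query A www.example.com
2017-08-28T09:12:04Z 10.1.5.23 query A greatesthits.mygoldmusic.com
2017-08-28T09:12:09Z 10.1.7.44 query A GREATESTHITS.MYGOLDMUSIC.COM.
2017-08-28T09:12:11Z 10.1.9.2 query A cdn.greatesthits.mygoldmusic.com
2017-08-28T09:12:15Z 10.1.9.9 query A notgreatesthits.mygoldmusic.com.evil.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$"
)


def normalise(qname):
    # DNS names are case-insensitive and may carry a trailing dot.
    return qname.rstrip(".").lower()


def matches_indicator(qname, indicators=LOCKY_DOMAINS):
    """Return the matching indicator domain, or None.

    Matches the domain itself and any subdomain of it, but not a name that
    only happens to contain the indicator as a substring.
    """
    name = normalise(qname)
    for dom in indicators:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def find_locky_lookups(log_text):
    """Return {client_ip: [(timestamp, queried_name), ...]} for indicator hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        if matches_indicator(m["qname"]):
            hits[m["client"]].append((m["ts"], normalise(m["qname"])))
    return dict(hits)


if __name__ == "__main__":
    # Each client listed here should be taken off the network and checked.
    for client, lookups in sorted(find_locky_lookups(SAMPLE_DNS_LOG).items()):
        print(client, lookups)
```

The client IP is the key of the result on purpose: the action the article recommends (remove the host from the network and check it) is per client, so the alert should lead with that.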
Watch out for Lukitus file extensions
Once this variant of Locky is active on a network, it will seek out local folders and network-based file shares. Files are encrypted and a .lukitus file extension is appended to each file. Make sure you are monitoring all activity on your important network shares. One way to do this is to monitor network traffic to and from the file servers.
The image below shows an example of what you need to watch out for. The client associated with this event would need to be removed from the network and checked for Ransomware infection.
A sudden increase in file renames is a sign of Ransomware
All variants of ransomware which target end-user data share common behaviour: they take the user's data, encrypt it, and then rename it with a new file extension. In some cases, the files are encrypted under their original file names, but the rename action still occurs.
We recommend that you constantly monitor the rate of file renames on all of your network shares. A good starting point would be to alert on any instance where the number of file renames goes above 4 per second. Our lab analysis shows that this is a good indicator of mass renaming, which is typically associated with ransomware. Make sure your alerts also contain the client IP address associated with the renaming, as that client needs to be removed from the network immediately.
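The two file-share checks above (the .lukitus extension and the rename-rate threshold), as an added example that is not part of the original post or of LANGuardian: a Python sketch that runs both over a stream of file-activity events, using a per-client sliding one-second window so that the alert fires as soon as a client exceeds the article's 4-renames-per-second starting point and always carries the client IP. The events are constructed for the example, and their (timestamp, client, action, path) shape is an assumption about what your file-server or network-traffic monitor would emit.

```python
from collections import defaultdict, deque

RENAME_THRESHOLD = 4      # renames per second; the article's suggested starting point
WINDOW_SECONDS = 1.0      # width of the sliding window
LOCKY_EXTENSION = ".lukitus"

# Constructed sample events: (epoch seconds, client IP, action, UNC path).
# One client renames five files inside a second, another renames one file,
# and a third writes a file that already carries the Locky extension.
SAMPLE_EVENTS = [
    (1503910000.0, "10.1.5.23", "write",  r"\\fs01\finance\q3.xlsx"),
    (1503910001.0, "10.1.5.23", "rename", r"\\fs01\finance\q3.xlsx"),
    (1503910001.2, "10.1.5.23", "rename", r"\\fs01\finance\q2.xlsx"),
    (1503910001.4, "10.1.5.23", "rename", r"\\fs01\finance\board.docx"),
    (1503910001.6, "10.1.5.23", "rename", r"\\fs01\finance\budget.pptx"),
    (1503910001.8, "10.1.5.23", "rename", r"\\fs01\finance\notes.txt"),
    (1503910005.0, "10.1.7.44", "rename", r"\\fs01\hr\report-final.docx"),
    (1503910030.0, "10.1.9.2",  "write",  r"\\fs01\hr\payroll.xlsx.lukitus"),
]


def is_lukitus(path):
    return path.lower().endswith(LOCKY_EXTENSION)


def detect_rename_bursts(events, threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Return [(client_ip, timestamp, renames_in_window), ...].

    Keeps a deque of recent rename timestamps per client, drops entries older
    than the window, and raises one alert per client the first time the count
    in the window exceeds the threshold.
    """
    recent = defaultdict(deque)
    alerts = []
    alerted = set()
    for ts, client, action, _path in sorted(events):
        if action != "rename":
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and client not in alerted:
            alerts.append((client, ts, len(q)))
            alerted.add(client)
    return alerts


def detect_lukitus(events):
    """Return [(client_ip, path), ...] for any event touching a .lukitus file."""
    return [(client, path) for _ts, client, _action, path in events if is_lukitus(path)]


if __name__ == "__main__":
    for client, ts, count in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"rename burst: client={client} at={ts} renames_in_1s={count}")
    for client, path in detect_lukitus(SAMPLE_EVENTS):
        print(f"lukitus file: client={client} path={path}")
```

The threshold is deliberately a parameter: 4 per second is a starting point, and a backup job or a bulk document migration will exceed it, so tune it per share and expect to whitelist known batch processes rather than lower the bar.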
Get an inventory of what ZIP files are coming into your network
Compressed files (ZIP and others) are often used to deliver malware via email. Many email servers block attachments that have unusual file extensions. However, if the malware is embedded within a ZIP file, it can get through some filters. Most devices on a network are able to open ZIP files, which is why they are used.
If you host your own email servers, we recommend that you monitor all attachments that are inbound into your network. One way to do this is to monitor network traffic going to and from your email servers. A system such as our own LANGuardian can extract attachment names from this traffic and provide reports and alerts on suspicious activity.
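The subject-line check and the ZIP attachment inventory from the sections above, as an added example that is not part of the original post or of LANGuardian: a Python script that parses a raw inbound message, flags the subject line the article lists, records every ZIP attachment and lists any script files inside the archive without executing anything. The message and its attachment are constructed in the script itself; the .js and .wsf extensions are an assumption about what a defender would also want flagged, the article itself only names VBS.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject line the article associates with the Locky campaign
LOCKY_SUBJECTS = {"please print"}
# The article names VBS droppers; .js and .wsf are an added assumption.
SCRIPT_EXTENSIONS = (".vbs", ".js", ".wsf")


def build_sample_message(subject, inner_name, inner_body):
    """Construct a test email carrying one ZIP attachment.

    Constructed sample for the example only; the inner file is a harmless
    placeholder, not malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_body)
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan_0001.zip")
    return msg.as_bytes()


def inspect_message(raw):
    """Return the Locky-related indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "").strip().lower()
    result = {
        "subject_hit": subject in LOCKY_SUBJECTS,
        "zip_attachments": [],
        "scripts_in_zip": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        result["zip_attachments"].append(name)
        payload = part.get_payload(decode=True) or b""
        try:
            # Only list member names; never extract or run anything.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTENSIONS):
                        result["scripts_in_zip"].append(f"{name}:{member}")
        except zipfile.BadZipFile:
            # A .zip that does not parse is itself worth a look.
            result["scripts_in_zip"].append(f"{name}:<unreadable zip>")
    return result


if __name__ == "__main__":
    sample = build_sample_message("Please print", "invoice.vbs",
                                  "' constructed placeholder, not a real script")
    print(inspect_message(sample))
```

The same function works on messages captured from a mail spool or reconstructed from SMTP traffic; the point of listing archive members by name only is that the inventory can run on an untrusted message without ever opening the dropper.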