Massive Volume of Ransomware Downloaders being Spammed

We are currently seeing extraordinarily huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware. Ransomware encrypts data on a hard drive, and then demands payment from the victim for the key to decrypt the data.

Our Spam Research Database saw around 4 million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps. The graph below shows hourly spam traffic for the malware category for the past 30 days - note the relatively low levels of activity to the left, and huge peaks on the right, representing the ransomware downloader campaigns. As you can see the campaigns are not continuous, but concentrated bursts, with peaks of 200K emails hitting our servers in a single hour.

SpamVolumeGraph
Figure 1: Volume of Ransomware-ridden Spam for the past month

These campaigns are coming from the same botnet responsible for previously spammed documents with malicious macros which downloaded the Dridex trojan. The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware).

The Destruction

The notorious payloads of ransomware have been covered many times in blogs and mainstream media. This type of malware has a very destructive payload. Here's a walkthrough on how this ransomware gets propagated and infects a system. This particular spam campaign was sending a JavaScript attachment that downloads Locky ransomware:

EmailSample
Figure 2: Recent spam typically uses Invoice-related subject lines
Zip
Figure 3: Extracted JavaScript file

Running the JavaScript downloads the ransomware executable:

JavascriptSrc
Figure 4: The JavaScript code showing the download URL of the payload.

A registry key may be added; in this case it adds the Registry key HKEY_CURRENT_USER\Software\Locky in the infected system.

RegistryKey
Figure 5: Registry key added by Locky Ransomware

The malware connects to its Control servers that are hardcoded in the code. It then reports back the infected systems information:

ControlServers
Figure 6: Malware code showing the Command and control communication routine

The Locky ransomware looks for list of file extensions in the infected system's hard drive and then encrypt those files:

FindandDecrypt
Figure 7: The code routine where Locky looks for files to encrypt
 

.3g2

 

.3gp

 

.7z

 

.ARC

 

.NEF

 

.PAQ

 

.aes

 

.asf

 

.avi

 

.bak

 

.bat

 

.bmp

 

.c

 

.cgm

 

.class

 

.cmd

 

.djv

 

.djvu

 

.fla

 

.flv

 

.gif

 

.gpg

 

.gz

 

.jar

 

.java

 

.jpeg

 

.jpg

 

.m3u

 

.mid

 

.mkv

 

.mov

 

.mp3

 

.mp4

 

.mpeg

 

.mpg

 

.png

 

.psd

 

.qcow2

 

.rar

 

.raw

 

.rb

 

.sh

 

.svg

 

.swf

 

.tar

 

.tar.bz2

 

.tbk

 

.tgz

 

.tif

 
 

.tiff

 

.vdi

 

.vmdk

 

.vmx

 

.vob

 

.wav

 

.wma

 

.wmv

 

.zip

 

Figure 8: List of file extensions that Locky ransomware encrypts

The malware renames the encrypted files to a random name and uses .locky as the file extension.

LockyEncryptedFile

Ransom notes are dropped in every encrypted file's folder and the desktop background is also replaced with a ransom note image.

Ransomnote

A unique webpage is generated for each victim that can only be accessed through Tor anonymous browser. This page contains a bitcoin payment setup where the victim could pay for a decrypter tool.

TorPageRansom
Conclusion

Blocking these mass spam attacks at the email gateway is important. In a way, apart from the huge volumes and the ransomware payload, these malicious spam campaigns are not new. It's the same botnet, different day, and different payload. Our Trustwave Secure Email Gateway is currently proving very effective against these campaigns. All layers, including the various anti-spam and anti-malware layers, play a part.

For those wanting extra protection, also carefully consider your inbound email policy:

  • Blocking inbound .js attachments at the gateway
  • Blocking inbound Office documents with macros at the gateway.

While these steps might seem very strict, some companies have opted for them, at the same time as considering alternative ways to pass valid .js and macro documents into the organisation.

And of course your last line of defense against ransomware infection is always having an up to date and good backup process.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.