14 DAY TRIAL // New versions of the Locky ransomware, the variants that are also known as Zepto ransomware, have changed their classic mode of operation and are now relying on more JavaScript code than ever before.
Locky is a ransomware variant that appeared at the start of the year and has constantly evolved. One of the things that have remained the same across all these months is its payload, which is a JavaScript file embedded inside a ZIP file that users receive via email.
This file usually contained something that security researchers call a downloader, a malicious component that downloaded the actual Locky ransomware binary and launched it into execution.
Locky devs are embedding the ransomware inside the JS file
According to researchers from Cyren, from July 20, a new wave of Locky infections started delivering the entire ransomware code inside the JavaScript file.
Researchers immediately noticed this change because of a jump in the ZIP file's size, which grew from a few KB to over 250 KB. Opening this JS file from the ZIP archive inside a code editor also shows a lot more code than before.
Researchers say that this code contains the actual Locky binary, which is reconstructed from the JavaScript code and saved on the user's OS when the JS file is executed.
"Embedding malware binaries in scripts has been around for years," Cyren's Maharlito Aquino points out, adding, "so it is not surprising to see Locky making use of this technique in delivering its ransomware component."
Only Locky's Zepto variant showcases this behavior
Once the Locky binary is saved in the user's Temp folder, it is also automatically launched into execution, starting the encryption process that locks the user's files.
“ Note: This doesn't mean that Locky is coded in JavaScript, the binary still being compiled from another programming language, but that instead of using a two-step infection stage, Locky is now delivered directly via the JS file. ”
As mentioned above, this particular version appends the .zepto extension at the end of all encrypted files. Some security firms have been tracking this wave of Locky ransomware under a separate name altogether, as the Zepto ransomware.At the end of June and start of July, Cisco security researchers noticed a huge spam wave (137,731 emails in four days) delivering Locky/Zepto ransomware. That particular wave still used the old ZIP-JS-downloader-Locky infection routine.
Locky also uses DOCM and WSF files as JS alternatives
Cyren has been diligently keeping a watchful eye on Locky distribution and infection methods in general.
The company has also noted other changes to Locky distribution, but not to Zepto variants. Among these is the usage of DOCM files, an alternative to DOC and DOCX, for infecting users via Word macros.
Additionally, the company has also remarked the usage of WSF files instead of JavaScript files, with WSF files being essentially another way of packaging and executing JavaScript code.
