Nemucod downloader accelerates Locky ransomware distribution


Emails with zipped file attachments containing the Nemucod payload are spreading globally – this malicious downloader will install TeslaCrypt or, more likely, Locky ransomware on target machines.

Security vendor ESET is warning that it has picked up an ‘unusually high incidence’ of Nemucod infected emails across Europe, North America, Australia and Japan.

The emails themselves exploit the old social engineering chestnut of transferring trust by authority, typically claiming to be notices of court appearances or other official documents. The ‘your invoice is attached’ trick is also played by Nemucod distributors, safe in the knowledge that many recipients will open these even when (often directly because) the vendor is unknown to them.

The zipped documents actually contain a JavaScript file that downloads and installs Nemucod. This, in turn, then delivers whatever malicious downloads it has been programmed so to do. Currently, ransomware in the guise of Locky and TeslaCrypt seems to be the malware of choice.

Locky and TeslaCrypt seem to be the ransomware of choice

Following the almost inevitable discovery of coding flaws in TeslaCrypt, decryption tools have been widely developed. This might not be the good news it seems, however, as ransomware authors tend to release multiple variants to mitigate against such resources.

Locky, on the other hand, is on a big upward swing as it moves towards domination of the ransomware infection market. It has, according to Fortinet, already overtaken TeslaCrypt although has some way to go to catch up with CryptoWall. That said, Locky should not be underestimated.

Back in February, The Register warned that Locky was ‘spreading like the clap’ and, to be honest, nothing has changed much since. Apart from the delivery mechanism that is.

Locky was using Microsoft Word attachments and coaxing recipients into enabling document macros in order for the encryption payload to download. Now it has started using JavaScript-based attachments instead.

Called Locky, courtesy of the .locky file extension it uses when renaming encrypted files, the ransomware demands anything from 0.5 to 1.0 BTC (£150 to £300) for a decryption key.

Being a newer ransomware variation, victims can expect to find that Locky has removed any Volume Snapshot Service shadow copy files and encrypted files on all mounted drives, including removable drives and network shares regardless of the platform they are running on. It’s also using RSA-2048 and AES-128 ciphers, making decryption all but impossible without the purchased key. No code flaws have yet been uncovered.

As Paul Ducklin from Sophos says: “If you are logged in as a domain administrator and you get hit by ransomware, you could do very widespread damage indeed.”

Trustwave saw around 4 million malware spams in seven days

Trustwave researchers have tracked a huge increase in malware which it puts down to the ransomware downloader campaigns. “Our Spam Research Database saw around 4 million malware spams in the last seven days” it reports, “and the malware category as a whole accounted for 18% of total spam arriving at our spam traps.” That’s compared to a typical average of around 2%.

A graph plotting malware spam at Trustwave shows huge peaks, with 200,000 emails per hour hitting the servers in concentrated bursts rather than continuously. Interestingly, this research shows that the spam campaigns are actually coming from the exact same botnet that was previously responsible for the Dridex Trojan distribution. “The actors behind the campaigns have merely changed the delivery mechanism (.js attachment) and the end malware (ransomware),” Trustwave researchers explain.

Richard Beck, Head of Cyber Security at QA, warns that any business holding sensitive data is a prime target and when it comes to defending against these attacks a company’s defence strategy can’t rely on technology alone. “The human element is equally, if not more, important” Beck says. “Organisations have a duty of care to provide cyber protection through training, thereby minimising the chances of being the victim of an attack.”