New Locky Ransomware Tactic Could Fool Sandboxes

The Locky ransomware scourge continues with the news that it has developed a new technique to evade detection.

It now relies on a simple, yet effective user interaction, as the malicious Word document that carries instructions to download and run Locky only triggers when the user closes the document (not only by enabling macros).

It comes after Locky ransomware was discovered in April hiding inside Word documents, which in turn were embedded in PDF email attachments in another effort to avoid detection.

Sandbox Evasion

The discovery of this new devious evasion technique was made by Malwarebytes researchers Marcelo Rivero and Jérôme Segura, who describe the new tactic as an ‘anti sandbox feature’ in a blog post.

Locky ransomware is traditionally spread by spam emails. It is usually triggered when the user downloads an infected Word or Excel file and is socially engineered into enabling macros.

But now the malicious Word document that carries instructions to download and run Locky only triggers when the user closes it – a natural user reaction.

This means that sandboxes that automatically analyse malicious samples are likely to miss it completely, because they would not ‘think’ of closing the document.

“Malware authors have used booby-trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ‘Enable Content’ button,” the researchers warned. “For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.”

“However, this particular Locky campaign no longer simply triggers by running the macro itself but waits until the fake Word document is closed by the user before it starts to invoke a set of commands.”

Once this is done, the payload is downloaded and launched.

“While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders,” said the researchers. “We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behaviour in many sandboxes while still infecting end users that would logically close the file when they realise there is nothing to be seen.”
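The practical lesson for analysts is that a macro's auto-execution hook decides which sandbox action exposes the payload. The triage script below is an added example, not code from the article or from Malwarebytes: it takes VBA source already extracted with a tool such as olevba, notes whether the module hooks open-time or close-time events, and pairs that with common download/launch indicators so the analyst knows the document must be closed, not just opened, to observe it. The trigger lists, indicator keywords and the sample module are assumptions constructed for this illustration.

```python
import re

# Word auto-execution entry points (VBA names are case-insensitive). Most
# sandboxes that auto-enable macros exercise only the open-time ones; the
# Locky campaign described above moved its logic to the close-time ones.
OPEN_TRIGGERS = {"autoopen", "document_open", "autoexec", "autonew", "document_new"}
CLOSE_TRIGGERS = {"autoclose", "document_close", "autoexit"}

# Keywords that commonly accompany a payload download or process launch.
INDICATORS = ["Shell", "WScript.Shell", "URLDownloadToFile", "XMLHTTP",
              "ADODB.Stream", "powershell", "Environ("]

SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                    re.IGNORECASE | re.MULTILINE)

def analyse_vba(source: str) -> dict:
    """Classify which auto-exec events a macro module hooks and what it calls."""
    procs = {name.lower() for name in SUB_RE.findall(source)}
    low = source.lower()
    found = {
        "open_triggers": sorted(procs & OPEN_TRIGGERS),
        "close_triggers": sorted(procs & CLOSE_TRIGGERS),
        "indicators": [k for k in INDICATORS if k.lower() in low],
    }
    if found["close_triggers"] and found["indicators"]:
        found["verdict"] = "close-triggered: sandbox must close the document to observe payload"
    elif found["open_triggers"] and found["indicators"]:
        found["verdict"] = "open-triggered: fires on Enable Content"
    elif found["indicators"]:
        found["verdict"] = "indicators present without auto-exec hook"
    else:
        found["verdict"] = "no auto-exec indicators"
    return found

# Constructed sample module mirroring the behaviour the article describes;
# the command string is a placeholder, not anything from the real campaign.
SAMPLE_VBA = """
Sub AutoClose()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "PLACEHOLDER_COMMAND", 0
End Sub
"""

if __name__ == "__main__":
    for key, value in analyse_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```

A close-triggered verdict is the cue to add a document-close step to the sandbox run rather than trusting a clean report from an open-only detonation.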

Ransomware Threats

Google in July warned that the scourge of ransomware is here to stay, after a new report found that ransomware had become a profitable venture for criminal gangs in the past year and a half.

According to the Google research, ransomware now regularly makes more than $1m (£761,500) a month for its creators. And in the past two years, criminal gangs have made at least $25m (£19m) in total from ransomware. It said that since 2016, ransomware search queries had risen by 877 percent.

Ransom payments (typically in bitcoins) are often moved across multiple wallets by criminals, who then sell the bitcoins for cold hard cash at an exchange.

Indeed, more than 95 percent of bitcoin payments for ransomware were cashed out at Russia’s BTC-e exchange.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
