Locky ransomware continues to evolve as it changes the type of attachment it uses to infect a victim’s system, researchers said.
Spam email remains the most effective way to spread ransomware, and Locky has been sent out using a rotating set of attachment types, said researchers at Trend Micro.
Trend Micro said that, historically, 71 percent of known ransomware families have arrived via email.
Email is a reliable delivery method for malware and works well against both enterprises and small and medium businesses (SMBs). Locky’s operators have used it from the beginning, but have switched between different types of email attachments to keep their campaigns effective.
The continuous switch between email attachments contributed to Locky’s prevalence, researchers said in a blog post.
“In the first two months of the year, we spotted a spike in the use of .DOC files in spam emails. DRIDEX, an online banking threat notable for using macros, was, at one point, reported to be distributing Locky ransomware. From March to April, we saw a spike in the use of .RAR attachments, which is also attributed to Locky,” researchers said.
Most recently, Locky has been seen using .DLL and .HTA file attachments for distribution.
“Due to the continuous changes in the use of various file attachments, we suspect that the perpetrators behind Locky will use other executable files such as .COM, .BIN, and .CPL to distribute this threat,” the researchers said.
Because many of these file types aren’t normally associated with malware delivery, filters tuned to the usual attachment types may let them through, making it easier for cybercriminals to avoid detection.
“To block spam emails with JS, VBScript, WSF and HTA attachments, companies should use email solutions with different anti-spam filters such as heuristics and fingerprint technology. In addition, solutions with a blacklisting mechanism can block known malicious sender IPs. To detect macro downloaders by Locky and Cerber, email solutions should have a macro scanning feature that can detect any malicious macro components of threats,” researchers said.
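The attachment-type blocking and macro scanning that Trend Micro recommends above can be sketched as a small mail-gateway triage step. The following is an added example, not code from the article or from Trend Micro: it walks the attachments of an inbound message, flags the script and executable extensions the article names (.JS, .VBS, .WSF, .HTA, .DLL, .COM, .BIN, .CPL, .RAR), and also inspects content so a PE file renamed to .pdf or an Office document carrying a VBA project is still caught. The block list, the sample message and the naive byte-search for a VBA project in an OLE2 file are all assumptions made for the example; a production gateway would parse the compound-file directory properly (for instance with oletools’ olevba) rather than grep the bytes.

```python
"""Attachment triage for inbound mail (added example, standard library only)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: the extensions the article names as Locky delivery vehicles,
# plus the ones Trend Micro expected to see next. Matched case-insensitively.
BLOCKED_EXTENSIONS = {".js", ".vbs", ".wsf", ".hta", ".dll", ".com", ".bin", ".cpl", ".rar"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 compound file (.doc/.xls)
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")      # directory entry name of a VBA project


def attachment_extension(filename):
    """Last extension of the name, lower-cased; 'scan.pdf.js' -> '.js'."""
    name = filename.lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def classify_attachment(filename, data):
    """Return the list of reasons this attachment should be held; empty means pass."""
    reasons = []
    ext = attachment_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext} is on the block list")
    # Content checks run regardless of the name the sender chose.
    if data[:2] == b"MZ":
        reasons.append("PE executable (MZ header), regardless of extension")
    if data.startswith(OLE_MAGIC):
        # Simplification: a byte search for the VBA project entry, not a CFB parse.
        if OLE_VBA_MARKER in data:
            reasons.append("OLE2 Office document carries a VBA project (macro)")
    elif data.startswith(b"PK\x03\x04"):
        # OOXML (.docm/.xlsm) is a zip; macros live in vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("OOXML Office document carries vbaProject.bin (macro)")
    return reasons


def triage_message(raw_bytes):
    """Map attachment filename -> reasons for every attachment that should be held."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(filename, data)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message():
    """Constructed sample: harmless stand-ins, not real malware."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "payables@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    # A fake PE (MZ header) disguised as a PDF.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    # A fake OLE2 .doc whose bytes contain a VBA project entry name.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 24 + OLE_VBA_MARKER, maintype="application",
                       subtype="msword", filename="order.doc")
    # A fake .docm: a zip containing word/vbaProject.bin.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="statement.docm")
    # A script hiding behind a double extension.
    msg.add_attachment(b"var x = 1;", maintype="application",
                       subtype="octet-stream", filename="scan.pdf.js")
    # A benign text attachment that should pass.
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```

The extension list only implements the “block by type” part of the advice; the MZ and macro checks are what make the renamed .DLL/.CPL and the DRIDEX-style macro document cases in the article detectable when the sender picks an innocuous-looking name.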