Malware gets multiple updates as it tries to evade detection by security companies.
Researchers have catalogued the changes made to one of the most common pieces of ransomware over the course of this year, showing how sophisticated the development of such tools has become.
Ransomware has become one of the biggest menaces on the internet: one analysis puts the total cost of the file-encrypting malware at $1bn for the whole year. Cyber-criminals have found that encrypting someone’s files, usually by tricking them into clicking on a malicious attachment, and forcing them to pay a ransom to regain access can be extremely lucrative.
However, as law enforcement and security companies are increasingly targeting ransomware, the developers of the malware also have to adapt.
Researchers at security company Forcepoint have listed the changes to Locky, one of the most common pieces of crypto-ransomware.
Once hit by ransomware, users’ files are held to ransom until payment is made: Locky requires users to pay using the Bitcoin currency, which helps to hide the Locky affiliates’ identities from law enforcement. Typically the amount requested is between 0.5 to 1 Bitcoin, somewhere around $400 to $800.
Security company Check Point said Locky was the second most prevalent piece of malware worldwide in November, and there appear to be several different groups who use and distribute unique builds of Locky.
On February 15, the first samples of Locky were seen, but since then the malware has grown in functionality – for example it can now display its ransom request in 30 different languages from Finnish to Vietnamese.
By June, Locky had added anti-analysis tricks aimed at frustrating automated security tools and started using new file extensions.
In July it added support for offline encryption using embedded RSA keys, in case the malware is unable to communicate with its command and control structure. In early September, some Locky samples stopped using command and control altogether, instead relying solely on the offline encryption mode. Later in the month, one of the groups trying to spread Locky started to use a new trojan downloader, which had first been advertised on Russian underground forums at the beginning of September.
Carl Leonard, principal security analyst at Forcepoint, said Locky has been a growing menace in 2016, thanks to its constantly changing distribution techniques.
It’s unknown who is behind the malware, but researchers speculate that it could be one individual or a very small team, perhaps two or three people. Whoever is behind it, the developers update the software to evade security tools, he said.
“Locky is sophisticated in as far as the cryptography has been very well implemented. Most ransomware have flaws, however minor, in the way they implement the cryptography,” said Leonard.
“When we originally published their Domain Generation Algorithm (DGA) we saw them immediately stop distribution, modify their DGA to be more secure and less predictable, and then start up distribution again a few days later. They also frequently change their network traffic patterns, and implement anti-analysis features to evade security products,” he added.