Security experts are warning that the same infrastructure used to deliver the infamous Dridex banking trojan is now behind a major new email-based ransomware campaign.
The “Locky” ransomware variant is distributed via email attachments, specifically Word documents disguised as invoices. The docs contain macros which download and install the ransomware, security firm Proofpoint explained in a blog post.
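As an added example (not Proofpoint's code or anything from the original article), a small Python triage routine for the delivery vector described above: it flags Word attachments whose OOXML container embeds a VBA project and routes legacy OLE2 .doc files to a separate OLE parser. The lure keywords and the sample attachments are constructed assumptions.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # magic bytes of a legacy binary .doc
LURE_WORDS = ("invoice", "rechnung", "facture")    # assumed invoice-themed lure keywords


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML Word file (docx/docm/dotm) embeds a VBA macro project.
    OOXML is a zip archive; macro code is stored in word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage verdict for one mail attachment:
    'block'  - OOXML Word file carrying a VBA project
    'review' - legacy OLE2 .doc; macros cannot be read by this zip check,
               so hand it to an OLE-aware parser before delivery
    'allow'  - anything else"""
    name = filename.lower()
    if data.startswith(OLE2_MAGIC):
        return "review"
    if name.endswith((".docm", ".docx", ".dotm")) and has_vba_project(data):
        return "block"
    return "allow"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML blob as sample input (not a real malicious file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro blob
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: an invoice-named .docm with an embedded VBA project.
    print(classify_attachment("invoice_12345.docm", build_ooxml(True)))  # block
```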
What particularly piqued the interest of the researchers who discovered it was the fact that the botnet behind the spam mail is the same as that which delivers the majority of emails containing the infamous Dridex trojan.
It’s apparently also responsible for some non-Dridex malware including Ursnif, Shifu and ransomware variants Nymaim and TeslaCrypt.
The firm added that, just like Dridex, the actors behind Locky are “pushing the limits” of campaign size, with spam volumes rivaling the biggest Dridex campaigns ever seen.
“Coincidentally, the same day we tracked the large spam campaign, we also spotted Locky being distributed in a Neutrino thread usually spreading Necurs,” Proofpoint continued.
“When run on the same virtual machine, the documents from both the Neutrino drop and the spam emails generate the same individual ID, point to the same Bitcoin wallet, and appear to use the same infrastructure. This can be explained either by a common actor or, more likely, by a distribution in affiliate mode.”
As for the ransomware itself, Locky is said to encrypt files based on their extension and replace the desktop background with the ransom message. Victims are told to visit one of a choice of .onion or tor2web links to buy Bitcoin, send it to a specific address, and wait for their decryptor download.
It’s not confirmed yet whether this will actually decrypt the victim’s files, however.
Interestingly, over the past few weeks, while the Dyre trojan has fallen silent, those behind Dridex have been experimenting with new attack vectors, according to security researchers.