Monday, February 17, 2025
HomeRansomwareBeware!! Dangerous Locky Ransomware Now Spreading through Microsoft Office Word Documents

Beware!! Dangerous Locky Ransomware Now Spreading through Microsoft Office Word Documents

Published on

SIEM as a Service

Follow Us on Google News

Locky Ransomware has a piece of a history of going silent and growing back all of a sudden.It is evolving again and spreading via Microsoft Office Word documents.

Locky Ransomware

A new wave of locky spreading through Office word documents and well as Libra office documents and the attachment looks like below.

Security researchers from Avira detected this new variant, which tricks the user into clicking the malicious file which and thereby locky will execute and your files will be encrypted and it changes to extension .asasin.

Files are being encrypted using RSA-2048 and AES-128 ciphers, and the private key available only with their servers and they are providing a .onion website which is opened in TOR for further communications. according to the following image.

Locky Ransomware

Also Read: Important Security practices for users to Open Microsoft Office Documents Securely

How Locky Executes

The image in the document linked to run a PowerShell script, which tends to download another script from using Invoke-Expression which runs specific string as a command and return backs the expression.

Then the second script executes and downloads the executable dropper into %temp% folder compiled with Microsoft VC 2013 and multiple layers obfuscation to trick the victims and from security to make the reversing process tedious.

Also Read: Everything you Need to Know About The Evolution of LockyRansomware.

Avira researchers found multiple unwanted strings including the one for system32\calc.exe, by including multiple strings attacker tries to mislead the victims and make them think as the legitimate file.

Once it’s made a new process it copies to “svchost.exe” and delete the first executable by creating a new process and then it will gather information about operating systems.

Then later it passes information encrypted to the C&C servers along with the extent to retrieve the private key.

Prevention Tips for Locky Ransomware 

  • Most of the trusted antimalware solutions have found quipped with signatures to detect and stop the execution of Locky ransomware.
  • As maldoc is found to be the source of some of the Locky infection, it is advisable to disable the usage of macros in Microsoft Office applications (MS-Word).
  • A rule can be created for email gateway devices which can generate alerts upon receipt of attachment with MS-Office extensions (xls|xlsx, doc|docx, ppt|pps etc.) from unknown sources and/or found with binary contents.
  • Block the IP, URLs, file hashes that have identified in connection with the campaigns and spreading malware. Please refer the attachment IOCs – Locky Ransomware.xlsx for details.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
  • Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Android’s New Security Feature Prevents Sensitive Setting Changes During Calls

Phone scams are becoming more sophisticated with advancements in AI-driven speech tools, making it...

Hackers Exploit Microsoft Teams Invites to Gain Unauthorized Access

The Microsoft Threat Intelligence Center (MSTIC) has uncovered an ongoing and sophisticated phishing campaign...

Meta’s Bug Bounty Initiative Pays $2.3 Million to Security Researchers in 2024

Meta's commitment to cybersecurity took center stage in 2024 as the tech giant awarded...

Google Chrome Introduces AI to Block Malicious Websites and Downloads

Google has taken a significant step in enhancing internet safety by integrating artificial intelligence...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Palo Alto Firewall Flaw Exploited in RA World Ransomware Attacks

A recent ransomware attack leveraging a vulnerability in Palo Alto Networks' PAN-OS firewall software...

ZeroLogon Ransomware Exploits Windows AD to Hijack Domain Controller Access

A newly intensified wave of ransomware attacks has surfaced, leveraging the infamous ZeroLogon vulnerability...

Cl0p Ransomware Hide Itself on Compromised Networks After Exfiltrate the Data

The Cl0p ransomware group, a prominent player in the cybercrime landscape since 2019, has...