This time, however, the Locky campaign is harnessing an infection technique associated with the Dridex botnet, in an effort to boost the chance of compromising targets.
As noted by cybersecurity researchers at PhishMe, this new form of Locky begins with a familiar tactic: a phishing email with an attached file that the message claims is a document detailing a payment or a set of scanned documents. But rather than the more common practice of attaching a compromised Office document, an infected PDF is sent instead.
It's not the first time this technique has been used; infected PDF documents are commonly used to distribute the Dridex malware. Cybersecurity researchers say Locky is leveraging PDF documents for one simple reason: more cyberattackers are exploiting Office macros to distribute malware, raising awareness of that particular threat.
Upon opening the infected document, the victim is prompted to give the PDF reader permission to open a second file.
This second file is a Word document that asks for permission to run macros, which it then uses to download the Locky ransomware. This two-step infection process is a simple evasion technique, but one that increases the chances of victims installing the ransomware.
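The carrier pattern described above leaves structural traces in the PDF itself: an embedded file specification, an attachment name ending in an Office extension, and often an action that fires when the document is opened. The following triage check is an added example written for this article, not code from PhishMe or from any vendor; the two PDF byte strings it scans are constructed skeletons, not real samples.

```python
import re

# Dictionary keys a defender looks for in a PDF that carries a second file:
# /EmbeddedFile and /Filespec mark attachments; /OpenAction, /AA, /Launch and
# /JavaScript mark actions that can fire as soon as the document is opened.
MARKERS = [b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript"]
ACTIONS = {"/OpenAction", "/AA", "/Launch", "/JavaScript"}
# Attachment names appear in the /F or /UF entries of a file specification.
NAME_RE = re.compile(rb"/U?F\s*\(([^)]*)\)")
OFFICE_EXT = re.compile(r"\.(docm?|docx|dotm|xlsm?|xlsx|pptm?|pptx)$", re.IGNORECASE)


def scan_pdf(data: bytes) -> dict:
    """Return the markers present, attachment names, and Office-looking attachments."""
    markers = [m.decode() for m in MARKERS if m in data]
    names = list(dict.fromkeys(n.decode(errors="replace") for n in NAME_RE.findall(data)))
    office = [n for n in names if OFFICE_EXT.search(n)]
    return {"markers": markers, "attachments": names, "office_attachments": office}


def is_carrier_pdf(data: bytes) -> bool:
    """Flag a PDF that embeds an Office document, or embeds any file and also
    carries an open-time action: the two-step pattern described in the article."""
    r = scan_pdf(data)
    has_embed = "/EmbeddedFile" in r["markers"] or "/Filespec" in r["markers"]
    has_action = any(m in ACTIONS for m in r["markers"])
    return bool(r["office_attachments"]) or (has_embed and has_action)


# Constructed samples (not real malware): a skeleton carrier PDF with one
# attachment named like a macro-enabled Word file and an empty open action,
# and a plain PDF with neither.
CARRIER_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> /OpenAction 6 0 R >> endobj
4 0 obj << /Names [(invoice.docm) 5 0 R] >> endobj
5 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 7 0 R >> >> endobj
6 0 obj << /S /JavaScript /JS () >> endobj
7 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
%%EOF
"""
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

if __name__ == "__main__":
    for label, pdf in (("carrier", CARRIER_PDF), ("clean", CLEAN_PDF)):
        print(label, is_carrier_pdf(pdf), scan_pdf(pdf))
```

Real-world PDFs often place these dictionaries inside compressed object streams, where a raw byte scan will not see them, so a production check should decompress and parse objects with a PDF library before applying the same rules.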
The Locky payload still operates much as it always has, seeking out and encrypting critical files on victims' machines and demanding a Bitcoin ransom in exchange for restoring the system.
One difference from previous Locky versions is that the ransomware asks victims to install the Tor browser in order to view the ransom payment site. Researchers suggest this is because Tor proxy services are frequently blocked and maintaining a dedicated Tor2Web proxy site is a burden for the operators.