lolloj - Fotolia

How does the Locky ransomware file type affect enterprise protection?

Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust protections for this shift.

Locky ransomware was discovered to be using a domain generation algorithm in its code, and now it has evolved yet again. This time, security researchers have found Locky ransomware moving away from WSF documents in phishing emails to shortcut LNK files. Microsoft says this can help phishing emails evade detection. What's the difference between the two file types, and how should security teams adjust to the changes in Locky?

Locky ransomware has made several changes in its operations in response to defenses implemented by enterprises to block it. The malware authors and ecosystem are motivated to keep making money by infecting new endpoints. The malware authors know that most endpoints and users have common vulnerabilities, so they will only need to get to the stage where the user opens an attachment from their email.

The Windows Script File (WSF) type, which Locky previously used to distribute the Nemucod malware, can be used to run JScript or VBScript. LNK files are shortcuts to executables -- Locky uses LNK files that contain PowerShell command line arguments to download the malware. Organizations that had been scanning or blocking WSF files to stop the ransomware may not be doing the same for LNK files.

Locky ransomware continues to be distributed using spam. Security teams should ensure their security controls block spam, phishing and malicious attachments, as well as that they inspect ZIP files to see if they contain LNK files, and to block them if so.

Enterprises may even want to start whitelisting the attachments that they allow, as well as ensuring that their antispam and phishing tools have the functionality to check the allowed file types for macros or other malicious code. Microsoft also recommends disabling macros completely for Office. 

Next Steps

Learn about the growth of ransomware and other types of malware

Find out why healthcare data is at such high risk of ransomware attacks

Discover how to remove obfuscated macro malware from your systems

This was last published in March 2017

Dig Deeper on Threats and vulnerabilities