Through our TTE research, we learned that Locky and Cerber employ a limited number of file extension and MIME combinations to deliver malware through the web or by email. (See Figure 25.)
We observed several combinations that included file content types
related to Microsoft Word (msdownload, ms-word). However, the associated
file extensions (.exe and .cgi) did not point back to a Word file. We
also identified content types that pointed to malicious .zip files.
Both Locky and Cerber also appear to use new binaries frequently as an attempt to evade file-based detection. File ages for the Locky malware family are shown in Figure 26. The top half of the chart depicts the ages of files that were observed during a specific month. The bottom portion of the chart shows monthly changes in the volume of Locky-related hashes, both new and previously observed files.
In Figure 26,
also note the decline in volume in June as well as the distribution of
file ages. The Necurs botnet, which was known to deliver Locky, was
taken down in June. This likely sidelined the malware authors’ efforts
to keep the malware fresh during that month. However, it’s clear that
they recovered quickly. By July, the malware had returned to its more
standard mix of file ages with the majority (74 percent) being less than
a day old when first detected.
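As an added example (not the report's own analysis), the two measurements described above, a content-type/extension mismatch check and the share of hashes less than a day old when flagged, run over constructed records; the field names, the MIME-to-extension table and all sample values are assumptions.

```python
"""Added example, not the report's own tooling: flag downloads whose declared
content type and extension disagree, and measure hash age at first flagging."""
from datetime import datetime

# Extensions consistent with each MIME type (an assumption for this example).
EXPECTED_EXTENSIONS = {
    "application/msword": {".doc", ".dot"},
    "application/x-msdownload": {".exe", ".dll"},
    "application/zip": {".zip"},
}

def content_type_mismatch(filename, content_type):
    """True when a known MIME type is served under an extension it should
    not carry (e.g. an ms-word content type delivering a .exe or .cgi)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_EXTENSIONS.get(content_type.split(";")[0].strip().lower())
    if expected is None:
        return False  # unknown type: nothing to compare against
    return ext not in expected

def age_hours(first_seen, flagged):
    """Hours between a hash's first appearance and the time it was flagged."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    delta = datetime.strptime(flagged, fmt) - datetime.strptime(first_seen, fmt)
    return delta.total_seconds() / 3600.0

def fresh_share(records, max_hours=24.0):
    """Fraction of distinct hashes younger than max_hours when flagged."""
    ages = {}
    for r in records:  # one age per hash; the first record for a hash wins
        ages.setdefault(r["sha256"], age_hours(r["first_seen"], r["flagged"]))
    return sum(1 for a in ages.values() if a < max_hours) / len(ages) if ages else 0.0

def mismatched_files(records):
    return [r["file"] for r in records if content_type_mismatch(r["file"], r["content_type"])]

# Constructed sample records, not real telemetry.
RECORDS = [
    {"sha256": "CONSTRUCTED-1", "file": "invoice.exe", "content_type": "application/msword",
     "first_seen": "2016-10-01T08:00:00", "flagged": "2016-10-01T11:30:00"},
    {"sha256": "CONSTRUCTED-2", "file": "form.cgi", "content_type": "application/msword",
     "first_seen": "2016-10-02T00:00:00", "flagged": "2016-10-02T04:00:00"},
    {"sha256": "CONSTRUCTED-3", "file": "archive.zip", "content_type": "application/zip",
     "first_seen": "2016-09-28T00:00:00", "flagged": "2016-10-01T00:00:00"},
    {"sha256": "CONSTRUCTED-4", "file": "setup.exe", "content_type": "application/x-msdownload",
     "first_seen": "2016-10-03T00:00:00", "flagged": "2016-10-03T05:00:00"},
]
```

Running `mismatched_files(RECORDS)` and `fresh_share(RECORDS)` on the constructed records flags the two Word-typed downloads and reports that three of the four hashes were under a day old when flagged.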
The rapid cycling of binaries for this ransomware is not surprising. Instances of Locky and Cerber are often detected either on the same day they are introduced or within 1 to 2 days after, making it imperative for adversaries to evolve these threats continually if they want them to remain active and effective. (Figure 24, discussed earlier, shows that Cisco products detected both Locky and Cerber ransomware within the median TTD in 2016.)
Figure 27 shows the median TTD for Locky ransomware, which declined dramatically from about 116 hours in November 2015 to just under 5 hours in October 2016.