Locky has stepped back from running in an offline-only mode. Locky affiliates are transitioning back to including Command and Control (CnC) information in their configurations, and the number of affiliates operating offline-only has dropped accordingly.
“Maybe it didn’t work out as well as expected for them. Or they were just too curious about the number of successful infections,” said Moritz Kroll, malware specialist in the Avira Protection Labs.
Spreading a Locky configuration that does not require a CnC connection is a double-edged sword for cybercriminals. On one hand, by not including CnC information – and therefore no IP address – in the configuration, the Locky network stays out of sight of law enforcement and security researchers. On the other hand, it reduces the feedback the cybercriminals can collect on the effectiveness of the individual Locky distribution campaigns run by their affiliates, since infected machines never report back.
“From September 16, Affiliate 13 was the first to again contain CnC information in the configuration, while Affiliates 1 and 3 were still in offline-only mode. Then on September 19, we saw Affiliates 1 and 5 also come back with CnCs. At the present time, only Affiliates 3 and 21 seem to still be following the new autopilot paradigm,” explained Kroll.
When Locky is on autopilot, its network communication components are disabled, so the ransomware encrypts victim files without any direction from its CnC servers. With no callback traffic to observe, it is also harder for researchers to spot and track.
Affiliate networks are a key driver of the growth of Ransomware as a Service (RaaS): affiliates are paid when victims pay the ransom demanded. While networks are often customized to a specific segment or product, the same basic principle applies: “If you provide the traffic/installs, you get money for that – whether it is ransomware, PUA, or adware,” he added. “Your affiliate ID identifies you, so they know who gets the money.”