Locky ransomware continues to bypass security
Hackers looking to plant Locky ransomware on victim's systems are using XOR obfuscation and reversing the bytes on the payloads to evade detection by network security tools.
Researchers at the firm recently observed a Locky distributor embarking on further efforts to make their ransomware more elusive and effective.
"These campaigns continue to demonstrate the trend of threat actors shifting delivery mechanisms and adding new layers of obfuscation and evasion to bypass security defences. In the example above, the initial payload was actually the RockLoader malware loader which then attempted to install Locky from a sophisticated command and control (C&C) architecture," researchers at Proofpoint said in a blog post.
XOR obfuscation disguises the code of the malicious ransomware as something that makes looks like it was part of the original binary code.
"Last week, though, we observed one Locky actor (affiliate ID 1) begin using XOR obfuscation and reversing the bytes on the payloads to evade detection by network security tools," said the researchers.
This technique has been proven to be fast and effective, which has made it a popular choice among threat actors.
"While this type of obfuscation can be particularly effective against network security products that primarily scan executables entering the network, they can also be used for sandbox evasion," they said.
The researchers recommended that users have layered forms of security to counteract the techniques of Locky, especially since it is harder than ever to be detected.
Digital document processes in 2020: A spotlight on Western Europe
The shift from best practice to business necessityDownload now
Four security considerations for cloud migration
The good, the bad, and the ugly of cloud computingDownload now
VR leads the way in manufacturing
How VR is digitally transforming our worldDownload now
Deeper than digital
Top-performing modern enterprises show why more perfect software is fundamental to successDownload now