Two new Locky ransomware spam campaigns have been observed this month, each being used to distribute a new variant of the cryptoransomware. The campaigns follow a relatively quiet period for ransomware, and they show that the threat of ransomware attacks is always at hand.
Previously, Locky ransomware spam campaigns have been carried out using the Necurs botnet – one of the largest botnets presently in use. One of the new campaigns, which distributes the Locky variant Lukitus, is being conducted via Necurs. The other, which distributes the Diablo Locky variant, is being delivered via a new botnet consisting of more than 11,000 infected devices located in 133 countries, according to Comodo Threat Research Labs. The botnet appears to have been constructed quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.
Failing to back up files is likely to prove expensive. The ransom demanded by the hackers ranges between 0.5 and 1 Bitcoin per infected device – around $2,150 to $4,300 per machine. There is still no decryptor available for Locky ransomware, so victims face file loss if they do not have an adequate backup to restore from. Locky ransomware variants delete Shadow Volume Copies to hamper recovery without paying the ransom.
The Diablo Locky variant renames encrypted files with a unique 16-character file name and appends the .diablo6 extension, while the Lukitus variant appends the .lukitus extension.
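The renaming pattern above is the most visible indicator of compromise on an affected host. The following is an added example, not code from the original article or from any vendor mentioned in it, that scans a file listing for names matching that pattern. It assumes the 16-character name uses only letters and digits (the article states only the length, so the character class is an assumption) and that a handful of hits in one listing is enough to raise an alert.

```python
import re
from pathlib import PurePath

# Extensions the two Locky variants described in the article append to encrypted files.
LOCKY_EXTENSIONS = {".diablo6": "diablo6", ".lukitus": "lukitus"}

# Assumption: the unique 16-character name is alphanumeric. The article only gives
# the length, so widen or narrow this character class to match what you observe.
_STEM_RE = re.compile(r"^[0-9A-Za-z]{16}$")


def classify_path(path):
    """Return 'diablo6' or 'lukitus' if `path` looks like a Locky-encrypted file, else None."""
    p = PurePath(path)
    variant = LOCKY_EXTENSIONS.get(p.suffix.lower())
    if variant is None:
        return None
    # p.stem is the file name without its final extension.
    if not _STEM_RE.match(p.stem):
        return None
    return variant


def scan_listing(paths, threshold=5):
    """Group matching paths by variant and flag the listing if the total reaches `threshold`."""
    hits = {"diablo6": [], "lukitus": []}
    for path in paths:
        variant = classify_path(path)
        if variant:
            hits[variant].append(path)
    total = sum(len(v) for v in hits.values())
    return {"hits": hits, "total": total, "alert": total >= threshold}


# Constructed sample listing: a few normal files mixed with renamed, encrypted ones.
SAMPLE_LISTING = [
    "shares/finance/Q2-report.docx",
    "shares/finance/A1B2C3D4E5F6A7B8.diablo6",
    "shares/finance/0F1E2D3C4B5A6978.diablo6",
    "shares/hr/ZZ99YY88XX77WW66.lukitus",
    "shares/hr/readme.lukitus",  # wrong stem length: not a Locky-style name
    "shares/it/backup.tar.gz",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING, threshold=3)
    for variant, paths in result["hits"].items():
        print(f"{variant}: {len(paths)} file(s)")
    print("ALERT" if result["alert"] else "no alert")
```

In practice this check would run over a file-server audit log or a periodic directory walk; a sudden burst of such renames is also the point at which to verify that backups are intact, given the Shadow Volume Copy deletion described above.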
The two new Locky ransomware spam campaigns differ in how the ransomware is delivered, although both involve spam email. The Diablo campaign, which began on August 9, uses various attachments including pdf, doc, and docx files, although infection takes place through malicious macros.
Opening the infected documents displays indecipherable data to the user and a prompt to enable macros to view the content of the document. Enabling macros saves a binary to the device, runs it, and delivers the Locky payload.
The email subjects in this campaign vary, although in many of the emails the hackers claim the attachment is a missed invoice or purchase order.
The Lukitus campaign was first seen on August 16 and has mostly been used in attacks in the United States, UK, and Austria, although there have also been successful campaigns conducted in Italy, Sweden, China, Russia, Botswana, the Netherlands and Latvia, to name but a few countries.
This campaign uses zipped (zip and rar) files. The archives contain JavaScript files which, if run, install the Lukitus Locky variant on the device.
As with all ransomware attacks conducted using spam email, the best defense is an advanced spam filter to block the emails and stop them from reaching end users. Staff should already have been trained on the threat from ransomware; now would be an ideal time to send a reminder via email to all employees of the current danger.
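Both lures described above (zip archives carrying JavaScript, and Office documents carrying macros) can be caught at the mail gateway by inspecting the attachment container rather than trusting its extension. The following is an added example, not code from the original article or from any spam-filter product, showing that triage logic with the standard library. It assumes OOXML documents (docx/docm) store their VBA project at `word/vbaProject.bin`, which is the standard location, and it treats rar archives and legacy binary .doc files as out of scope for inline inspection, so they are quarantined for manual review.

```python
import io
import zipfile

# The Lukitus campaign delivered JavaScript inside zip archives.
SCRIPT_EXTENSIONS = (".js",)
# OOXML documents are zip containers; a VBA macro project lives at this path.
VBA_PROJECT_PATH = "word/vbaProject.bin"


def inspect_attachment(filename, data):
    """Return a list of reasons to quarantine this attachment. An empty list means it passed."""
    reasons = []
    name = filename.lower()

    if name.endswith(".rar") or name.endswith(".doc"):
        # Assumption for this example: no rar or OLE parser is available, so these
        # formats are held for manual review rather than silently allowed through.
        reasons.append(f"{filename}: format not inspected inline, hold for manual review")
        return reasons

    if name.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTENSIONS):
                        reasons.append(f"{filename}: archive contains script file {member}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: zip attachment is not a valid archive")

    elif name.endswith((".docx", ".docm")):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if VBA_PROJECT_PATH in zf.namelist():
                    reasons.append(f"{filename}: Office document contains a VBA macro project")
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: Office attachment is not a valid OOXML container")

    return reasons


def build_sample_zip(members):
    """Build an in-memory zip from {name: content} for constructed test attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample attachments mirroring the two lures.
SAMPLE_ATTACHMENTS = {
    "invoice_0421.zip": build_sample_zip({"invoice_0421.js": "// constructed placeholder"}),
    "purchase_order.docm": build_sample_zip({
        "word/document.xml": "<w:document/>",
        VBA_PROJECT_PATH: b"\x00constructed",
    }),
    "notes.zip": build_sample_zip({"readme.txt": "benign"}),
    "scan.rar": b"Rar!\x1a\x07\x00constructed",
}

if __name__ == "__main__":
    for fname, blob in SAMPLE_ATTACHMENTS.items():
        verdict = inspect_attachment(fname, blob)
        print(fname, "->", "QUARANTINE" if verdict else "pass", verdict)
```

Holding a message on these checks costs little compared with the ransom figures quoted above, and the same inspection can be reused on the endpoint for files staff download from webmail, where the gateway never sees them.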