August Locky Blitz Hits Healthcare Organizations

August has seen a major new wave of Locky ransomware attacks targeting healthcare organizations in the US, Japan and elsewhere, according to FireEye.

The security vendor claimed to have spotted “a few massive email campaigns” distributing the notorious ransomware this month.

Healthcare was by far the worst hit, accounting for over 75% of total detections, followed by a long tail including telecoms, transport, manufacturing and many more.

The United States was the most targeted country, followed by Japan and South Korea.

“Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August. This marks a change from the large campaigns we observed in March, where a JavaScript-based downloader was generally being used to infect systems,” explained threat researcher Ronghwa Chong, in a blog post.

“These detection spikes and change in tactics suggest that the cyber-criminals are investing more to infect systems and maximize their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”
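The shift Chong describes, from JavaScript downloaders to DOCM attachments, matters for mail-gateway defenders because a DOCM is just an Open XML zip container that declares a VBA project. The following Python snippet is an added illustration, not code from the article or from FireEye: it inspects an attachment body offline, flags OOXML files that carry a `vbaProject.bin` part or a macro-enabled content type, and routes legacy OLE2 binaries (old `.doc`) to review because they cannot be judged without an OLE parser. The two sample attachments it builds are constructed stand-ins, not real Locky lures; the content-type strings are the standard OOXML identifiers.

```python
import io
import zipfile

# Standard OOXML content types that declare a VBA project and a macro-enabled
# Word main part. Their presence in [Content_Types].xml means "this file can run macros".
VBA_PART_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_WORD_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Magic bytes of the legacy OLE2 compound file format used by .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment body without handing it to Office.

    Returns a dict with the detected container format, whether a VBA part or
    macro-enabled content type is present, and a verdict the gateway can act on.
    """
    result = {"name": name, "format": "other", "has_vba_part": False,
              "macro_enabled_type": False, "verdict": "allow"}

    if data.startswith(OLE_MAGIC):
        # Legacy binary Office: may embed VBA streams, but inspecting them needs an
        # OLE parser, so hold the message for review rather than guessing.
        result["format"] = "ole2"
        result["verdict"] = "quarantine-review"
        return result

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # not an Office Open XML container

    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A .docm/.xlsm/.pptm stores its macros in a vbaProject.bin part.
        result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
        result["macro_enabled_type"] = (VBA_PART_CONTENT_TYPE in content_types
                                        or MACRO_ENABLED_WORD_MAIN in content_types)

    # Either signal is enough: the extension on the wire is attacker-controlled,
    # so the decision is based on what the container actually declares.
    if result["has_vba_part"] or result["macro_enabled_type"]:
        result["verdict"] = "quarantine"
    return result


def build_sample(with_macro: bool) -> bytes:
    """Constructed test fixture: a minimal OOXML zip shaped like a .docm or .docx."""
    main_type = MACRO_ENABLED_WORD_MAIN if with_macro else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_PART_CONTENT_TYPE}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    f'package/2006/content-types">{overrides}</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, body in [("invoice.docm", build_sample(True)),
                        ("memo.docx", build_sample(False)),
                        ("old.doc", OLE_MAGIC + b"\x00" * 24),
                        ("note.txt", b"plain text")]:
        print(inspect_attachment(fname, body))
```

The check deliberately ignores the filename: a macro-enabled container renamed to `.docx` still carries the `vbaProject.bin` part and the macro-enabled content type, so it is quarantined on its contents alone. Pair this with a policy that blocks macro-bearing attachments from external senders, since the DOCM campaign described above relies on a recipient enabling macros.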

The stats highlight the ever-changing tools and techniques being used by cyber-criminals to make their campaigns more effective.

Worryingly, it appears the ransomware threat is as big as ever: Chong argued that it has now become more lucrative than even banking trojans.

In fact, Locky became the number one email-borne threat in the second quarter, overtaking Dridex, according to Proofpoint.

The vendor’s latest Threat Summary revealed that 69% of email attacks using malicious attachments featured the ransomware variant, versus 24% in the first quarter.

That same report claimed that CryptXXX was the major player in terms of exploit kits (EKs), although EK traffic dropped by 96% between April and mid-June.

New variants are appearing all the time. Just this week a version of Hidden Tear was found masquerading as a Pokemon Go app, designed to target Arabic speakers.
