The Locky ransomware is continuing its resurgence, with a second wave of new but related attacks that build on a variant uncovered in early August.
A few weeks ago, Locky changed its encryption extension to .lukitus, which means "locked" in Finnish. That variant is still impossible to decrypt, according to Heimdal Security, and was seen to be part of a set of malicious spam waves that are hitting users one after the other.
A fresh late August campaign uses what Comodo Labs has dubbed the IKARUSdilapidated version of Locky, which still has the .lukitus extension. It spreads using a botnet of zombie computers responsible for coordinating a phishing attack.
There have so far been two waves in the attack. In the first, emails appeared to be from an organization’s scanner/printer (or other legitimate source). When successful, it encrypted the victims’ computers and demanded a bitcoin ransom.
“As many employees today scan original documents at the company scanner printer and email them to themselves and others, this malware-laden email will look very innocent,” said Comodo, in an analysis sent to Infosecurity. “The sophistication here includes even matching the scanner/printer model number to make it look more common as the Sharp MX2600N is one of the most popular models of business scanner/printers in the market.”
The second wave consisted of a French-language email purportedly from the French post office, featuring a subject including the term “FACTURE”).
“In contrast to the initial 2017 IKARUSdilapidated Locky campaign which distributed malware with the .diablo extension and a script that is a Visual Basic Script (and has a ".vbs" extension), both new attacks have interesting variations to fool users with social engineering, and to fool security administrators and their machine learning algorithms and signature-based tools,” Comodo said.
It’s clear that Locky is back, after laying low for a few months (with some exceptions). In the initial August campaign, AppRiver said that it saw more than 23 million messages sent within a 24-hour period, making it one of the largest malware campaigns seen in the latter half of 2017.
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/