New Email Campaign Sends Locky Ransomware to Millions of Users

Researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the Locky ransomware.

Lukitus Campaign: Sends 23 Million Emails in 24 Hours
The campaign found by researchers at AppRiver sent out more than 23 million messages containing the Locky ransomware, in just 24 hours on 28 August across the United States, in what appears to be one of the largest malware campaigns in the second half of this year.

According to the researchers, the emails sent out in the attack were “extremely vague,” with subjects lines such as “please print,” “documents,” “images,” “photos,” “pictures,” and “scans” in an attempt to convince victims into infecting themselves with Locky ransomware.
The email comes with a ZIP attachment that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.

Once a victim is tricked into clicking it, the VBS file starts a downloader that downloads the latest version of the Locky ransomware, called Lukitus (which means “locked” in Finnish), and encrypts all the files on the target computer, and appends [.]lukitus to the encrypted data.

After encryption process ends, the malware displays a ransomware message on the victim’s desktop that instructs the victim to download and install the Tor browser and visit the attacker’s site for further instructions and payments.

This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a “Locky decryptor” in order to get their files back.

The Lukitus attack campaign is still ongoing, and AppRiver researchers had “quarantined more than 5.6 million” messages in the campaign on Monday morning alone.
This variant is impossible to decrypt as of now.

The 2nd Locky Campaign Sends over 62,000 Emails

In a separate research, the security firm Comodo Labs discovered another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.

Dubbed IKARUSdilapidated, the second variant of Locky ransomware has been distributed using 11,625 different IP addresses in 133 different countries—likely made of a botnet of “zombie computers” to conduct coordinated phishing attacks.

According to researchers at Comodo, “this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations’ infrastructures.”The original attack that was first identified on August 9 and lasted three days utilized spam email messages that also contained a malicious Visual Basic Script (VBS) attachment, which if clicked, follows the same functioning as mentioned in the first case.

The cyber criminals operating Locky’s IKARUSdilapidated variant demands ransom between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to get their encrypted files back.

This massive Locky ransomware campaign targets “tens of thousands” of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Ransomware has become one of the biggest threats to both individuals and enterprises with the last few months happening several widespread ransomware outbreaks, including WannaCry, NotPetya, and LeakerLocker.

As of right now, there is no decryptor available to decrypt data locked by above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.

Beware of Phishing emails: Always be suspicious of uninvited documents sent via an email and never click on links inside those documents unless you verified the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system Up-to-date: Always keep your antivirus software and systems updated to protect against latest threats.