Two new Locky ransomware spam campaigns have been detected this month, each being used to spread a new variant of the cryptoransomware. The campaigns have been launched after a relatively quiet period for ransomware attacks, although the latest campaigns show that the threat of ransomware attacks in never far away.
Previously, Locky ransomware spam campaigns have been conducted using the Necurs botnet – one of the largest botnets currently in use. One of the campaigns, spreading the Locky variant Lukitus is being conducted via Necurs. The other campaign, which is spreading the Diablo Locky variant, is being sent via a new botnet consisting of more than 11,000 infected devices. Those devices are located in 133 countries according to Comodo Threat Research Labs. The botnet appears to have been built quickly and is understood to be growing, with most infected devices in Vietnam, India, Mexico, Turkey and Indonesia.
The failure to backup files is likely to prove costly. The ransom demand issued by the attackers ranges between 0.5 and 1 Bitcoin per infected device – approximately $2,150 to $4,300 per machine. There is still no decryptor for Locky ransomware. Victims face file loss if they do not have a viable backup to restore files. Locky ransomware variants remove Shadow Volume Copies to hamper recovery without paying the ransom.
The Diablo Locky variant renames encrypted files with a unique 16-character file name and adds the diablo6 extension, while the Lukitus variant adds the .lukitus extension.
The two new Locky ransomware spam campaigns differ in their method of delivery of the ransomware, although both involve spam email. The Diablo campaign, which started on August 9, uses various attachments including pdf, doc, and docx files, although infection occurs via malicious macros.
Opening the infected documents will present the user with indecipherable data and a prompt to enable macros to view the content of the document. Enabling macro saves a binary to the device, runs it, and downloads the Locky payload.
The email subjects in this campaign are varied, although in many of the emails the attackers claim the attachment is a missed invoice or purchase order.
The Lukitus campaign was first detected on August 16 and has been mostly used in attacks in the United States, UK, and Austria, although there have also been successful attacks in Italy, Sweden, China, Russia, Botswana, Netherlands and Latvia.
This campaign uses zipped (zip and rar) attachments. The zip files contain JavaScript files, which if run, will download the Lukitus Locky variant.
As with all ransomware attacks via spam email, the best defense is an advanced spam filter to block the emails and prevent them from being delivered to end users. Employees should already have been trained on the threat from ransomware. Now would be a good time to issue a reminder via email to all employees of the current threat.
Recovery without paying the ransom depends on viable backup copies existing. Since Locky can encrypt backup files, backup devices should be disconnected after a backup has been made. Organizations should also ensure three copies of backups exist, on two different media, with one copy stored off site – the 3-2-1 approach to backing up.