“In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017,” researchers at AppRiver said.
How the Latest Locky Ransomware Works
Millions of workers who returned to work on Monday, August 28th, received an email with subject lines “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
The latest Locky strain was reported last August 17th this year by researchers at Fortinet. The latest strain uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven, one of the Fortinet researchers who discovered the latest Locky variant, tweeted last August 17th that this variant is the second modification of Locky in over a week.
Last August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant called “Diablo6”, named after the “.diablo6” extension to its encrypted files.
“It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters,” Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails – each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.
History of Locky Ransomware
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was a victim of a malware that locked access to certain hospital computers by encrypting the files and demanding ransom payment worth 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”.
According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky’s total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina.
Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In its more than a year existence into the wild, creators of Locky ransomware periodically make changes to this malicious software. Aside from “.lukitus”, “.diablo6”, Locky’s creators also used “.locky”, “.zepto” and “.odin” as names of extension to its encrypted files.
Different variants of Locky were spread in 2 ways: 1) spam emails and 2) compromised websites.
- ATTN: Invoice J-12345678
- Invoice IN00000160V00008647772
- Your Order
- Please sign
- Scanned image from MX-2600N
An email with the subject line “Scanned image from MX-2600N” may look innocent enough. But the use of such subject line is a product of a sophisticated campaign – a plan to mislead many employees into clicking the spam email.
The term “MX-2600N” is actually the most popular model of Sharp scanner/printer that’s used by many offices. Many employees use this model to scan documents and email them to themselves or other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking that they’re opening an email that they’ve sent to themselves.
According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:
How to Prevent Locky Ransomware Attacks
1. Use Up-to-Date Browser and Software
“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.
2. Exercise Caution When Opening Emails and Attachments
Be wary about opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs.