Locky ransomware

Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours

Locky is the first ransomware to make $1 million per month based on a Google-led study (PDF). After lying low in the first half of 2017, this notable ransomware made a massive comeback last August 28th, unleashing 23 million malicious emails in just 24 hours.
“In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017,” researchers at AppRiver said.
How the Latest Locky Ransomware Works
Millions of workers who returned to work on Monday, August 28th, received an email with subject lines “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
[Image: Locky spam email screenshot. Source: AppRiver]
Each email comes with a ZIP attachment containing a Visual Basic Script (VBS) file. Once opened, this VBS file downloads the latest version of Locky ransomware. All the files on the infected computer are then encrypted, that is, converted into ciphertext, a form of data that can only be read with the decryption key or password. After the encryption, victims are instructed to install the Tor browser and are given a .onion address, a site on the dark web. Below is a screencap of that dark web site.
[Image: Locky decryptor page on the dark web. Source: AppRiver]
The dark web site shows a victim how to purchase Bitcoins. It also tells the victim to send 0.5 Bitcoin (equivalent to a staggering $2,381) to a given Bitcoin address as payment to supposedly unlock the encrypted files.
The latest Locky strain was reported last August 17th this year by researchers at Fortinet. It uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven, one of the Fortinet researchers who discovered the latest Locky variant, tweeted last August 17th that this variant is the second modification of Locky in over a week.
Last August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant called “Diablo6”, named after the “.diablo6” extension to its encrypted files.
“It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters,” Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails – each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.

History of Locky Ransomware

Locky ransomware was first distributed into the wild in early February 2016. Based on the Google-led study, Locky was the highest grossing ransomware in 2016, earning a total of $7.8 million.
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was a victim of a malware that locked access to certain hospital computers by encrypting the files and demanding ransom payment worth 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”.
According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky’s total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina.
Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In its more than a year of existence in the wild, the creators of Locky have periodically changed the malware. Aside from “.lukitus” and “.diablo6”, Locky’s creators have also used “.locky”, “.zepto” and “.odin” as extensions for its encrypted files.
Different variants of Locky have been spread in two ways: 1) spam emails and 2) compromised websites.

Spam Emails

One of the main paths of Locky infection is through spam email campaigns. The following are some of the subject lines used in spam emails to spread the Locky ransomware:

  • ATTN: Invoice J-12345678
  • Invoice IN00000160V00008647772
  • Your Order
  • Please sign
  • Scanned image from MX-2600N

An email with the subject line “Scanned image from MX-2600N” may look innocent enough. But the use of such a subject line is the product of a sophisticated campaign, a plan to mislead employees into opening the spam email.
“MX-2600N” is actually the most popular model of Sharp scanner/printer used in many offices. Many employees use this model to scan documents and email them to themselves or to other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking they’re opening an email they sent to themselves.
According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:

  • Spam email containing an attached JavaScript, MS Office Macro downloader or Windows Script File
  • Spam email containing an attached JavaScript or Microsoft Office Macro downloader
  • Spam email containing an attached JavaScript downloader
  • Spam email containing an attached JavaScript or HTA downloader
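As an added example (not from the article, AppRiver or Fortinet), a small Python triage routine that applies the lure characteristics described above: the listed subject lines, and attachments that are scripts (VBS, JS, WSF, HTA) or ZIP files carrying such scripts, as in the campaign described earlier. The sample message builder, addresses and file names are constructed for this example.

```python
import email, io, zipfile
from email.message import EmailMessage
from email.policy import default

# Lure subjects and script types come from the article's lists; everything
# else (addresses, file names, ZIP contents) is constructed for this example.
EXACT_SUBJECTS = {"please print", "documents", "photo", "images", "scans",
                  "pictures", "your order", "please sign",
                  "scanned image from mx-2600n"}
SCRIPT_EXTS = (".vbs", ".js", ".wsf", ".hta")

def lure_subject(subject: str) -> bool:
    # Invoice lures vary their number, so match those by prefix.
    s = subject.strip().lower()
    return s in EXACT_SUBJECTS or s.startswith(("attn: invoice", "invoice "))

def scripts_in_zip(data: bytes) -> list:
    # Names of script members inside a ZIP payload; empty if not a valid ZIP.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> dict:
    # Verdict for one raw RFC 5322 message: 'block' if any lure indicator fires.
    msg = email.message_from_bytes(raw, policy=default)
    reasons = []
    if lure_subject(msg["subject"] or ""):
        reasons.append("subject matches a known Locky lure")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTS):
            reasons.append(f"script attachment {name}")
        elif name.endswith(".zip"):
            hits = scripts_in_zip(part.get_payload(decode=True) or b"")
            if hits:
                reasons.append(f"ZIP {name} carries script(s) {hits}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}

def build_sample(subject: str, member: str) -> bytes:
    # Constructed test message: a ZIP attachment holding one placeholder member.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "placeholder text, not a real script\n")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
    m.set_content("See attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scan.zip")
    return m.as_bytes()
```

Running `triage(build_sample("please print", "document.vbs"))` returns a block verdict with two reasons (lure subject plus a script inside the ZIP), while a message with an ordinary subject and a non-script ZIP member is allowed.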

Compromised Websites

The other attack path used by Locky ransomware is via compromised websites that redirect to the Nuclear or Neutrino exploit kit. Unlike a malicious email campaign, where the victim has to open an email and click on the attachment, an exploit kit like Nuclear or Neutrino doesn’t require any added action from the end user. An exploit kit works like a ghost while a potential victim is browsing a compromised website. In the case of Locky ransomware, the exploit kit acts as the distributor of the malware to the victim’s computer.

How to Prevent Locky Ransomware Attacks

Here are some of the ways to block Locky ransomware attacks:

1. Use Up-to-Date Browser and Software

“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.”
2. Exercise Caution When Opening Emails and Attachments
Be wary about opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs. 
When you need help protecting your infrastructure and your data, connect with our team and we will be more than happy to help.