A new variant of Locky ransomware is back, being pushed out to victims in a concerted email campaign. Security researchers have also discovered a variant of the ransomware that attempts to evade analysis by security firms using a new approach.
It has been reported that a new wave of spam mail is circulating with common subject lines to spread variants of Locky ransomware. Reports indicate that over 23 million messages have been sent in this campaign. The messages carry common subjects such as "please print", "documents", "photo", "Images", "scans" and "pictures". However, the subject lines may change in targeted spear-phishing campaigns.
The messages contain "zip" attachments with a Visual Basic Script (VBS) embedded in a secondary zip file. The VBS file is a downloader which polls the domain "greatesthits[dot]mygoldmusic[dot]com" (please do not visit this malicious website) to download variants of Locky ransomware.
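The attachment structure described above (a zip inside a zip, with the script in the inner archive) is something a mail gateway or triage script can check for without executing anything. The following Python is an added example written for this advisory, not code from the advisory's authors or from any product; it walks a zip attachment in memory, records nested archives and script members, and caps the recursion depth so a deliberately deep archive cannot exhaust the scanner. The sample attachment it builds is constructed here and contains only a comment line in place of a script body.

```python
import io
import zipfile

# Script extensions worth flagging when they arrive inside an archive attachment.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
MAX_DEPTH = 3  # refuse to descend forever into archives nested in archives


def inspect_archive(data, depth=0, path=""):
    """Walk a zip attachment given as bytes and return a list of findings.

    Each finding is a tuple (kind, member_path) with kind one of
    "script", "nested_archive", "depth_limit" or "unreadable".
    Inner archives are opened in memory, up to MAX_DEPTH levels down.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append(("depth_limit", path))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(("unreadable", path))
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(("script", member_path))
            inner = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(inner)):
                findings.append(("nested_archive", member_path))
                findings.extend(inspect_archive(inner, depth + 1, member_path))
    return findings


def is_suspicious(data):
    """True when the attachment has a script file and a nested archive,
    the combination the campaign above uses."""
    kinds = {kind for kind, _ in inspect_archive(data)}
    return "nested_archive" in kinds and "script" in kinds


def build_sample_attachment():
    """Constructed sample: an outer zip holding an inner zip that holds a
    harmless .vbs whose body is a single comment line."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("scan.vbs", "' placeholder body, constructed for this example\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("scan.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment():
    """Constructed sample: a flat zip holding one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    for kind, member in inspect_archive(sample):
        print(f"{kind:15} {member}")
    print("suspicious:", is_suspicious(sample))
```

The depth cap and the `BadZipFile` handling matter more than they look: a scanner that crashes or hangs on a malformed attachment is one the sender can route around.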
If a system is infected by Locky, all files are encrypted and a string of random numbers with the extension "[.]lukitus" or "[.]diablo6" is appended to the encrypted files. It may be noted that earlier variants of Locky add the extension ".locky" to the encrypted files. After encryption, the desktop background is replaced with instructions and an "htm" file named "Lukitus[dot]htm" is created. The instructions direct the victim to install the TOR browser, visit ".onion" sites and pay a ransom of ".5 Bitcoins".
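The indicators in the two paragraphs above (the downloader's domain, the encrypted-file extensions and the ransom note name) can be turned into a small host and log triage check. The Python below is an added example for this advisory, not code from its authors; it classifies file names and scans proxy log lines for the downloader domain or any subdomain of it. The log line format, the assumption that encrypted file names are a run of hex digits and dashes (the advisory only says "random numbers"), and all the sample file names and log lines are constructed for the example.

```python
import re

# Indicators quoted in the advisory: the host the VBS downloader contacts,
# the extensions appended to encrypted files, and the ransom note's file name.
IOC_DOMAIN = "greatesthits.mygoldmusic.com"
RANSOM_NOTE = "lukitus.htm"

# Assumption: an encrypted file is named with hex digits and dashes followed by
# one of the Locky extensions. Widen the character class if your samples differ.
ENCRYPTED_NAME = re.compile(r"^[0-9a-f\-]+\.(lukitus|diablo6|locky)$", re.IGNORECASE)


def classify_filename(name):
    """Return "encrypted", "ransom_note" or "clean" for one path or file name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base.lower() == RANSOM_NOTE:
        return "ransom_note"
    if ENCRYPTED_NAME.match(base):
        return "encrypted"
    return "clean"


def scan_filenames(names):
    """Count names per class; any encrypted or ransom_note hit on a host means
    the payload has already run there and the host should be isolated."""
    counts = {"encrypted": 0, "ransom_note": 0, "clean": 0}
    for name in names:
        counts[classify_filename(name)] += 1
    return counts


def host_matches(host, domain):
    """True if host is the IoC domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines):
    """Return (timestamp, client_ip, host) for each line whose host field
    matches the downloader domain. Assumed line format (constructed):
    '<timestamp> <client_ip> <host> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the scan
        timestamp, client_ip, host = parts[0], parts[1], parts[2]
        if host_matches(host, IOC_DOMAIN):
            hits.append((timestamp, client_ip, host))
    return hits


# Constructed sample data; none of it comes from a real system.
SAMPLE_FILES = [
    "C:/Users/alice/Documents/report.docx",
    "C:/Users/alice/Documents/A1B2C3D4-5E6F-7A8B-9C0D1E2F-3A4B5C6D7E8F.lukitus",
    "C:/Users/alice/Pictures/0123456789ABCDEF.diablo6",
    "C:/Users/alice/Desktop/Lukitus.htm",
]
SAMPLE_PROXY_LOG = [
    "2017-09-01T09:14:02Z 10.0.0.12 www.example.com 200",
    "2017-09-01T09:15:47Z 10.0.0.12 greatesthits.mygoldmusic.com 200",
    "2017-09-01T09:16:10Z 10.0.0.33 cdn.greatesthits.mygoldmusic.com 403",
    "malformed line",
]

if __name__ == "__main__":
    print(scan_filenames(SAMPLE_FILES))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("IoC hit:", hit)
```

A blocked request (status 403 in the constructed log) is still worth reporting: the client that made it has already run the VBS stage and needs attention even though the download failed.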
Indicators of Compromise:
Block the below malicious domains/IPs at the perimeter:
Businesses and end users are advised to exercise caution when opening emails and their attachments, and organizations are advised to deploy anti-spam solutions and keep their AV engines updated. For further assistance contact our cyber security team.