1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

9/1/2017

0 Comments

Massive Locky Ransomware Campaign Attempts to Infect Millions of  Computers in 24 Hours

 
Locky ransomware

Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours

Locky is the first ransomware to make $1 million per month based on a Google-led study (PDF). After lying low in the first half of 2017, this notable ransomware made a massive comeback last August 28th, unleashing 23 million malicious emails in just 24 hours.
 
"In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017," researchers at AppRiver said.
 
How the Latest Locky Ransomware Works
Millions of workers who returned to work on Monday, August 28th, received an email with subject lines “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
Lucky email screen
Image: AppRiver
​Each email comes with a ZIP attachment containing a Visual Basic Script (VBS) file. Once opened, this VBS file initiates the downloading of the latest version of Locky ransomware. All the files on the infected computer are then encrypted –conversion of computer data into ciphertext, a data form that can only be read using a decryption secret key or password. After the data encryption, victims are instructed to install the TOR browser and provided with a .onion, also known as dark web site. Below is the screencap of the dark web site.
Locky decrypt
Image: AppRiver
​The dark web site shows a victim how to purchase Bitcoins. It also tells the victim to send .5 Bitcoin – equivalent to a staggering $2,381 – to a certain Bitcoin address as payment to supposedly unlock the encrypted files.
 
The latest Locky strain was reported last August 17th this year by researchers at Fortinet. The latest strain uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven‏, one of the Fortinet researchers who discovered the latest Locky variant, tweeted last August 17th that this variant is the second modification of Locky in over a week.
 
Last August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant called "Diablo6", named after the “.diablo6” extension to its encrypted files.
 
“It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails – each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.

History of Locky Ransomware

​Locky ransomware was first distributed into the wild in early February 2016. Based on the Google-led study, Locky was the highest grossing ransomware in 2016, earning a total of $7.8 million.
 
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was a victim of a malware that locked access to certain hospital computers by encrypting the files and demanding ransom payment worth 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”.
 
According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky's total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina.
 
Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In its more than a year existence into the wild, creators of Locky ransomware periodically make changes to this malicious software. Aside from “.lukitus”, “.diablo6”, Locky’s creators also used “.locky”, “.zepto” and “.odin” as names of extension to its encrypted files.
 
Different variants of Locky were spread in 2 ways: 1) spam emails and 2) compromised websites.

Spam Emails

One of the main paths of Locky infection is through spam email campaigns. The following are some of the subject lines used in spam emails to the spread the Locky ransomware:
  • ATTN: Invoice J-12345678
  • Invoice IN00000160V00008647772
  • Your Order
  • Please sign
  • Scanned image from MX-2600N
 
An email with the subject line "Scanned image from MX-2600N” may look innocent enough. But the use of such subject line is a product of a sophisticated campaign – a plan to mislead many employees into clicking the spam email.
 
The term “MX-2600N” is actually the most popular model of Sharp scanner/printer that’s used by many offices. Many employees use this model to scan documents and email them to themselves or other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking that they’re opening an email that they’ve sent to themselves.
 
According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:
  • Spam email containing an attached JavaScript, MS Office Macro downloader or Windows Script File
  • Spam email containing an attached JavaScript or Microsoft Office Macro downloader
  • Spam email containing an attached JavaScript downloader
  • Spam email containing an attached JavaScript or HTA downloader

Compromised Websites

​The other attack path used by Locky ransomware is via compromised websites that redirect to Nuclear or Neutrino Exploit Kit. Unlike in a malicious email campaign whereby the victim has to open an email and click on the attachment, an exploit kit like Nuclear or Neutrino doesn’t require added action from the end user. An exploit kit works like a ghost while a potential victim is browsing a compromised website. In the case of Locky ransomware, the exploit kit acts as the distributor of the malware to the victim’s computer. 

How to Prevent Locky Ransomware Attacks

Here are some of the ways to block Locky ransomware attacks:

​1. Use Up-to-Date Browser and Software
“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.
 
2. Exercise Caution When Opening Emails and Attachments
Be wary about opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs. 
When you need help protecting your infrastructure and your data, connect with our team and we will be more than happy to help.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Blockchain
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cybercrime
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    Data Privacy
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    Incident Management
    Insider Threat
    IoT
    Machine Learning
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo from GotCredit