Massive Email Campaign Sends Locky Ransomware to Over 23 Million Users
Whenever we feel like the
is dead, the notorious
Recently, researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the
Lukitus Campaign Sends 23 Million Emails in 24 Hours
by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States in what appears to be one of the largest malware campaigns in the second half of this year.
According to the researchers, the emails sent out in the attack were « extremely vague, » with subjects lines such as « please print, » « documents, » « images, » « photos, » « pictures, » and « scans » in an attempt to convince victims into infecting themselves with Locky ransomware.
The email comes with a ZIP attachment (hiding the malware payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.
Once a victim tricked into clicking it, the VBS file starts a downloader that downloads the latest version of the Locky ransomware, called
(which means « locked » in Finnish), and encrypts all the files on the target computer, and appends [.]lukitus to the encrypted data.
After encryption process ends, the malware displays a ransomware message on the victim’s desktop that instructs the victim to download and install Tor browser and visit the attacker’s site for further instructions and payments.
This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a « Locky decryptor » in order to get their files back.
This Lukitus attack campaign is still ongoing, and AppRiver researchers had
« quarantined more than 5.6 million »
messages in the campaign on Monday morning.
Sadly, this variant is impossible to decrypt as of now.
2nd Locky Campaign Sends over 62,000 Emails
In separate research, security firm Comodo Labs
another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.
, the second variant of Locky ransomware has been distributed using 11,625 different IP addresses in 133 different countries—likely made of a botnet of « zombie computers » to conduct coordinated phishing attacks.
According to security researchers at Comodo, « this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations’ infrastructures. »
The original attack that was first identified on August 9 and lasted three days utilized spam email messages that also contained a malicious Visual Basic Script (VBS) attachment, which if clicked, follows the same functioning as mentioned in the above case.
The cyber criminals operating Locky’s IKARUSdilapidated variant demands ransom between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to get their encrypted files back.
This massive Locky ransomware campaign targets « tens of thousands » of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.
Here’s How to Protect Yourself From Ransomware Attacks
Ransomware has become one of the biggest threats to both individuals and enterprises with the last few months happening several widespread ransomware outbreaks, including
Currently, there is no decryptor available to decrypt data locked by above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.
Beware of Phishing emails:
Always be suspicious of uninvited documents sent via an email and never click on links inside those documents unless verifying the source.
To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
Keep your Antivirus software and system Up-to-date:
Always keep your antivirus software and systems updated to protect against latest threats.
via The Hacker News http://ift.tt/q3rJkn August 31, 2017 at 06:02PM