Cyber News - Recently, researchers from two security companies independently observed two mass email campaigns spreading two different new variants of the Locky ransomware.
Campaign Lukitus Sends 23 Million Emails In 24 Hours
The campaign observed by researchers at AppRiver sent over 23 million messages containing Locky ransomware in just 24 hours on August 28 across the United States, in what appears to be one of the largest malware campaigns of the second half of this year.
According to the researchers, the emails sent in the attack were "very unclear," with subject lines such as "print please," "documents," "images," "photos," and "scans," in an attempt to lure the victim into opening the attachment and infecting themselves with the ransomware.
The email comes with a ZIP attachment (hiding a malicious payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.
Once the victim is tricked into clicking on it, the VBS file acts as a downloader that fetches the latest version of Locky, called Lukitus (which means "locked" in Finnish). Lukitus encrypts all files on the target computer and appends the extension [.]Lukitus to the encrypted data.
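The delivery chain described above (a VBS script hidden inside a ZIP that is itself inside a ZIP) is what a mail-gateway check has to see through. The following is an added defensive example, not code from the article or from AppRiver: it walks an attachment recursively, descending into nested ZIPs, and reports any script-type member. The sample attachment, the extension list and the nesting limit are constructed for the example.

```python
import io
import zipfile

# Script types that, nested inside a mail attachment, match the Locky
# delivery chain described above (a VBS downloader inside a ZIP).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
MAX_DEPTH = 3  # constructed limit; stops unbounded nested-archive recursion


def find_script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return paths of script-type members, descending into nested ZIPs."""
    if depth > MAX_DEPTH:
        return [prefix + "<max nesting depth exceeded>"]
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []  # not a ZIP at all; nothing to descend into
    findings = []
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            lower = info.filename.lower()
            if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                findings.append(path)
            elif lower.endswith(".zip"):
                # Inner ZIP: read it into memory and inspect its members too.
                findings.extend(find_script_members(archive.read(info), depth + 1, path + "/"))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: an outer ZIP holding a second ZIP that holds a VBS."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("scan_0001.vbs", "' placeholder text, not a real downloader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("images.zip", inner.getvalue())
        z.writestr("readme.txt", "benign text file\n")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_script_members(build_sample_attachment()):
        print("script attachment found:", hit)
```

Matching on file extension alone is a first-pass filter; a gateway would also check content type and detonate or block the archive rather than rely on the name.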
After the encryption process ends, the malware displays a ransom note on the victim's desktop instructing the victim to download and install the Tor browser and visit the attacker's site for instructions and payment.
The Locky Lukitus variant demands a total of 0.5 Bitcoin (~$2,300) from the victim in exchange for the "Locky decryptor" needed to restore their files.
The Lukitus campaign is still ongoing, and AppRiver researchers had "quarantined more than 5.6 million" messages from the campaign as of Monday morning.
Unfortunately, there is currently no way to decrypt files encrypted by Lukitus.
The 2nd Locky Campaign Sends Over 62,000 Emails
In separate research, security firm Comodo Labs discovered a massive spam campaign earlier in August that sent more than 62,000 spam emails containing a new variant of the Locky ransomware in just three days during the first phase of the attack.
Dubbed IKARUSdilapidated, the second Locky variant was distributed from 11,625 different IP addresses in 133 different countries, most likely a "zombie computer botnet" used to carry out coordinated phishing attacks.
According to security researchers at Comodo, "this is a large-scale data-based ransomware attack, in which new malware variants appear as unknown files and can slip into unsafe and unprepared organizational infrastructure."
The original attack was first identified on August 9 and lasted for three days, using spam emails that also carried a malicious Visual Basic Script (VBS) attachment which, if clicked, operates in the same way as in the case above.
The cybercriminals operating the IKARUSdilapidated Locky variant demand a ransom of between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) for the victim to get their encrypted files back.
The massive Locky ransomware campaign is targeting tens of thousands of users worldwide, with the top five affected countries being Vietnam, India, Mexico, Turkey and Indonesia.