Locky Ransomware Is Back, With New Variants

Updated on

The Locky ransomware, which, as per experts, is one of the most successful of ransomware families, is back, with new variants.

Some new variants of the Locky ransomware are reportedly active now with a new email spam campaign. Malwarebytes researchers have reported about these variants on August 16th- “We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware.” The report further adds- “From August 9th, Locky made another reappearance using a new file extension “.diablo6” to encrypt files with the rescue note: “diablo6-[random].htm“…Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus” and the rescue note: “lukitus.html“.”

Kaspersky’s Threat Post reports-  “Beginning on Aug. 9, and lasting three days, ransomware called IKARUSdilapidated landed in tens of thousands of inboxes with email that contains little to no content along with a malicious dropper file attachment, according to Comodo Threat Intelligence Lab.”

The ransomware is spread as an email attachment. Threat Post reports- “The attachment is an archive file, with the name ‘E 2017-08-09 (580).vbs’ where 580 is a (variable) number changing for each email and ‘vbs’ is an extension which varies as well,” said Comodo. “The subjects are similar “E 2017-08-09 (580).tiff” where the extension is a document (doc), archive file (zip), pdf or image file (jpg, tiff)”  Once the attachment in the email is executed, the system gets infected with the IKARUSdilapidated ransomware.

A report on HackerCombat, dated 17th August, explains how things work after IKARUSdilapidated ransomware gets downloaded on a system- “When the attachment is downloaded and as the victim tries to open it, he gets a message that the file is unreadable, and he will have to “Enable macro’. This is the bait that is intended to trick the user to enable macros, and once it is enabled, the binary files run the downloaded encrypted Trojan. Next, the malware encrypts all the files that have a specific extension…The victim is then asked to download the Tor browser and click the URL of a specific website, where you will be instructed to make a payment in Bitcoin.”

Locky was at a stage one of the most dominant strains of ransomware before being overtaken by the likes of Cerber and Spora. But now, Locky has resurfaced, with renewed vigor! This proves once again that ransomware is here to stay and we need to keep on devising newer strategies to combat them.


Leave a Comment