Locky Ransomware Returns With Two New VariantsCrypto-Locking Diablo and Lukitus Variants Distributed via Big Spam Campaigns
Locky is back.
After the ransomware fell off the radar, security researchers have spotted two new Locky strains - dubbed Diablo and Lukitus - in as many weeks. Like so many types of crypto-locking ransomware, the attack code is designed to encrypt many file types on a PC and then extort a ransom payment from victims in return for the promise of a decryption key.
"Ransomware has made an unwelcome leap onto the current short list of life's certainties."
Locky debuted in 2016, but by the end of the year appeared to have gone into steep decline, and it wasn't being distributed by its formerly principal outlet - the Necurs botnet.
Now, however, "it appears this notorious attack is back with distribution through the Necurs botnet - one of the largest botnets in use today," Tyler Moffitt, a senior threat research analyst with security firm Webroot, says in a blog post.
The campaign involving the Diablo variant began August 9 and quickly built a botnet comprising more than 11,000 infected endpoints across 133 countries, according to Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs.
To date, Comodo says, the greatest number of infected - aka zombie - endpoints have been seen in Vietnam, India, Mexico, Turkey and Indonesia.
Any system infected by the Diablo variant will see affected files renamed into "a unique, 16-letter and number combination" to which a ".diablo6" extension will be added, according to a research report issued by Comodo.
Once the encryption cycle is complete, victims see a message on their desktop that instructs them to download the Tor anonymizing browser, access a specific website operated by the Locky gang, and then remit a ransom payment that ranges from 0.5 to 1 bitcoin - currently worth $2,150 to $4,300 - in exchange for a promised decryption key, according to Comodo.
That Old Macro Trick
The Locky campaign continues to rely on spam emails that may carry one of numerous different types of attachments, including documents (.doc, .docx), archive files (.zip, .rar), PDF or image files (.jpg, .tiff).
Whatever the supposed file type, "it actually contains malicious macros enabling a file-encrypting ransomware payload and delivering big trouble for any who open it - or at least for anyone who opens it without containment or outside of a safe lab environment," according to Comodo's research report.
"When the user opens the attached document, it appears to be full of garbage, and it includes the phrase 'enable macro if data encoding is incorrect' - a social engineering technique used in this type of phishing attack," according to Comodo's report. "If the user does as instructed, the macros then save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions - including the common ones on most machines."
Such social engineering techniques have long been used by malware - and ransomware - authors to trick users into allowing malicious attachments to execute (see Hello! Can You Please Enable Macros?). Often, these email-attached malicious executables function as "droppers," which immediately reach out to a command-and-control server, tell it that the endpoint has been infected, and then receive further malicious code, such as ransomware, to install on the endpoint.
Lukitus: Finnish Wrinkle
The Lukitus variant of Locky, meanwhile, was first spotted this week. On Wednesday, Rommel Joven, a malware researcher with security firm Fortinet, warned that Lukitus was being distributed via email attachments as part of a massive spam campaign being run by Necurs.
The countries most targeted with the Lukitus variant to date have been Austria, the United States and Great Britain, according to Fortinet.
Lukitus has an interesting wrinkle, according to Artturi Lehtiö, a senior consultant with Finnish security firm F-Secure, in that it adds its name as an extension to crypto-locked files. Lukitus means "locking" - think "locky" - in Finnish, thus suggesting that attackers may have a bone to pick with Finns.
"Lukitus" means "locking" in Finnish. Newest locky ransomware campaign uses it as file extension. Please re-roll your attribution dice. https://t.co/izXiFaQSbw— Artturi Lehtiö (@lehtior2) August 17, 2017
Prepare, or Pay
Beyond the unwelcome cost hit from a ransom - especially as the value of bitcoin has skyrocketed - law enforcement and security experts recommend that victims never pay a ransom to unlock files, because it directly funds criminal enterprises (see Please Don't Pay Ransoms, FBI Urges).
With all types of ransomware, the most effective - and least costly - way to beat ransomware begins by planning ahead. Beyond using anti-virus tools to nuke known strains before they can crypto-lock systems, also keep regular backups, stored offline, because many types of ransomware can now encrypt network-connected drives or file shares.
Some ransomware victims can avail themselves of free decryptors, for example via the No More Ransom portal. But in the case of Locky, "there is currently no available decryption tool that will work, other than paying the ransom to obtain the decryption keys," Webroot's Moffitt says.
Death, Taxes, Ransomware
Organizations and individuals that fail to prepare do so at their peril.
Indeed, in recent years, ransomware has made an unwelcome leap onto the current short list of life's certainties - death, taxes, and classic television shows "rebooted" into horrific Hollywood movies.
But the far-seeing, Thai-based operational security expert who calls himself the Grugq sees a ransomware silver lining: It's making everyone sharpen their cybersecurity game by putting in place all of the information security defenses they should have invested in years ago (see Solve Old Security Problems First).
I stand by this claim: https://t.co/TT3Qhlho18— the grugq (@thegrugq) August 15, 2017
Cybersecurity Standard Recommendations Apply
Instead of battling an abstract concept - reputational damage and the like - ransomware gives businesses a concrete, clear and present danger with which to contend.
But defending against ransomware will make organizations more resistant to all sorts of information security threats.
"The protections against ransomware are effectively cybersecurity standard recommendations: Segment networks; apply patches in a timely fashion; ensure least privilege; have working regular backups; reduce attack surface (e.g. disable Office macros, use modern browsers, remove Java and Flash plugins, etc.)," the Grugq writes in a Wednesday blog post.
In other words, organizations must begin by applying these very basic security hygiene rules. "There's no secret magic solution - like APT stoppers - or audit requirements like checkbox periodic penetration tests," the Gruqq says. "Companies must implement real security practices to mitigate the risk ransomware poses directly to their bottom line."