The Locky ransomware family continues to evolve as new variants and attack campaigns continue to be launched at various targets. Learn more about the latest details about the latest infection attacks.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
Rising Locky Ransomware Dangers
Cisco Talos security analysts have released detailed information about the Locky attack campaigns that we have observed in the last several months. The data shows that the attackers continue to use the ransomware threat and utilize various strategies to impact as many targets as possible. There have been several notable infection that are analyzed in details by the researcher team.
Locky Ransomware Campaign Associated with The “Receipt XXX-XXX” Spam
The first samples coming from this campaign were observed on October 24 and featured spam emails that used malicious HTA files as malware downloaders. The hackers used social engineering tricks to lure the recipients into opening the infected messages disguised as receipts. The subject lines of the emails used the subject “Receipt XXX-XXX” where the XXX was a sequence of digits. The infected HTA files were hidden in ZIP archives.
The interesting fact about this particular campaign is that the downloader repeatedly uses variables names based on the word “PUMPKIN“. According to the analysis on the captured samples, the word showed up in 37 separate instances.
In total the researchers observed 13 384 emails that were launched against various victims for the duration of the study. This includes 210 unique samples of the Locky ransomware virus.
Locky Ransomware Campaign with saved_letter_XXXXXXXX” Spam messages
A second spam email campaign distributed Locky downloaders that used Javascript (JS) files as the infection mechanism. This particular attack was relatively low volume, the subject lines of the emails contain “Complaint letter”. They contain attached ZIP files named using the “saved_letter_XXXXXXXXX.zip” formula – each X represents 9 hexadecimal characters. The attached archive contained the JS malware downloader which is also named according to a formula – “saved letter XXXXXX.js” where X represents 5-8 hexadecimal characters. A total of 3 748 emails were discovered with 388 unique malware samples.
Various Locky Ransomware Campaigns known as “Free”
In addition there has been a third spam email campaign that was launched recently. It used WSF-based malware downloaders, a total of 154 emails were observed. The majority of them (133) targeted French language speakers and were disguised as having been sent by the French media provider “Free”. A total of 42 unique hashes were identified in this attack campaign.
The contents of the email messages are masked to appear as bills from the company where the hackers include a randomly crafted sum that varies depending on the message. Another variant was observed that masked the ransomware as failed delivery notifications. Example subject lines include the following:
- We could not deliver your parcel, #000990048
- Unable to deliver your item, #0000248834
- Problem with parcel shipping, ID:00480186
The same typical Locky distribution strategy is used of attaching ZIP files that contain the WSF payload downloaders.
New Locky Ransomware Changes
The observed attack campaigns contain several changes that include the following:
The Locky Ransomware is now more popular than ever, we expect to see new variants that use various other distribution strategies and with updated feature sets.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
