Details About The Locky Ransomware Infections

The Locky ransomware family continues to evolve as new variants and attack campaigns are launched at various targets. This article summarizes the latest details about the most recent infection campaigns.

Manual removal of Locky requires being familiar with system files and registries. Removal of any important data can lead to permanent system damage. Prevent this troublesome effect – delete Locky with SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Rising Locky Ransomware Dangers

Cisco Talos security analysts have released detailed information about the Locky attack campaigns they have observed in the last several months. The data shows that the attackers continue to rely on the ransomware and use a variety of strategies to reach as many targets as possible. Several notable infection campaigns are analyzed in detail by the research team.

Locky Ransomware Campaign Associated with The “Receipt XXX-XXX” Spam

The first samples from this campaign were observed on October 24 and featured spam emails that used malicious HTA files as malware downloaders. The hackers used social engineering tricks to lure recipients into opening the infected messages, which were disguised as receipts. The email subject lines followed the pattern “Receipt XXX-XXX”, where XXX was a sequence of digits. The infected HTA files were hidden in ZIP archives.

An interesting feature of this campaign is that the downloader repeatedly uses variable names based on the word “PUMPKIN”. According to the analysis of the captured samples, the word showed up in 37 separate instances.

In total the researchers observed 13,384 emails launched against various victims over the duration of the study, containing 210 unique samples of the Locky ransomware.

Locky Ransomware Campaign with “saved_letter_XXXXXXXX” Spam Messages

A second spam email campaign distributed Locky downloaders that used JavaScript (JS) files as the infection mechanism. This particular attack was relatively low volume; the subject lines of the emails contain “Complaint letter”. The messages carry attached ZIP files named according to the formula “saved_letter_XXXXXXXXX.zip”, where the Xs represent 9 hexadecimal characters. The attached archive contains the JS malware downloader, which is also named according to a formula, “saved letter XXXXXX.js”, where the Xs represent 5-8 hexadecimal characters. A total of 3,748 emails were discovered, with 388 unique malware samples.

Various Locky Ransomware Campaigns known as “Free”

In addition, a third spam email campaign was launched recently. It used WSF-based malware downloaders; a total of 154 emails were observed. The majority of them (133) targeted French speakers and were disguised as having been sent by the French media provider “Free”. A total of 42 unique hashes were identified in this attack campaign.

The contents of the email messages are crafted to look like bills from the company, with a randomly generated sum that varies from message to message. Another variant was observed that disguised the ransomware as failed delivery notifications. Example subject lines include the following:

  • We could not deliver your parcel, #000990048
  • Unable to deliver your item, #0000248834
  • Problem with parcel shipping, ID:00480186

The usual Locky distribution strategy is used: ZIP archives are attached that contain the WSF payload downloaders.

New Locky Ransomware Changes

The observed attack campaigns contain several changes, including the following:

  • The URL path used for C&C server communication has changed to /linuxsucks.php
  • The file extension has changed to the new .SHIT variant
  • The ransom note is now contained in a “_WHAT_is.html” file

Locky ransomware is now more popular than ever, and we expect to see new variants that use other distribution strategies and updated feature sets.
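The subject lines, attachment-naming formulas and C&C path described for the three campaigns and the variant changes above can be turned into simple mail-gateway and proxy triage rules. The following is an added example, not code from the article or from Cisco Talos; the event format, the sample records and the rule names are constructed for illustration.

```python
import re

# Constructed mail-gateway/proxy events, not real telemetry. Each record holds the
# subject, the attached archive name, the script file found inside it, and the
# first URL path the host requested afterwards (empty if none was seen).
SAMPLE_EVENTS = [
    {"subject": "Receipt 482-917", "archive": "Receipt 482-917.zip",
     "inner": "receipt.hta", "url_path": ""},
    {"subject": "Complaint letter", "archive": "saved_letter_3fa9c01de.zip",
     "inner": "saved letter 9bd1ac.js", "url_path": ""},
    {"subject": "Unable to deliver your item, #0000248834", "archive": "facture.zip",
     "inner": "facture.wsf", "url_path": "/linuxsucks.php"},
    {"subject": "Q3 budget", "archive": "budget.zip",
     "inner": "budget.xlsx", "url_path": "/index.html"},
]

# Campaign rules: (name, event field, full-match regex, required inner-file extension
# or None). The regexes encode the subject lines and file-naming formulas reported
# for the three campaigns and the new C&C path; the rule names are our own labels.
RULES = [
    ("receipt-hta",       "subject",  r"Receipt \d+-\d+", ".hta"),
    ("saved-letter-zip",  "archive",  r"saved_letter_[0-9a-f]{9}\.zip", None),
    ("saved-letter-js",   "inner",    r"saved letter [0-9a-f]{5,8}\.js", None),
    ("free-delivery-wsf", "subject",  r".*(could not deliver|unable to deliver|problem with parcel).*", ".wsf"),
    ("locky-c2-path",     "url_path", r"/linuxsucks\.php", None),
]
SCRIPT_IN_ZIP = re.compile(r"\.(hta|js|wsf)$", re.I)  # generic: script file inside a ZIP

def match_rules(event):
    """Return the names of every rule the event matches, in rule order."""
    hits = []
    for name, field, pattern, ext in RULES:
        if re.fullmatch(pattern, event[field], re.I) is None:
            continue
        if ext is not None and not event["inner"].lower().endswith(ext):
            continue
        hits.append(name)
    if event["archive"].lower().endswith(".zip") and SCRIPT_IN_ZIP.search(event["inner"]):
        hits.append("script-in-zip")
    return hits

def triage(events):
    """Map each suspicious event's subject to its matched rules; clean events are dropped."""
    return {e["subject"]: match_rules(e) for e in events if match_rules(e)}

if __name__ == "__main__":
    for subject, names in triage(SAMPLE_EVENTS).items():
        print(f"{subject!r}: {', '.join(names)}")
```

The generic "script-in-zip" rule catches the common delivery technique shared by all three campaigns, so it keeps firing even after the attackers rotate subject lines or naming formulas.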


Author: Martin Beltov

    Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
