Beware Of The New Locky Ransomware

Today, another Locky variant is making the news by launching up to 20 million attacks each day. Of all the different ransomware strains in circulation right now, Locky definitely the one “going places.” Locky ransomware, which was released last year, has suddenly become active in the past year. New variants appear to be intermittently popping up, the latest being a new variant with the capacity to unleash a massive number of cyber attacks in one day.

This new Locky ransomware threat was discovered by researchers at the Barracuda Advanced Technology Group. A post on the Barracuda Labs blog gives a detailed picture of the threat. It says,  “The Barracuda Advanced Technology Group is actively monitoring an aggressive ransomware threat that appears to come in the largest volume from Vietnam. Other significant sources of this attack include India, Columbia, and Turkey, and Greece. Other countries appear to be distributing the same attack in very low volumes. So far we have seen roughly 20 million of these attacks in the last 24 hours, and that number is growing rapidly.”

Barracuda researchers have identified the ransomware to be a Locky variant; they also explain how this ransomware works with a single identifier. The blog post explains, “Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier. The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor. In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them. This attack is also checking the victim computer language files, which may lead to an internationalized version of this attack in the future.”

These attacks are coming in the form of emails, most of which claim to be from a company called Herbalife. The Barracuda Labs blog post says- “These attacks are wrapped in either a ‘Herbalife’ branded email or a generic email that impersonates a ‘copier’ file delivery”. There is also another kind of email that’s part of the campaign; this comes with a subject line that reads “Emailing,” followed by the name of the attachment.

The researchers are monitoring the threat and as well as providing updates. The Barracuda Labs blog post states, “There have been approximately 6,000 fingerprints, which tells us that these attacks are being automatically generated using a template that randomizes parts of the files. The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead anti-virus engines.”