Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Ransomware , Technology

Locky Ransomware Returns With Two New Variants Crypto-Locking Diablo and Lukitus Variants Distributed via Big Spam Campaigns
Locky Ransomware Returns With Two New Variants
Locky ransomware leaves a desktop message instructing victims to visit a darknet site to pay a ransom. (Source: Comodo)

Locky is back.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

After the ransomware fell off the radar, security researchers have spotted two new Locky strains - dubbed Diablo and Lukitus - in as many weeks. Like so many types of crypto-locking ransomware, the attack code is designed to encrypt many file types on a PC and then extort a ransom payment from victims in return for the promise of a decryption key.

"Ransomware has made an unwelcome leap onto the current short list of life's certainties." 

Locky debuted in 2016, but by the end of the year appeared to have gone into steep decline, and it wasn't being distributed by its formerly principal outlet - the Necurs botnet.

Now, however, "it appears this notorious attack is back with distribution through the Necurs botnet - one of the largest botnets in use today," Tyler Moffitt, a senior threat research analyst with security firm Webroot, says in a blog post.

Ransom screen displayed by Lukitus variant of Locky. (Source: Webroot)

Diablo Debuts

The campaign involving the Diablo variant began August 9 and quickly built a botnet comprising more than 11,000 infected endpoints across 133 countries, according to Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs.

To date, Comodo says, the greatest number of infected - aka zombie - endpoints have been seen in Vietnam, India, Mexico, Turkey and Indonesia.

Any system infected by the Diablo variant will see affected files renamed into "a unique, 16-letter and number combination" to which a ".diablo6" extension will be added, according to a research report issued by Comodo.

Once the encryption cycle is complete, victims see a message on their desktop that instructs them to download the Tor anonymizing browser, access a specific website operated by the Locky gang, and then remit a ransom payment that ranges from 0.5 to 1 bitcoin - currently worth $2,150 to $4,300 - in exchange for a promised decryption key, according to Comodo.

Tor-accessible Onion site to which Locky victims get directed. (Source: Webroot)

That Old Macro Trick

The Locky campaign continues to rely on spam emails that may carry one of numerous different types of attachments, including documents (.doc, .docx), archive files (.zip, .rar), PDF or image files (.jpg, .tiff).

Whatever the supposed file type, "it actually contains malicious macros enabling a file-encrypting ransomware payload and delivering big trouble for any who open it - or at least for anyone who opens it without containment or outside of a safe lab environment," according to Comodo's research report.

"When the user opens the attached document, it appears to be full of garbage, and it includes the phrase 'enable macro if data encoding is incorrect' - a social engineering technique used in this type of phishing attack," according to Comodo's report. "If the user does as instructed, the macros then save and run a binary file that downloads the actual encryption Trojan, which will encrypt all files that match particular extensions - including the common ones on most machines."

Such social engineering techniques have long been used by malware - and ransomware - authors to trick users into allowing malicious attachments to execute (see Hello! Can You Please Enable Macros?). Often, these email-attached malicious executables function as "droppers," which immediately reach out to a command-and-control server, tell it that the endpoint has been infected, and then receive further malicious code, such as ransomware, to install on the endpoint.

Lukitus: Finnish Wrinkle

The Lukitus variant of Locky, meanwhile, was first spotted this week. On Wednesday, Rommel Joven, a malware researcher with security firm Fortinet, warned that Lukitus was being distributed via email attachments as part of a massive spam campaign being run by Necurs.

Samples of files crypto-locked by Lukitus variant. (Source: Fortinet)

Some versions of Lukitus arrive attached to spam emails with such subject lines as "missed voicemail" or "outstanding invoices" to attempt to lure victims into opening the attachment.

As with previously seen versions of Locky, "the spam emails distributed in this campaign include an attached archive file (.zip or .rar) that contains a malicious JavaScript or VBS script," security researchers from Fortinet say in a Wednesday blog post. "Once opened, this attachment downloads the Locky payload."

The countries most targeted with the Lukitus variant to date have been Austria, the United States and Great Britain, according to Fortinet.

Lukitus has an interesting wrinkle, according to Artturi Lehtiö, a senior consultant with Finnish security firm F-Secure, in that it adds its name as an extension to crypto-locked files. Lukitus means "locking" - think "locky" - in Finnish, thus suggesting that attackers may have a bone to pick with Finns.

Prepare, or Pay

Beyond the unwelcome cost hit from a ransom - especially as the value of bitcoin has skyrocketed - law enforcement and security experts recommend that victims never pay a ransom to unlock files, because it directly funds criminal enterprises (see Please Don't Pay Ransoms, FBI Urges).

With all types of ransomware, the most effective - and least costly - way to beat ransomware begins by planning ahead. Beyond using anti-virus tools to nuke known strains before they can crypto-lock systems, also keep regular backups, stored offline, because many types of ransomware can now encrypt network-connected drives or file shares.

Some ransomware victims can avail themselves of free decryptors, for example via the No More Ransom portal. But in the case of Locky, "there is currently no available decryption tool that will work, other than paying the ransom to obtain the decryption keys," Webroot's Moffitt says.

Death, Taxes, Ransomware

Organizations and individuals that fail to prepare do so at their peril.

Indeed, in recent years, ransomware has made an unwelcome leap onto the current short list of life's certainties - death, taxes, and classic television shows "rebooted" into horrific Hollywood movies.

But the far-seeing, Thai-based operational security expert who calls himself the Grugq sees a ransomware silver lining: It's making everyone sharpen their cybersecurity game by putting in place all of the information security defenses they should have invested in years ago (see Solve Old Security Problems First).

Cybersecurity Standard Recommendations Apply

Instead of battling an abstract concept - reputational damage and the like - ransomware gives businesses a concrete, clear and present danger with which to contend.

But defending against ransomware will make organizations more resistant to all sorts of information security threats.

"The protections against ransomware are effectively cybersecurity standard recommendations: Segment networks; apply patches in a timely fashion; ensure least privilege; have working regular backups; reduce attack surface (e.g. disable Office macros, use modern browsers, remove Java and Flash plugins, etc.)," the Grugq writes in a Wednesday blog post.

In other words, organizations must begin by applying these very basic security hygiene rules. "There's no secret magic solution - like APT stoppers - or audit requirements like checkbox periodic penetration tests," the Gruqq says. "Companies must implement real security practices to mitigate the risk ransomware poses directly to their bottom line."



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network