Site icon Sophos News

It’s baaaack: Locky ransomware is on the rise again

Thanks to Dorka Palotay of SophosLabs for her behind-the-scenes work on this article.

Locky was once among the most dominant strains of ransomware. Over time, it receded from view, replaced by ransomware such as Cerber and Spora. But in the last couple of weeks, Locky has returned.

Last week it sported a new extension: .diablo6. This week researchers are seeing more new variants, now with a .lukitus extension. SophosLabs researcher Dorka Palotay said the new variants perform the usual Locky behavior:

It is spread by spam email and comes with a .zip attachment with a .js file inside (e.g. 20170816436073213.js). It downloads the actual payload, which then encrypts the files. 

Email characteristics, payloads

The .lukitus variant comes with email subject lines like “PAYMENT” and the following body content:

The Diablo variant used the body content “Files attached. Thanks” and the sender’s email address had the same domain as the recipient’s. The emails came with the .zip attachment “E 2017-08-09 (957).zip”, which contained a VBScript downloader called “E 2017-08-09 (972).vbs”.  The script would then download the Locky payload from an address ending with /y872ff2f. 

The .lukitus version connected to its command-and-control server via these addresses:

The diablo6 version connected to its command-and-control server via these addresses:

Defensive measures: malicious attachments

Sophos is protecting customers from the latest Locky campaigns. But it helps to keep the following advice top of mind:

Defensive measures: ransomware

The best defense against ransomware is not to get infected in the first place, so we’ve published a guide entitled How to stay protected against ransomware that we think you’ll find useful:


You can also listen to our Techknow podcast Dealing with Ransomware:

LISTEN NOW

(Audio player above not working? Listen on Soundcloud or access via iTunes.)


Exit mobile version