Lukitus Ransomware: Key Facts and Prevention Tips

Lukitus – New Heir of Locky

If a file-encrypting virus has ever infiltrated your computer and encrypted your files, you most likely already know about the major ransomware threats. While most of you have heard about Locky[1] at least once, few might be familiar with Lukitus. Unfortunately, Lukitus is just one of the latest versions of the infamous threat. So what is new, and is there a way to counter it?

How it All Began

Hardly anyone has not heard of the global chaos wreaked by the original version of Locky in March last year. At that time, the virtual world was only beginning to see the capabilities of a ransomware that infiltrated the systems of medical institutions and companies.

While cyber security experts and users were looking for a way to stop the attack and working on anti-ransomware measures, the developers continued refining the malware's source code.

Ever-evolving Threat

Within months, multiple new versions emerged. The developers seemed to favour Norse mythology, as the subsequent Odin and Thor versions show. Later on, the cyber criminals shifted to Ancient Egypt: the Osiris and Anubis versions made an appearance. However, the most insidious campaign was yet to come.

In early summer 2016, the malware struck the Facebook community.[2] It tempted unsuspecting users to open an image file in .svg format. However, downloading the file only activated the threat.

At the end of last year and in the first half of 2017, the malware's activity subsided, which gave the virtual community hope that the developers of the file-encrypting threat had decided to withdraw from the market. Little did they know how mistaken they were.

In April, Locky surfaced again with its traditional spam campaign. The malware was hidden in a campaign delivered along with “Payment Receipt 2724” spam emails[3]. However, this was just the calm before the storm. In late August 2017, the developers struck with a new campaign named IKARUSdilapidated, bringing two versions of Locky: Diablo6 and Lukitus[4].

How Did it Manage to Wreak so Much Havoc?

While ransomware threats existed before, and some of them, such as TeslaCrypt and CryptoWall, managed to become a real pain, Locky outperformed them with a complex encryption scheme and, most importantly, a successful distribution campaign. Botnets and banking trojans are the key factors that let Locky multiply millions of times.

Since it first appeared, the virus has tended to strike users via spam emails. Originally, it was disguised as a supposed invoice or delivery-failure .doc file with embedded macros. In Windows versions, macros are disabled by default, so the document asked users to enable them. Unfortunately, that action only accelerates the corruption of the system.

Another feature of the malware is its insidious behavior. It disguises itself under the name of a legitimate system file, svchost.exe, which helps it escape detection by victims. Besides renaming encrypted files with the .locky extension, or .lukitus in its latest version, it also replaces the desktop background with the ransom instructions.

Lukitus redirects users to the Locky Decrypter page. Now it costs 2.5 BTC

When a victim enters the indicated address, the perpetrators offer to sell the Locky Decrypter. Interestingly, Lukitus uses the same tool. Here are the main specifications of the malware:

  • uses AES-256 and RSA-2048 keys to encrypt data
  • spreads via spam emails: .doc, .js, .pdf files
  • offers to purchase Locky Decrypter
  • asks to enable macro settings
  • demands ~0.5 bitcoins
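
The two host-side traces described above, a binary named after a legitimate system file and encrypted files renamed with the family's extension, are what a defender can actually hunt for. The following is an added example, not code from the article or any vendor tool: it triages a constructed set of endpoint events (process creations and file renames, labelled as constructed) and flags svchost.exe running outside the Windows system directories, especially when an Office application is its parent, as well as renames to .locky, .lukitus or .diablo6. The event format and all paths are assumptions made for the example.

```python
# Added example (not from the article): defender-side triage of constructed
# endpoint telemetry for two Locky/Lukitus behaviours the text describes:
# a binary masquerading as svchost.exe and files renamed to .lukitus.
from collections import Counter

# Constructed sample events, one per line: TYPE|field1|field2
#   PROCESS|<image path>|<parent image path>
#   FILE_RENAME|<old path>|<new path>
SAMPLE_EVENTS = r"""
PROCESS|C:\Windows\System32\svchost.exe|C:\Windows\System32\services.exe
PROCESS|C:\Users\alice\AppData\Local\Temp\svchost.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
FILE_RENAME|C:\Users\alice\Documents\budget.xlsx|C:\Users\alice\Documents\A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6.lukitus
FILE_RENAME|C:\Users\alice\Documents\notes.txt|C:\Users\alice\Documents\notes.txt.bak
FILE_RENAME|C:\Users\alice\Pictures\trip.jpg|C:\Users\alice\Pictures\F1E2D3C4B5A6978800000000DEADBEEF.lukitus
"""

# Directories from which the genuine svchost.exe runs (lower-cased for comparison).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Extensions the Locky family appends to encrypted files.
LOCKY_EXTENSIONS = (".locky", ".lukitus", ".diablo6")
# Office parents: a system-named binary spawned by these matches the macro delivery chain.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def is_masquerading_svchost(image_path):
    """True when a process is named svchost.exe but runs outside the system directories."""
    path = image_path.lower()
    if not path.endswith(r"\svchost.exe"):
        return False
    directory = path.rsplit("\\", 1)[0]
    return directory not in LEGIT_SVCHOST_DIRS


def is_locky_rename(new_path):
    """True when a rename gives a file one of the Locky-family extensions."""
    return new_path.lower().endswith(LOCKY_EXTENSIONS)


def triage(events_text):
    """Scan event lines and return the indicators worth an analyst's attention."""
    report = {
        "masquerading_processes": [],  # svchost.exe outside System32/SysWOW64
        "office_spawned": [],          # ...and launched by an Office application
        "locky_renames": [],           # files that received a Locky-family extension
        "renames_per_dir": Counter(),  # where the encryption is happening
    }
    for line in events_text.splitlines():
        if not line.strip():
            continue
        kind, first, second = line.split("|", 2)
        if kind == "PROCESS" and is_masquerading_svchost(first):
            report["masquerading_processes"].append(first)
            if second.lower().endswith(OFFICE_PARENTS):
                report["office_spawned"].append(first)
        elif kind == "FILE_RENAME" and is_locky_rename(second):
            report["locky_renames"].append(second)
            report["renames_per_dir"][second.rsplit("\\", 1)[0]] += 1
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The per-directory counter is there because a single .lukitus rename is an incident, but a burst of them in one user's folders within seconds is the encryption loop in progress and is the point at which isolating the host still saves files.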

Lukitus Variation Unravels More Cunning Features

While the menacing and destructive power of Locky contributed to its “popularity”, the Lukitus variant exhibits even more perfidious features. Besides posing as a supposed invoice file with the brief message “Files attached. Thanks,” some versions also imitate emails carrying scanned images.

The latter technique might prove highly successful, as Lukitus tends to target companies: there is a high chance you will open an attached file that was supposedly sent by a colleague. The chances of encountering this malware are increasing daily, as 23 million spam emails carrying this virtual plague were recently detected.

Lukitus malware also exhibits a striking ability to hide from sandboxes. The new technique unleashes Lukitus only when the corrupted file is closed, which lets it get past sandbox detection while still carrying out its mission of infecting unsuspecting users. IKARUSdilapidated also hid the malware behind fake Dropbox verification requests.[5]
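
A macro that fires on document close defeats any sandbox that opens the attachment, waits, and never closes it. One static counter-measure is to look at which VBA entry points a document defines before deciding how to detonate it. The following is an added example, not code from the article or from any real Lukitus sample: it scans a constructed VBA fragment (labelled as constructed; the procedure bodies are placeholders) for auto-executing procedures, separates those that run at open from those that run only at close, and reports whether the suspicious calls sit exclusively behind the close trigger. The trigger and call lists are the example's own assumptions.

```python
# Added example (not from the article or any real sample): a static check of
# VBA macro source for auto-executing procedures, split into those that fire
# when the document is opened and those that fire only when it is closed.
import re

# Constructed VBA fragment. The open handler is a harmless decoy; the loader
# logic sits in Document_Close, so a sandbox that never closes the file sees nothing.
SAMPLE_VBA = """\
Private Sub Document_Open()
    ' decoy: only shows the "enable content" lure text
    ActiveDocument.Range.Text = "Protected document. Enable editing and content."
End Sub

Private Sub Document_Close()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("TEMP") & "\\placeholder.exe", 0, False
End Sub
"""

# VBA entry points that run without any click (names compared case-insensitively).
OPEN_TRIGGERS = {"autoopen", "auto_open", "autoexec", "autonew", "document_open", "workbook_open"}
CLOSE_TRIGGERS = {"autoclose", "auto_close", "autoexit", "document_close", "workbook_beforeclose"}
# Calls that usually mean the macro is a loader rather than document logic.
SUSPICIOUS_CALLS = ("createobject", "wscript.shell", "environ(", "urldownloadtofile", "xmlhttp", "powershell")

# One procedure: optional visibility, Sub/Function, its name, then the body up to End Sub/Function.
PROC_RE = re.compile(
    r"^\s*(?:private\s+|public\s+)?(?:sub|function)\s+(\w+)\b(.*?)^\s*end\s+(?:sub|function)",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)


def scan_vba(source):
    """Return {procedure name: {"phase": "open" | "close" | "manual", "calls": [...]}}."""
    findings = {}
    for match in PROC_RE.finditer(source):
        name, body = match.group(1), match.group(2).lower()
        key = name.lower()
        phase = "open" if key in OPEN_TRIGGERS else "close" if key in CLOSE_TRIGGERS else "manual"
        calls = [c for c in SUSPICIOUS_CALLS if c in body]
        findings[name] = {"phase": phase, "calls": calls}
    return findings


def needs_close_to_detonate(findings):
    """True when every suspicious call lives in a close-phase procedure: a sandbox
    that opens the document and stops there would miss the behaviour entirely."""
    suspicious = [f for f in findings.values() if f["calls"]]
    return bool(suspicious) and all(f["phase"] == "close" for f in suspicious)


if __name__ == "__main__":
    report = scan_vba(SAMPLE_VBA)
    for name, info in report.items():
        print(f"{name}: runs at {info['phase']}, suspicious calls: {info['calls'] or 'none'}")
    print("close the document during analysis:", needs_close_to_detonate(report))
```

In practice the VBA source comes out of the OLE/OOXML container first (a tool such as oletools' olevba does that); the point of the example is the triage decision afterwards: when the loader sits only behind a close trigger, the sandbox run must include closing the document, or the sample will look clean.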

Some of the virus samples were distributed through sites informing users that the “HoeflerText” font was not found and that they should install the Chrome font to read the site's content. Either way, whether you download a shady extension or open an attachment, the scenario ends the same: an encounter with Lukitus.

Escaping Lukitus Ransomware

With each version and distribution campaign becoming craftier, it is necessary to diversify and employ all possible security measures. Unfortunately, none of the Locky versions can be decrypted yet. Besides cyber security tools, companies should raise awareness of ransomware and its transmission tendencies. Users should be vigilant while browsing the Web as well.

Tips to keep in mind regarding Lukitus removal:

  • verify attachments with the sender before opening them
  • check whether offered security software updates are promoted on the vendors' official sites
  • look for grammar mistakes and typos in emails supposedly sent from official campaigns
  • do not enable any browser extensions promoted in pop-up ads
  • back up your files and store the copies in the cloud