Locky – Ever-evolving Ransomware – Makes its Appearance Again
Locky, the notorious ransomware, is back in the spotlight. A few weeks ago, on August 9, it surfaced with a new campaign called “IKARUSdilapidated,” which delivered a malware build bearing a menacing name: Diablo6. It targeted victims with the old technique, spam emails. Such messages carried a [date].zip or .rar archive attachment together with a short message, “Files attached. Thanks.”
After an unsuspecting user opens the content of the attached file, they face the destructive power of the Diablo6 file-encrypting virus. However, a few days later, the developers sent a “backup” to the campaign: another version of the infamous virtual plague, Lukitus malware.
The main difference was that the virus now appended the .lukitus file extension instead of .diablo6. Overall, the mastery of the Locky authors does not cease to surprise the security community.
Seeking Inspiration from Mythology
Locky became infamous not only for its infiltration of multiple medical institutions and companies, but also for its references to mythology. The first versions used Norse deity names, with Odin and Thor emerging, while subsequent versions contained hints of Ancient Egypt: Osiris and Anubis. However, the modus operandi did not differ much.
Speaking of IKARUSdilapidated, its core operation does not present any exceptional features. However, the veneer of the campaign is indeed intriguing: the new malware was spotted targeting specific companies.
More Insidious Technique
Since employees often send scanned files to one another, Locky developers saw this daily routine as a perfect chance to foist the new version of the malware on them. Thus, an email from a colleague with the subject line “scanned image of [printer type].png” might now be bait rather than a genuine message.
The malware may corrupt an entire server or take an easier option and infiltrate a company’s network. Moreover, if a curious user opens the message, they might unwittingly pass the menace on to all their contacts, which again accelerates the spread of the virus.
Unfortunately, such attacks were not limited to these campaigns. Another variant was detected which exclusively targeted French users. Surprisingly, the malware arrived in emails purportedly sent by the French Post Office. This campaign emerged on August 21 and terrorized users for only 15 hours. It was also associated with laposte.net, a website used by the company.
Researchers have discovered an astonishing number of IP addresses compromised by IKARUSdilapidated: 54,048. They were also able to identify certain epicenters and “routes” of Locky distribution:
- UK (via Turkey) – Indonesia
- Central and southern Africa
- South West US – South America
Countermeasures Against IKARUSdilapidated
As Locky keeps evolving, it reveals more features, and IT experts can gain better insight into the malware. However, due to its unpredictable behavior, it remains a cyber threat. Besides backing up your files and protecting the device with a combination of security tools, you should take note of this advice:
- verify the authenticity of the email even when it appears to come from an official institution
- compare the given credentials with the official ones
- look for typos and grammar mistakes
- scan the received email attachment and confirm with the sender before opening the attached file
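One way to turn this checklist into a mail-gateway check, as an added example that is not part of the original article: a Python function that parses a raw message and flags the traits of the lure described above (an archive attachment, a date-style filename, the “Files attached. Thanks.” body, a “scanned image of” subject). The sample messages are constructed, and the date-filename pattern and the short-body threshold are assumptions, not observed rules.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure traits taken from the campaign described above; the date-in-filename
# pattern and the "terse body" threshold are assumptions, not observed rules.
ARCHIVE_EXTS = (".zip", ".rar")
DATE_NAMED = re.compile(r"^\d{1,4}[-_.]?\d{1,2}[-_.]?\d{1,4}\.(zip|rar)$", re.I)
BODY_LURE = "files attached. thanks."
SUBJECT_LURE = re.compile(r"scanned image of", re.I)

def assess(raw: bytes) -> dict:
    """Flag the traits of the spam lure in one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    text = msg.get_body(preferencelist=("plain",))
    body = text.get_content().strip().lower() if text else ""
    hits = {
        "archive_attachment": any(n.lower().endswith(ARCHIVE_EXTS) for n in names),
        "date_named_archive": any(DATE_NAMED.match(n) for n in names),
        "lure_phrase": body == BODY_LURE,
        "terse_body": len(body.split()) <= 5,
        "scanner_subject": bool(SUBJECT_LURE.search(msg.get("Subject", ""))),
    }
    # An archive alone is routine; an archive plus any lure trait is held for review.
    hits["quarantine"] = hits["archive_attachment"] and any(
        hits[k] for k in ("date_named_archive", "lure_phrase", "terse_body", "scanner_subject"))
    return hits

def _message(subject: str, body: str, filename: str, subtype: str, payload: bytes) -> bytes:
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Colleague <colleague@example.com>"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

def sample_lure() -> bytes:
    """Constructed lookalike of the campaign's 'scanned image' lure."""
    return _message("Scanned image of [printer type].png", "Files attached. Thanks.",
                    "2017-08-09.zip", "zip", b"PK\x03\x04 placeholder, not a real archive")

def sample_benign() -> bytes:
    """Constructed ordinary colleague mail with a non-archive attachment."""
    return _message("Q3 budget draft for review",
                    "Hi, attached is the draft we discussed on the call. Comments welcome before Friday.",
                    "budget-q3.pdf", "pdf", b"%PDF-1.4 placeholder, not a real document")

if __name__ == "__main__":
    print(assess(sample_lure()))
    print(assess(sample_benign()))
```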
As Locky developers make their ransomware distribution methods more deceptive by incorporating elements of everyday communication, you should remain more vigilant than ever before.