Locky ransomware, the infamous threat that dominated malware charts in 2016, is being aggressively distributed in a series of spam runs that have been ongoing for several weeks, security researchers warn.
First observed in early 2016 and mainly associated with spam campaigns fueled by the Necurs botnet, Locky was relatively silent in early 2017, but reemerged in new campaigns in April and June, and began ramping up activity in early August.
In late August, Locky started appearing in numerous campaigns, and is currently featured in attacks that ramp up to tens of millions of spam messages per day, targeting users all around the world. According to Trend Micro, the runs affect users in over 70 countries.
In most of the newly observed attacks, Locky has been distributed alongside another ransomware family calked FakeGlobe, also known as Globe Imposter, Trend Micro says. The spam messages, which feature either malicious links or macro-enabled documents, direct users to Locky for one hour, and then switch to FakeGlobe the next.
“This is not the first time we’ve seen download URLs serving different malware in rotation. However, typically the malware were different types, pairing information stealers and banking Trojans with ransomware. Now we see that cybercriminals are simply doubling up on ransomware, which is quite dangerous for users,” Trend Micro points out.
While Trend Micro says it was able to block nearly 600,000 emails carrying Locky, Barracuda researchers this week saw over 27 million of such emails during a 24-hour period alone.
Most of the emails were sent from Vietnam, but India, Columbia, Turkey and Greece also accounted for large numbers of messages (overall, spam originated from a total of 185 different countries). Most of the affected users were located in the US, Japan, Germany, and China.
Panda Security has also observed the massive distribution campaigns and confirms that the runs started to grow in volume on Tuesday. At the moment, the researchers say, the attackers send around 1 million phishing messages every hour.
Most of the messages are disguised as fake Amazon Marketplace and Herbalife invoices, but phony printer orders have been observed. The emails contain an archive as attachment. While in some cases .zip files are used, other emails feature .7z or 7-zip attachments.
While some of the ransomware samples observed recently used the .lukitus variant of Locky, more recent samples are appending the .ykcol extension to the encrypted files. The malware would also drop ransom notes named ykcol.htm and ykcol.bmp, demanding a .25 Bitcoin (around $1,000) ransom.
As Fortinet points out, the recently used .ykcol extension is actually the original .locky extension spelled backwards. The researchers also noticed that the second wave of spam carried email subject “Message from km_c224e,” which was previously used in campaigns delivering Dridex and Jaff ransomware.
“Despite a few minor alterations, Locky is still the same dangerous ransom malware from a year ago. It has the capabilities and distribution network necessary to cause significant damage to any system unfortunate enough to be hit by it. Over the past few months, we have seen it distributing massive spam campaigns and we don’t see it slowing down any time soon,” Fortinet notes.
Related: Locky Ransomware Campaign Ramps Up