Locky Returns via Spam and Dropbox-Themed Phishing AttacksMassive Ransomware Campaign Flings 23 Million Emails in Just 24 Hours
A new attack campaign has been flinging phishing messages as well as ransomware-laced spam emails at potential victims in massive quantities.
See Also: Attivo Deception MITRE Shield Mapping
The attack campaign involves crypto-locking Locky ransomware.
"Beware. Don't fall for this. Locky is horrid," says Alan Woodward, a computer science professor at the University of Surrey.
The campaign began Monday, according to cloud-based cybersecurity provider AppRiver, which counted more than 23 million related spam emails having been sent in less than 24 hours. That makes it "one of the largest malware campaigns that we have seen in the latter half of 2017," says Troy Gill, manager of security research for AppRiver, in a blog post.
Finnish security firm F-Secure says that the majority of the spam messages that its systems are currently blocking relate to Locky. It notes that some spam contains links to infected sites, while other messages carry malicious attachments.
More than 90% of our spam-trap traffic is currently Locky related. Using simultaneously either URLs or attachments.— News from the Lab (@FSLabs) September 1, 2017
If a system becomes infected with this strain of Locky, crypto-locked files will have the extension ".lukitus" added, which is a Finnish word variously translated by native speakers as "locking" or "locked," according to F-Secure.
The Lukitus variant of Locky was first spotted last month. Rommel Joven, a malware researcher with security firm Fortinet, warned that it was being distributed via email attachments as part of a massive spam campaign being run by the one of the world's biggest botnets, Necurs, which has historically been the principle outlet for Locky attacks (see Locky Ransomware Returns With Two New Variants).
Spam Can Carry Locky Attachments
AppRiver says emails related to the new Locky campaign have featured a variety of subject lines, including these words: documents, images, photo, pictures, please print, scans.
"Each message comes with a zip attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary zip file," Gill says. "Once clicked, [the] VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the users now-encrypted files."
The ransomware then drops a ransom note on the victim's desktop. "The victim is instructed to install the Tor browser and is provided an .onion (aka Darkweb) site to process payment of 0.5 bitcoins" - currently worth $2,400 - Gill says. "Once the ransom payment is made the attackers promise a redirect to the decryption service."
As of Friday, meanwhile, Xavier Mertens, a freelance security consultant and SANS Institute Internet Storm Center contributor based in Belgium, says he's seeing a new wave of malicious spam that uses emails that pretend to carry voice messages.
Internet Storm Center reports that some malicious messages tied to Locky are showing fake alerts stating that the HoeflerText font needs to be installed.
Dropbox-Themed Phishing Variation
Not all of the Locky spam emails arrive with malicious attachments; some are designed as phishing attacks that redirect users to real-looking but malicious sites.
Peter Kruse, an e-crime specialist at CSIS Security Group in Denmark, says some emails related to this ransomware campaign are skinned to look like they've come from Dropbox. Some will attempt to trick recipients into clicking on a "verify your email" link. Kruse says the attacks are being launched by the group tied to the Affid=3 [aka affiliate ID=3] version of Locky.
If victims click on the link, they're redirected to one of a number of websites. Often, these are legitimate sites or hosting accounts that have been accessed by attackers who add a malicious "dropbox.html" file to the home directory.
The dropbox.html file that loads is designed to look like the legitimate Dropbox site.
Clicking on a link can result in a zipped attack file being downloaded, per the VBS attack detailed above, according to security researcher JamesWT, a former member of the anti-malware research group called Malware Hunter Team.
It's not clear how many people may have fallen victim to the new Locky or Shade campaigns or have paid the demanded ransom. The bitcoin address shown in one Locky ransom message, for example, has received no payments.
Locky: No Free Decoder
Security researchers have sometimes been able to create free decryptors for victims whose files have been crypto-locked - and the originals deleted - by ransomware (see Two New Ransomware Decryptors Give Victims a Free Out).
Such decryptors may exploit errors ransomware developers made when attempting to implement their encryption scheme. Or sometimes, the encryption keys used by attackers can fall into security researchers' hands, for example, if police bust a cybercrime gang, if a rival gang hacks and doxes their competition, or if attackers simply show some belated remorse.
Unfortunately, "there currently are no publicly shared methods to reverse this Locky strain," AppRiver's Gill says.
To defend against ransomware attacks, and avoid ever having to consider paying a ransom, security experts recommend using anti-malware software and keeping the software, as well as signatures, as current as possible. Also keep current backups of all systems, and store those backups offline, because many types of crypto-locking can encrypt files not just on hard drives, but also reachable via the network or cloud services.
Updated (September 1) to note that some related attacks have been hitting victims with Shade ransomware instead of Locky.