Locky Ransomware has returned with a spam campaign

Share if you likedShare on Facebook0Share on Google+3Tweet about this on TwitterShare on LinkedIn16

A security researcher with the nickname “Racco42‏” found a new campaign that was pushing a new Locky variant that spread through spam emails that contain subject lines similar to E [date](random_num).docx. For example, E 2017-08-10 (698).docx. The message body contains “Files attached. Thanks”.

According to Racco42‏:
“#locky is back with “E 2017-08-09 (xxx).doc” campaign https://pastebin.com/Qbr66946″

  1. Email sample:
  2. ————————————————————————————————————–
  3. From: Jeanne@[REDACTED]
  4. To: [REDACTED]
  5. Subject: E 2017-08-09 (87).xls
  6. Date: Mon, 24 Jul 2017 07:51:08 +0000
  7. Attachment: “E 2017-08-09 (87).zip” -> “E 2017-08-09 (443).vbs”
  8. ————————————————————————————————————–
  9. – sender address is faked to look to be from same domain as recepient
  10. – subject is “E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>”
  11. – email body is empty
  12. – attached file “E 2017-08-09 (<2-3 digits>).zip” contains file “E 2017-08-09 (<2-3 digits>).vbs” a VBScript downloader

These emails have a compressed file attached (zip) that use the same subject name, the attached file holds a VBS downloader script. The script contains one or more URLs that will be used to download the Locky ransomware executable to the Windows %Temp% folder and then execute it.

Once it executed, it will encrypt all files. The new Locky ransomware will then modify the file name and then add the “.diablo6.”, after that, it will remove the downloaded file (exe) and then display a ransom note to the victim that presents information on how to pay the ransom.

Sadly, it is not possible to recover the original files unless you pay a ransom of 0.49 Bitcoin (about $1,600 USD).

 

Share if you likedShare on Facebook0Share on Google+3Tweet about this on TwitterShare on LinkedIn16

Eslam Medhat

is a professional pen-tester with over 9 years of IT experience bringing a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He reported various vulnerabilities for high profile companies and vendors and was successfully acknowledged by them.

Leave a Reply