Locky Ransomware has returned with a spam campaign

A security researcher known by the nickname “Racco42” found a new campaign pushing a fresh Locky variant through spam emails whose subject lines follow the pattern E [date] (random_num).docx, for example E 2017-08-10 (698).docx. The message body contains “Files attached. Thanks”.

According to Racco42:
“#locky is back with “E 2017-08-09 (xxx).doc” campaign https://pastebin.com/Qbr66946”

  Email sample:
  ————————————————————————————————————–
  From: [email protected][REDACTED]
  To: [REDACTED]
  Subject: E 2017-08-09 (87).xls
  Date: Mon, 24 Jul 2017 07:51:08 +0000
  Attachment: “E 2017-08-09 (87).zip” -> “E 2017-08-09 (443).vbs”
  ————————————————————————————————————–
  – sender address is faked to look to be from same domain as recipient
  – subject is “E 2017-08-09 (<2-3 digits>).<doc|docx|xls|xlsx|jpg|tiff|pdf|jpg>”
  – email body is empty
  – attached file “E 2017-08-09 (<2-3 digits>).zip” contains file “E 2017-08-09 (<2-3 digits>).vbs” a VBScript downloader

These emails carry a compressed (zip) attachment named after the subject line, and the archive holds a VBS downloader script. The script contains one or more URLs from which it downloads the Locky ransomware executable into the Windows %Temp% folder and then executes it.
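A mail-gateway triage rule built from the indicators above, written as an added example rather than code from the original post. It scores a message on the four traits Racco42 lists (subject pattern, empty or boilerplate body, sender domain matching the recipient, zip containing a .vbs) and only flags it when the subject pattern and the zip-to-VBS pair both appear; the sample messages and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Subject pattern from the campaign: "E <YYYY-MM-DD> (<2-3 digits>).<ext>"
SUBJECT_RE = re.compile(
    r"^E \d{4}-\d{2}-\d{2} \(\d{2,3}\)\.(doc|docx|xls|xlsx|jpg|tiff|pdf)$",
    re.IGNORECASE,
)
# The zip attachment reuses the same naming scheme
ZIP_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d{2,3}\)\.zip$", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: dict  # attachment name -> member names (empty list if not an archive)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def locky_indicators(msg: Message) -> list:
    """Return the campaign traits present in msg, as human-readable strings."""
    hits = []
    if SUBJECT_RE.match(msg.subject.strip()):
        hits.append("subject matches 'E <date> (<n>).<ext>'")
    body = msg.body.strip().lower()
    if body == "" or body == "files attached. thanks":
        hits.append("empty or boilerplate body")
    if domain(msg.sender) == domain(msg.recipient):
        hits.append("sender domain matches recipient (likely spoofed)")
    for name, members in msg.attachments.items():
        if ZIP_RE.match(name) and any(m.lower().endswith(".vbs") for m in members):
            hits.append(f"zip attachment '{name}' contains a VBScript")
    return hits


def is_suspect(msg: Message) -> bool:
    # Subject pattern alone is weak evidence; require the zip->vbs pair as well.
    hits = locky_indicators(msg)
    return any(h.startswith("subject") for h in hits) and any("VBScript" in h for h in hits)


# Constructed samples (placeholder domains, not real campaign data)
SAMPLES = [
    Message("invoices@example.org", "bob@example.org", "E 2017-08-09 (87).xls", "",
            {"E 2017-08-09 (87).zip": ["E 2017-08-09 (443).vbs"]}),
    Message("carol@example.net", "bob@example.org", "Q3 report", "Hi Bob, see attached.",
            {"report.zip": ["report.xlsx"]}),
    Message("dave@example.net", "bob@example.org", "E 2017-08-10 (698).docx",
            "Files attached. Thanks", {"E 2017-08-10 (698).docx": []}),
]
```

The third sample shows a message that matches the subject and body wording but carries a plain document, so it is reported but not flagged.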

Once executed, it encrypts all files. The new Locky variant renames each encrypted file and appends the “.diablo6” extension; after that it deletes the downloaded executable and displays a ransom note to the victim with instructions on how to pay the ransom.

Sadly, there is no way to recover the original files without paying the ransom of 0.49 Bitcoin (about $1,600 USD).
