The second wave of the Locky ransomware has started!


The wave was discovered by security researchers from AppRiver, who have seen over 23 million messages carrying Locky ransomware sent in this attack, making it one of the largest malware campaigns they have seen in the second half of 2017.

According to researchers:
“Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file. Once clicked, the VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky Ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the user's now-encrypted files.”

While the delivery method might seem basic, it is worth remembering that only a handful of the millions of messages sent need to successfully deliver the malicious payload to supply the attackers with some profit.

After the files have been encrypted, the attackers leave decryption guidance by replacing the desktop background with an image containing instructions, as well as an HTM file on the desktop named “Lukitus.htm”.
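As an added example (not from the AppRiver report or this article), the following Python triage helper flags the attachment layout described above, a VBS script nested inside a second ZIP, and counts the post-encryption artefacts named in the report (.lukitus files and the Lukitus.htm note). The sample attachment and file paths are constructed for the example; the VBS body is an inert comment, not the real downloader.

```python
import io
import zipfile
from pathlib import PurePosixPath, PureWindowsPath

# Script extensions that should never arrive inside a mail attachment archive.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a ZIP archive


def find_scripts_in_zip(data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return (depth, member name) pairs for script files inside a ZIP,
    recursing into nested ZIPs as in the Lukitus attachment layout."""
    hits = []
    if depth > max_depth or not data.startswith(ZIP_MAGIC):
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = PurePosixPath(info.filename).suffix.lower()
                if ext in SCRIPT_EXTS:
                    hits.append((depth, info.filename))
                    continue
                blob = zf.read(info)  # nested archives are detected by magic, not by name
                if blob.startswith(ZIP_MAGIC):
                    hits.extend(find_scripts_in_zip(blob, depth + 1, max_depth))
    except zipfile.BadZipFile:
        pass  # corrupt archive: nothing to report from this layer
    return hits


def lukitus_indicators(paths) -> dict:
    """Count the post-encryption artefacts from the report in an iterable of Windows
    file paths (e.g. from os.walk or a file-event feed): .lukitus files and Lukitus.htm."""
    names = [PureWindowsPath(p) for p in paths]
    encrypted = sum(1 for p in names if p.suffix.lower() == ".lukitus")
    notes = sum(1 for p in names if p.name.lower() == "lukitus.htm")
    return {"encrypted": encrypted, "notes": notes, "match": encrypted > 0 and notes > 0}


def build_sample_attachment() -> bytes:
    """Constructed sample with the described layout: outer ZIP -> inner ZIP -> .vbs."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_0912.vbs", "' inert placeholder, not the real downloader\r\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice_0912.zip", inner.getvalue())
    return outer.getvalue()
```

A mail gateway rule built on `find_scripts_in_zip` would quarantine any attachment where a script turns up at depth 1 or deeper, which is the layout this campaign relies on.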

“The victim is instructed to install the TOR browser and is provided an .onion (aka Darkweb) site to process payment of .5 Bitcoins, which currently amounts to an eye popping $2,150. Once the ransom payment is made the attackers promise a re-direct to the decryption service. Here’s a look at that page:”


Eslam Medhat

is a professional pen-tester with over 9 years of IT experience, bringing a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He has reported various vulnerabilities to high-profile companies and vendors and has been acknowledged by them.
