The second wave of the Locky ransomware has been started!


The wave was discovered by security researchers from AppRiver, who have seen over 23 million messages carrying Locky ransomware sent in this attack, making it one of the largest malware campaigns they have observed in the second half of 2017.

According to researchers:
“Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file. Once clicked, the VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky Ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the user’s now encrypted files.”

While the delivery method might seem basic, it’s worth remembering that only a handful of the millions of messages sent need to successfully deliver the malicious payload to supply the attackers with a profit.
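The attachment chain described above (a ZIP that holds a second ZIP that holds a VBS file) is exactly the shape a mail gateway check can flag before a user ever double-clicks anything. The following is an added example, not code from the article or from AppRiver: it walks a ZIP attachment recursively, reports any script-type member along with its nesting chain, and caps the recursion depth so a crafted archive cannot make the scanner loop forever. The sample attachment it builds in memory is constructed and contains only harmless placeholder text; the extension list and the depth limit are assumptions chosen for illustration.

```python
import io
import zipfile

# Script-type extensions that have no business arriving as mail attachments.
# Assumed list for illustration; extend it to match local policy.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}

# Stop recursing into archives nested deeper than this (guards against
# archive-in-archive chains designed to exhaust the scanner).
MAX_DEPTH = 3


def find_script_payloads(zip_bytes, depth=0, prefix=""):
    """Return the paths of script files found in a ZIP, recursing into nested ZIPs.

    Nested members are reported as outer.zip!inner.vbs so an analyst can see
    the nesting chain the campaign relies on.
    """
    if depth > MAX_DEPTH:
        return [prefix + "<max nesting depth exceeded>"]
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # Not a ZIP at all (or corrupt): nothing to inspect here.
        return found
    with zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".zip"):
                inner = zf.read(info)
                found.extend(find_script_payloads(inner, depth + 1, prefix + name + "!"))
            elif any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                found.append(prefix + name)
    return found


def should_quarantine(zip_bytes):
    """Gateway decision: hold the message if any script payload was found."""
    return bool(find_script_payloads(zip_bytes))


def build_sample_attachment():
    """Construct (in memory) an attachment shaped like the one described in the
    article: a ZIP holding a second ZIP holding a VBS file. The VBS content is a
    constructed placeholder comment, not a downloader."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_0917.vbs", "' constructed placeholder, not the real script\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.zip", inner.getvalue())
        z.writestr("readme.txt", "plain text member, should not be flagged\n")
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print("script payloads:", find_script_payloads(sample))
    print("quarantine:", should_quarantine(sample))
```

The check keys on member names rather than content, which is deliberate for a first-pass gateway filter: the campaign depends on the user seeing and clicking a script file, so a script extension inside an attachment is itself the signal. Pair it with a size limit on extracted members if you deploy something like it.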

After the files have been encrypted, the attackers leave decryption guidance by replacing the desktop background with an image containing instructions, as well as an HTM file on the desktop named “Lukitus.htm”.

“The victim is instructed to install the TOR browser and is provided an .onion (aka Darkweb) site to process payment of .5 Bitcoins, which currently amounts to an eye-popping $2,150. Once the ransom payment is made the attackers promise a re-direct to the decryption service. Here’s a look at that page:”


Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at latesthackingnews.com, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]
