The wave was discovered by security researchers at AppRiver, who observed over 23 million messages (carrying Locky ransomware) sent in this attack, making it one of the largest malware campaigns they had seen in the second half of 2017.
According to researchers:
“Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file. Once clicked, the VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky Ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the user’s now-encrypted files.”
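One way a mail gateway or sandbox could flag the delivery pattern quoted above (a script file reachable only through a ZIP nested inside a ZIP) is shown below. This is an added example, not AppRiver's code or a campaign artifact: the sample attachments are constructed in memory, and the script extensions beyond .vbs are an assumption.

```python
import io
import zipfile

# Script types that have no business arriving inside a mail attachment.
# .vbs is the one the quoted campaign used; the others are an assumption.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def find_nested_scripts(zip_bytes, depth=0, max_depth=3, path=""):
    """Walk a ZIP and any ZIPs nested inside it; return (depth, path) for each script file.

    Nested archives are detected by their 'PK' magic bytes, not by extension,
    so renaming inner.zip to inner.dat does not hide it. max_depth bounds recursion."""
    findings = []
    if depth > max_depth:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings  # not a ZIP (or corrupt): nothing to inspect here
    for info in zf.infolist():
        full = f"{path}/{info.filename}" if path else info.filename
        if info.filename.lower().endswith(SCRIPT_EXTS):
            findings.append((depth, full))
            continue
        data = zf.read(info)
        if data[:2] == b"PK":  # inner archive: recurse one level deeper
            findings.extend(find_nested_scripts(data, depth + 1, max_depth, full))
    return findings

def is_suspicious_attachment(zip_bytes):
    """True when a script file is found at any nesting depth (depth 1+ matches the campaign)."""
    return bool(find_nested_scripts(zip_bytes))

def build_sample():
    """Constructed sample mirroring the quoted chain: outer.zip -> inner.zip -> invoice.vbs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.vbs", "' placeholder body, constructed for this example\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

def build_benign_sample():
    """Constructed benign attachment: a single PDF, no nested archive, no script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()
```

Reporting the nesting depth alongside the path lets a triage rule treat a script two archives deep as a stronger signal than one sitting at the top level.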
The delivery method might seem basic, but it is worth remembering that only a handful of the millions of messages sent need to deliver the malicious payload successfully for the attackers to turn a profit.
After the files have been encrypted, the attackers leave decryption instructions by replacing the desktop background with an image containing those instructions, and by dropping an HTM file named “Lukitus.htm” on the desktop.
“The victim is instructed to install the TOR browser and is provided an .onion (aka Darkweb) site to process payment of .5 Bitcoins, which currently amounts to an eye-popping $2,150. Once the ransom payment is made, the attackers promise a re-direct to the decryption service. Here’s a look at that page:”