Cybercriminals are becoming more and more skilled regarding technological advancement and sophisticated planning techniques. The latest ransomware campaign is a true case of how hackers can trap users and cause widespread damage by simple tweaking of an already lethal malware.
According to security experts at AppRiver, the notorious Locky ransomware is back in action with utmost evilness. In the latest campaign attackers have sent out malicious Locky ransomware via a whopping 23 million infected emails.
AppRiver has posted a sample email that shows how effortlessly attackers managed to affect so many devices at once. The email has just a single sentence “download it here” and the sender’s name while the subject line is also chosen randomly from a standard list. There are simple terms used in the whole email such as documents, images, photos, pictures, and scans while ‘please print’ is the most complex phrase.
Sample email (Credit: AppRiver)
The attackers have tried to benefit from the naivety and unsuspicious nature of a large number of internet users. When one is launching ransomware to 23 million potential targets, then the campaign is bound to claim some victims. Those who did fell prey to this trap had to pay a considerable sum to regain access to their files, which at the time of this writing was about .5 Bitcoin (more than $2300) for a single device. You can easily imagine if there were even one or two thousand compromised devices out of the 23 million then the attackers would have easily made a few million dollars.
[q]Do not open unknown and/or spam emails[/q]
The latest attack is quite dangerous. The malware traffic outrage started on Monday at around 7 a.m. CST, exactly when workers in the US arrive at offices. They were welcomed by malicious, ‘extremely vague’ emails sitting in their inboxes, stated AppRiver security research manager Troy Gill.
The email contained a ZIP file attachment, which was a VBS (Visual Basic Script) file. Inside this attachment was another ZIP file. When the user clicked this second file, a downloader was executed, and the modified version of Locky was unleashed via “greatesthits[dot]mygoldmusic[dot com]” stated the AppRiver post.
Once downloaded, Locky ransomware starts encrypting entire data on the infected device and adds [.]lukitus to them. When encryption stage is completed, the attackers change computer’s desktop background with another image on which the instructions for decryption are noted and an HTML file named “Lukitus[dot]htm” is uploaded. Unsurprisingly, the victim is asked to install TOR browser first and then sent a Darkweb link for paying the demanded ransom. When the payment is received, the victim is redirected to decryption service.
A post from AppRiver informed that the campaign was launched all across the US earlier this week and it is reportedly one of the largest ransomware attacks in 2017’s second half. It is worth noting that ransomware remains the biggest cyber-threat since 2016 and its intensity has only increased over time with a 600% increase in ransomware attacks in comparison to last year. Last year Locky was the dominating malware while this year the top slot has been claimed by Cerber variants so far until Locky made a full throttle come back recently.
According to Gill, the attacks haven’t subsided or stopped yet, as per the post, AppRiver detected over 5.6 million messages on Monday and still there is no information about any method to reverse the Locky ransomware strain.
Therefore, to help out the users, AppRiver suggest regular updating of their computers’ software and hardware with security patches so that all the flaws and vulnerabilities are fixed timely, and ransomware or other malware exploits are prevented. In this regard, automatic software updates are your best bet, but you can also customize settings to get the newest updates regularly.
Moreover, it is important to install email and web protection software too so that ransomware is prevented from entering the network. Lastly, creating data backup always works because it lets you restore your important data and you are spared from paying such hefty sum to cyber criminals.
