The Hacker News — Cyber Security, Hacking, Technology News

Whenever we feel like the Locky ransomware is dead, the notorious threat returns with a bang.

Recently, researchers from two security firms have independently spotted two mass email campaigns, spreading two different, but new variants of the Locky ransomware.

Lukitus Campaign Sends 23 Million Emails in 24 Hours

The campaign spotted by researchers at AppRiver sent out more than 23 million messages containing Locky ransomware in just 24 hours on 28 August across the United States in what appears to be one of the largest malware campaigns in the second half of this year.

According to the researchers, the emails sent out in the attack were "extremely vague," with subjects lines such as "please print," "documents," "images," "photos," "pictures," and "scans" in an attempt to convince victims into infecting themselves with Locky ransomware.

The email comes with a ZIP attachment (hiding the malware payload) that contains a Visual Basic Script (VBS) file nested inside a secondary ZIP file.

Once a victim tricked into clicking it, the VBS file starts a downloader that downloads the latest version of the Locky ransomware, called Lukitus (which means "locked" in Finnish), and encrypts all the files on the target computer, and appends [.]lukitus to the encrypted data.

After encryption process ends, the malware displays a ransomware message on the victim's desktop that instructs the victim to download and install Tor browser and visit the attacker's site for further instructions and payments.

This Locky Lukitus variant demands a sum of 0.5 Bitcoin (~$2,300) from victims to pay for a "Locky decryptor" in order to get their files back.

This Lukitus attack campaign is still ongoing, and AppRiver researchers had "quarantined more than 5.6 million" messages in the campaign on Monday morning.

Sadly, this variant is impossible to decrypt as of now.

2nd Locky Campaign Sends over 62,000 Emails

In separate research, security firm Comodo Labs discovered another massive spam campaign earlier in August, which sent out over 62,000 spam emails containing a new variant of Locky ransomware in just three days in the first stage of the attack.

Dubbed IKARUSdilapidated, the second variant of Locky ransomware has been distributed using 11,625 different IP addresses in 133 different countries—likely made of a botnet of "zombie computers" to conduct coordinated phishing attacks.

According to security researchers at Comodo, "this is a large-scale, email-based ransomware attack in which a new Trojan malware variant appears as an unknown file and can slip into unsuspecting and unprepared organizations' infrastructures."

The original attack that was first identified on August 9 and lasted three days utilized spam email messages that also contained a malicious Visual Basic Script (VBS) attachment, which if clicked, follows the same functioning as mentioned in the above case.

The cyber criminals operating Locky's IKARUSdilapidated variant demands ransom between 0.5 Bitcoin (~$2,311) and 1 Bitcoin (~$4,623) to get their encrypted files back.

This massive Locky ransomware campaign targets "tens of thousands" of users across the globe, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia.

Here's How to Protect Yourself From Ransomware Attacks

Ransomware has become one of the biggest threats to both individuals and enterprises with the last few months happening several widespread ransomware outbreaks, including WannaCry, NotPetya, and LeakerLocker.

Currently, there is no decryptor available to decrypt data locked by above Locky ransomware variants, so users are strongly recommended to follow prevention measures in an attempt to protect themselves.

Beware of Phishing emails: Always be suspicious of uninvited documents sent via an email and never click on links inside those documents unless verifying the source.

Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Keep your Antivirus software and system Up-to-date: Always keep your antivirus software and systems updated to protect against latest threats.

Ransomware has been around for a few years, but in last two years, it has become one of the fastest growing threats to businesses and users across the world, so will be in 2017.

Ransomware is a piece of malware that encrypts files on your computer with strong encryption algorithms and then demands a ransom money in Bitcoin to decrypt the data so you can regain access to your encrypted files.

We have seen some nastier ransomware infections over the past couple of years. The most interesting one was Popcorn Time that decrypts victims files for free if they pass the infection on to other people.

Now, a new strain of ransomware takes the infection to a whole new level of craziness.

Dubbed Koolova, the ransomware will restore your encrypted files for free, just like Popcorn Time. The only difference between both the infections is that you don't have to infect others to get free decryption key.

Instead, all you have to do is educate yourself about ransomware by reading two cyber security awareness articles about avoiding the infection.
Discovered by security researcher Michael Gillespie, the Koolova ransomware is not professionally coded and appears to be a work in progress.

The ransomware requires a lot of technical knowledge to get to the ransom demand screen that asks victims what they need do in order to avoid erasure of their data.

Once infected, Koolova encrypts the victim's files and then displays a warning screen where the text tells the victim to open and read two articles before they can get the ransomware decryption key.

If the victim is too lazy to read both articles, Koolova starts a countdown that if gets to zero, the ransomware will delete the encrypted files like Jigsaw malware.

But once the victim reads both articles, the Decrypt My Files (Decripta i Miei File) button becomes available. On clicking this button, Koolova will connect to the Command-and-Control (C&C) server and retrieve the decryption key.

The victim will then be able to take that decryption key and enter it into the key field to decrypt files.

Although the motive behind the ransomware attack is not to harm people, these kinds of actions are considered to be illegal in many countries. On January 1, a new law went into effect in California that outlaws the use of ransomware.

Do you consider educating people about any threat like this a good practice? Hit the comments below.

No More Ransom, so is the Ransomware Threat.

The European Police agency Europol has joined forces with police and cyber security companies to launch a worldwide initiative to combat and tackle together the exponential growth of Ransomware used by cyber criminals.

Europol announced today the initiative, dubbed NO More Ransom, that has been backed by technology giant Intel, cyber security firm Kaspersky Lab and the Netherlands police, aiming at decreasing an "exponential" rise in Ransomware threat.

Ransomware is a piece of malware that typically locks victim's device using encryption and demands a fee to decrypt the important data. The estimated number of ransomware victims tripled in the first quarter of this year alone.

"For a few years now ransomware has become a dominant concern for EU law enforcement," said Europol's deputy director Wil van Gemert. "We expect to help many people to recover control over their files, while raising awareness and educating the population on how to maintain their devices clean from malware."

No More Ransom

This No More Ransom initiative informs the public about the dangers of ransomware threat, how to avoid falling victim to it and how to recover data without paying money to cyber-criminals if a person or company falls for one.

Also Read: Ransomware attacks on Hospitals put Patients at Risk

The new No More Ransom online portal provides users with downloadable tools that may help decrypt computers affected by ransomware attacks.

In its initial stage, NoMoreRansom.org contains four decryption tools for ransomware, including the notorious CryptXXX and the CoinVault and Bitcryptor families.

"We can only change the situation if we coordinate our efforts to fight against ransomware," said Jornt van der Wiel, security researcher at Kaspersky.

The portal also provides a "Crytpo Sherrif" section that allows people to upload more ransomware malware samples and a description to identify the type of ransomware threat affecting a system.

We saw an enormous rise in Ransomware, both in numbers and sophistication. The latest version of Cerber ransomware is so sophisticated that it generates a different sample in every 15 seconds to bypass signature-based antivirus software.

Must Read: Ransomware attacks Shuts Down Electric and Water Utility

One of the best advice to keep yourself safe from this emerging threat, is to backup all your important data regularly. Don't pay criminals the ransom, as it motivates them to keep on infecting a large number of people.

Some organizations have paid cyber criminal's demands, including the University of Calgary in Alberta, which paid $20,000 ransom to decrypt its computer systems' files and restore access to its own email system after getting hit by a ransomware infection.

In addition, you are always advised to keep your software up-to-date, use a reputed antivirus solution, and trust no one while opening any email or message attachments.