As many as 23 million emails containing Locky ransomware were sent in 24 hours, say researchers.
Over 23 million emails containing Locky were sent in a short amount of time. Image: AppRiver
Once considered almost dead, Locky ransomware has continued its resurgence with a new email distribution campaign which researchers say is one of the largest malware campaigns of this half of the year.
Over 23 million messages containing Locky were sent in just 24 hours on 28 August, with the attacks spiking in time to hit US workers as they arrived at their desks on Monday morning.
The new campaign was discovered by researchers at AppRiver who say it represents “one of the largest malware campaigns seen in the latter half of 2017”
Millions of emails were sent with subjects such as ‘please print’, ‘documents’ and ‘scans’ in an effort to spread Locky ransomware.
The malware payload was hidden in a ZIP file containing a Visual Basic Script (VBS) file, which if clicked, goes to download the latest version of Locky ransomware – the recently spotted Lukitus variant – and encrypts all the files on the infected computer
Locky distribution email. Image: AppRiver
While the delivery method might seem basic, it’s worth remembering that only a handful for the millions of messages sent need to successfully deliver the malicious payload to provide the attackers with a significant profit.
Victims unfortunate to succumb to Locky are presented with a ransom note demanding 0.5 Bitcoins [$2,300/£1800] in order to pay for “special software” in the form of “Locky decryptor” in order to get their files back.
Instructions on downloading and installing the Tor browser and how to buy Bitcoin are provided by the attackers in order to ensure victims can make the payment.
Unfortunately for victims of Locky, researchers are yet to crack the latest version of the ransomware in order to provide free decryption tools.
Locky is one of the most successful families of ransomware of all time, rising to prominence during 2016 following a number of high profile infection incidents. Indeed, Locky was so successful that at one point it was one of the most common forms of malware in its own right.
But Locky has since had its position of king of ransomware usurped by Cerber, although this sudden resurgence shows that it remains very much a threat, especially as there isn’t a free decryption tool available to come to the aid of infected victims.
This isn’t the first time Locky has reappeared after a period of inactivity – the ransomware appeared to stop spreading in December last year before coming back to life in January.
While it has never reached the scale it had last year, those behind Locky are still working on it to add new tricks to make it stronger and easier to spread, meaning it still poses a threat.