Some of the most notorious attacks involving Locky primarily target critical services, including hospitals in the United States.
In February 2016, Locky disrupted the Presbyterian Healthcare Services center in Hollywood, USA, prompting a state of emergency declaration due to the center's systems, databases, and vital information being encrypted and locked.
Alert: New variant of Locky ransomware poses significantly heightened threat
Hospitals that rely on electronic records for patient care, managing everything from appointments to care activities, face catastrophic disruption when those records and their backups are locked; in this case the hospital was forced to pay $17,000 in Bitcoin to unlock its data.
Locky is also linked to a ransomware campaign that occurred in August this year, involving up to 23 million fraudulent emails sent within just 24 hours.
According to a recent study by Cylance, a relatively new variant of Locky named Diablo6 has been discovered, engineered to evade detection and removal by traditional antivirus applications as well as end users.
In a blog post, the research team revealed that Diablo6 will execute a two-phase attack. The first phase involves a typical ransomware attack vector - phishing emails containing a .zip archive carrying the new Locky variant.
These emails will masquerade as legitimate correspondence, but the attached files actually contain VBS files. When opened and unpacked, they attempt to connect to Locky's Command-and-Control (C&C) server for instructions.
If the connection is successful, the VBS script downloads the ransomware. If this phase fails, a backup C&C server attempts to deliver the payload instead.
The term 'enterprise' is used during the connection process to trick users into believing it is a legitimate business utility. The VBS script parses a string to obtain the commands it executes, then downloads the payload and stores it in a temporary directory before running it and encrypting files.
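The delivery chain described above (a .zip attachment carrying a VBS downloader, which fetches a payload into a temporary directory and runs it) is something a defender can check for at two points: at the mail gateway, before the archive reaches a user, and in endpoint process-creation logs afterwards. The script below is an added example, not code from the article or from Cylance; the zip contents, the log records and their field names (pid, ppid, image, cmdline) are all constructed for the example.

```python
"""
Added example (not from the article or from Cylance): a defender-side triage
script for the delivery chain the article describes -- a phishing e-mail whose
.zip attachment carries a VBS downloader that fetches a payload into a
temporary directory and runs it.

Two checks are implemented:
  1. inspect_zip_attachment(): opens a zip attachment in memory and flags
     script-type members (.vbs, .js, .wsf, ...) that a mail gateway should
     quarantine rather than deliver.
  2. find_downloader_chains(): scans process-creation log records (constructed
     sample records below; the field names are assumptions) for a script host
     (wscript.exe / cscript.exe) launched on a script in a temp or download
     folder that then spawns an executable from a temp directory.
"""
import io
import zipfile
from typing import Dict, List

# Script extensions the Windows Script Host runs on a double-click.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\")


def inspect_zip_attachment(zip_bytes: bytes) -> List[str]:
    """Return the names of script-type members inside a zip attachment.

    Reading from bytes (not a path) is deliberate: a gateway should never
    extract untrusted archives to disk just to look at them.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Use the last extension; "invoice.doc.vbs" is still a script.
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(name)
    return flagged


def _in_temp_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def find_downloader_chains(events: List[Dict[str, str]]) -> List[str]:
    """Flag process-creation events matching the script-host downloader pattern.

    Each event is a dict with keys pid, ppid, image, cmdline (assumed schema,
    constructed for this example). A chain is reported when:
      - the parent is a script host started on a script in a temp/download
        folder, and
      - the child is an executable located in a temp folder.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_image = parent["image"].rsplit("\\", 1)[-1].lower()
        if (parent_image in SCRIPT_HOSTS and _in_temp_dir(parent["cmdline"])
                and e["image"].lower().endswith(".exe") and _in_temp_dir(e["image"])):
            hits.append(f"pid {e['pid']}: {parent_image} -> {e['image']}")
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a harmless text file plus a .vbs name.

    The .vbs member holds only a comment; it contains no downloader logic.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("invoice_2017.doc.vbs", "' placeholder: constructed sample\n")
    return buf.getvalue()


# Constructed sample process-creation records (hypothetical schema).
SAMPLE_EVENTS = [
    {"pid": "100", "ppid": "1", "image": "C:\\Windows\\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": "200", "ppid": "100", "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_2017.doc.vbs"'},
    {"pid": "300", "ppid": "200", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe",
     "cmdline": "payload.exe"},
    {"pid": "400", "ppid": "100", "image": "C:\\Program Files\\Editor\\editor.exe",
     "cmdline": "editor.exe"},
]

if __name__ == "__main__":
    print("flagged attachment members:", inspect_zip_attachment(build_sample_zip()))
    print("suspicious chains:", find_downloader_chains(SAMPLE_EVENTS))
```

Both checks are deliberately narrow: the gateway check keys on member names rather than content, so a script renamed to a non-script extension would pass it (but would then also not run on a double-click), and the log check looks only at the parent-child pair the article describes. In practice the second check is best fed from a process-creation source that records the full command line, since the temp-folder script path is what distinguishes this chain from legitimate script-host use.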
Locky ransomware variant Diablo6 targets all file types for encryption, including images, videos, backups, and zip files. After the encryption process completes, victims are presented with a ransom demand on their screens, and the encryption script self-deletes.
Domains registered with mail.com email addresses have been associated with Locky: 333 such domains were registered in 2016, and more recently in October this year.
Researchers are using registered domains to track Locky ransomware, which may also be linked to other ransomware variants.
'In some cases, attackers may make slight modifications to their code to evade detection by end users because that's when attackers distribute their malware,' said Cylance.
'This could very well be a Locky ransomware attack. With minimal effort, the perpetrators behind Locky just need to tweak a single part of the process that end users can never fix,' they added.
In other words, once malware is sophisticated enough to generate illicit revenue, new attack vectors, such as a series of email campaigns, are all it takes to sustain the operation.
This month, researcher Matthew Mesa of ProofPoint also discovered a new ransomware strain dubbed GIBON, a fresh variant that uses macros embedded in malicious documents to spread through phishing campaigns and lock users' computers. As GIBON is new and believed to be a variant of one of the most dangerous ransomware families of all time, Locky, its targets, demographics and origins are yet to be determined.
To guard against worst-case scenarios, it's advisable to download and use antivirus software on your computer. There are many antivirus software options available, such as KIS and BKAV, for you to choose from.
