Ransomware campaign pushes Locky and Globe Imposter in rotation

Locky ransomware authors work hardly again – new versions show up monthly

Locky virus’ authors probably are running out of names for the new versions of the ransomware project that currently contains more than ten different crypto-ransomware variants. The new version, which was released on September 18th^[1], 2017, features Ykcol name, which is Locky spelled backward.

Cyber security experts claim that malware developers tend to relax during summer holidays and head back to “work” in September, and a very similar thing happened in Locky’s case.

It seems that authors of the virus were idling during the summer, however, in the middle of August 2017 they presented an updated Locky variant called Diablo6^[2]. Shortly enough, they introduced Lukitus virus, which was rampaging worldwide for more than a month.

Finally, on September 18th the cybercrime gang released Ykcol ransomware version, which is currently being pushed via Necurs botnet.

Same old ransomware distribution techniques continue to deliver Locky to computers worldwide

Malware such as ransomware, trojans, spying software and basically every illegal computer program is mostly distributed using malicious spam, or, in other words, reach users in the form of a deceptive email attachment or a link.

Despite the fact that Locky ransomware authors are experienced enough to employ more sneaky distribution techniques involving exploit kits or malvertising, they tend to stick with malspam (in most cases).

The new version known as Ykcol is also promoted via spam campaign that delivers fake “Status of invoice” emails containing a .7z or .rar attachments with a .vbs file inside.

What’s new is that the new Locky variants are downloaded from domains that serve two different ransomware versions. Experts from TrendMicro have noticed^[3] that criminals are “rotating” the malicious payload served on malicious domains, changing Locky versions with Globe Imposter versions alternately.

Therefore, opening the malicious file at different times can drop a different version of ransomware. According to Novirus.uk^[4], this distribution trick also gives us a reason to believe that Globe Imposter and Locky developers can be from the same cybercrime group.

Typical message body found in the malware-laden emails is:

Hello,
Could you please let me know the status of the attached invoice? I appreciate your help!
Best regards,
[name]
[fake contact details]
* Kindly note we will be closed Monday in observance of Labor Day *

Once extracted and opened, the malicious VBS file will connect to a remote domain that contains Ykcol virus payload. It will be activated by the same VBS script that the victim unknowingly opens.

Ykcol malware encrypts all files stored on disk using RSA and AES encryption ciphers and drops ykcol.bmp and ykcol.htm files with data recovery instructions.

Cyber extortionists drop the price of the ransom in Ykcol variant

As usually, ransomware authors set a certain ransom price for all victims. Speaking of Locky, the malicious virus is known for its tendency to ask for half a Bitcoin per affected computer. However, although Lukitus and Diablo6 versions still used to ask for 0.5 or 0.49 Bitcoin from the victims, Ykcol dropped the price of ransom significantly.

In fact, the developers of Locky reduced the price of the ransom in Bitcoins in half. Therefore, now Ykcol demands 0.25 Bitcoin “only.” Such drop in the ransom price can be explained by the sudden increase of the Bitcoin value^[5].