Criminals behind Locky and Mamba ransomware are back in business

The most dangerous cyber criminals do not take a break – new ransomware attacks spotted in August 2017

Ransomware developers, just like regular people, do not like to spend summer time sitting in front of a computer, so the activity of these malicious viruses usually slows down noticeably during the warm season. Unfortunately, that cannot be said about developers of disastrous viruses.

It seems that authors of the most dangerous ransomware viruses of 2017 introduced their extortion tools to the world exactly during the summer. The first one to step in was WannaCry^[1], which was used during the global cyber attack in May. A little later, NotPetya/Petya made its debut^[2], infecting thousands of computers across the globe.

For a while, it seemed that ransomware developers decided to take a break during summer holidays. Unfortunately, the calm period didn’t last that long – in August 2017, Locky made a comeback with Diablo6 ransomware version^[3], and the cyber gang behind disastrous Mamba ransomware started spreading the malicious software again.

The comeback of Locky

For a while, it seemed that Locky ransomware stepped aside and allowed the infamous Cerber virus to dominate. Although it was always there, no exceptionally big distribution campaigns were noticed.

However, on August 9th, 2017, Locky virus made a comeback, introducing the new Diablo6 version. The virus is heavily distributed via two spam campaigns that deliver malicious files set to download the virus from compromised domains. Let’s overlook these campaigns – it can help you to recognize the malicious emails!

The first spam campaign used by Diablo6 relies on messages with a subject line similar to E 2017-08-10 (478).docx. The date and the numbers might differ. The email contains a short message “Files attached. Thanks” and a ZIP attachment named 2017-08-10 (478).ZIP. This archive contains a VBS script that, once executed, connects to malicious domains, downloads and executes Locky Diablo6.

The second spam campaign spreads malicious PDF files called as IMG_5342.pdf. The numbers may differ, but the innocent look of the file can convince inexperienced users to open it. The PDF file contains an embedded DOCM file with Macros in it. Traditionally, one needs to activate Macros by enabling content in order to start the malicious process that downloads Locky from a remote server. The ransomware gets executed instantly.

Considering how dangerous Locky is^[4], users should take every possible action to protect their computers from this disastrous virus. Installing a decent security program and creating a data backup are the basics you should start with. It goes without saying that staying from unexpected email messages is a must, too.

Mamba returns and hits Saudi Arabia, Brazil

If you have never heard about Mamba ransomware, we can say two facts about it – it is a disk-encrypting ransomware, and it managed to infect the entire San Francisco Municipal Railway network^[5], allowing people to take free rides until the computer system was fixed.

It seems that the virus returned and spreads rapidly. Cyber security experts have already reported that several companies in Saudi Arabia and Brazil fell victims to Mamba ransomware.

The cyber crime gang behind Mamba uses psexec utility to run the ransomware on a compromised system. Each computer in the compromised network gets a different password for a DiskCryptor utility that the ransomware uses to corrupt data. Once the encryption is complete, the virus reboots the system and displays a note on the screen. The virus suggests writing to mrcrypt2017@yandex.ru or citrix2234@protomail.com “for key.”

Mamba virus doesn’t provide the price of the decryption key like other crypto-ransomware viruses do. Instead, it decides how much money to ask from the victim based on the number of computers infected.