Is WannaCry Back? Suspicious ransomware attack hit LG Electronics

LG Electronics was hit by ransomware that uses code identical to WannaCry's

LG Electronics’ self-service kiosks in South Korea were hit by ransomware on Monday, August 14. According to the initial investigation data,[1] the malware used code identical to that of WannaCry, which caused worldwide havoc in May.[2]

Fortunately, the company shut down the network immediately, and the ransomware did not encrypt any files. The incident was reported to the Korea Internet & Security Agency (KISA), which is helping to investigate it.

LG officially claimed that it had installed all the security updates needed to avoid WannaCry; nevertheless, that might not be true. Currently known variants of WannaCry launch the attack by exploiting a Microsoft SMB vulnerability. Users were therefore warned numerous times to patch this security flaw to protect personal or business information.[3]

However, until an official statement about the attack is released, these are only assumptions. If the company had patched its systems and still suffered from WannaCry, it might be the start of a new distribution campaign of the hazardous file-encrypting virus.

In the shadow of the WannaCry: new variants of Locky virus emerge

The WannaCry outbreak in May was definitely the biggest cyber attack this year, and it is on a par with the appearance of the Locky virus last year. However, after months of silence, cyber criminals have returned with new versions of the infamous cyber threat: Diablo6 and Lukitus.[4]

It seems that ransomware developers are taking advantage of the never-ending discussions about WannaCry to distribute new malicious programs in silence. Indeed, judging by the latest security news, not much attention has been given to the active distribution of the latest Locky variant.

The malware, known as Lukitus, is expected to expand soon and take millions of files hostage. Currently, it is actively spreading via malicious spam emails that either have no subject line or have an “Emailing [random characters]” title.

The email itself includes a zip or rar archive that contains obfuscated JS files. Once these files are opened, they download the malware payload from one of these domains and execute it on the system (please do not try to check these sites yourself; it might be dangerous!):

  • http: // angel demon [.] com / jbYUF6D
  • http: // Antibody Services [.] net / jbYUF6D
  • http: // ttytreffdrorseder [.] net / of / jbYUF6D
  • http: // asliozturk [.] com / jbYUF6D
  • http: // antwerpiastamps [.] BE / jbYUF6D
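A mail-gateway triage check for the delivery traits described above (a missing or "Emailing [random characters]" subject together with a zip or rar attachment carrying JS files), as an added example that is not part of the original article. The function names, the constructed sample message and the rule of quarantining only when both traits coincide are assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject trait from the article: "Emailing" followed by random characters.
SUBJECT_RE = re.compile(r"^Emailing\b", re.IGNORECASE)

def scripts_in_archive(name, data):
    """List .js members of a zip attachment. RAR needs an external unpacker,
    so a .rar attachment is only reported by name (stdlib limitation)."""
    lower = name.lower()
    if lower.endswith(".rar"):
        return [name + " (rar, not inspected)"]
    if not lower.endswith(".zip"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".js")]
    except zipfile.BadZipFile:
        return [name + " (unreadable zip)"]

def triage(raw):
    """Check one raw message for the subject and attachment traits together."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    odd_subject = not subject or bool(SUBJECT_RE.match(subject))
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hits += scripts_in_archive(part.get_filename() or "", data)
    # Either trait alone is common in benign mail; quarantine on both.
    return {"quarantine": odd_subject and bool(hits),
            "odd_subject": odd_subject, "archived_scripts": hits}

def build_sample(subject, member):
    """Constructed message: a zip attachment holding one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder, not malware\n")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    if subject:
        msg["Subject"] = subject
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan_0417.zip")
    return msg.as_bytes()
```

Messages that match should go to a quarantine queue for analyst review rather than be deleted, since the subject check alone also matches benign mail.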

To communicate with its Command and Control (C&C) server, the Lukitus virus uses a Domain Generation Algorithm (DGA) that relies on a number of malicious domains, such as:

  • http: // sorqjivpyfrwlo [.] Click / imageload.cgi
  • http: // dxeqiniexovy [.] org / imageload.cgi
  • http: // kokalgfsnepogq [.] ru / imageload.cgi
  • http: // kljidoejmiqx [.] org / imageload.cgi
  • http: // jcanepkjyu [.] biz / imageload.cgi

As soon as all malicious files are installed on the system, the ransomware starts encrypting files, renaming them and appending the .lukitus file extension. Then it delivers a ransom-demanding message in the lukitus.htm and lukitus.bmp files, which inform the victim of the need to obtain the Locky decryptor for 0.49

Backup, update and stay safe: tips to avoid ransomware

The online community should be prepared for the comeback of WannaCry and Locky. Therefore, it’s time to update backups, install all available security and software updates, and remember email security recommendations.[5]

  • Stay away from spam emails.
  • Do not open attachments in unknown emails.
  • Do not click on unknown links included in the email.
  • Before opening the provided content, look for grammar or spelling mistakes that might give cyber criminals away.
  • Check the information about the sender online.

Finally, if you have suffered from ransomware, please do not pay the ransom and do not sponsor further cyber crimes!

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.
