Locky returns with a new spam email campaign

Withdrawal from the fame of the dark web was just the silence before the storm for the Locky ransomware. Malwarebytes' Cyber tactics and techniques Q1 2017 report made us question[1] what had happened to this hazardous cyber threat, and gave us hope that the cybercriminals had decided to leave this shady business. However, the ransomware's authors were probably laughing at such talk while preparing a new spam campaign. Recently, malware researchers spotted a new wave of spam emails carrying this parasite.[2] It seems the cybercriminals have decided to come back and earn more money from innocent computer users.

Locky ransomware started spreading again via malicious spam emails

The new malicious spam email campaign tries to convince people that they have received a payment. Users can recognize these emails by subject lines such as “Payment Receipt 2724,” “Payment Receipt_739,” “Payment#229,” “Receipt 435,” etc. The numbers vary, as do the senders' names and email addresses. The crooks pretend to be from various organizations and companies, using random people's names and contact details; if you call the provided number to get more information, or look up the sender online, you will not find what you expect. Before opening such emails, and especially the documents attached to them, you should learn to recognize a suspicious email.[3]

The malicious emails carry an attached PDF document named with a random string of letters and numbers, for instance P72732.pdf. This obfuscated document contains the Locky virus. Although the file has a .pdf extension, clicking on it opens a Word file. This behaviour alone should look suspicious, and users should close the document immediately. However, a notification about the need to enable macro commands may stop some people: it states that the file is protected and that users need to click the “Enable Content” button in order to see it. Instead, clicking the button downloads the Locky binary. Cybercriminals have used the same trick before.[4] The malware is saved as %Temp%\redchip2.exe and executed. It immediately starts encrypting files with the RSA-2048 and AES-128 algorithms and appends the .OSIRIS extension.
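As an added illustration (not code from the article or from 2-spyware), here is a defender-side check in Python for the two observable steps of the chain just described: an Office process launching an executable from the user's %Temp% folder, and a burst of files receiving the .OSIRIS extension. The telemetry is constructed for the example; the user name, paths, window and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (simplified Sysmon-style records), not real logs.
# redchip2.exe and the .OSIRIS extension are the names reported in the article;
# the user name, paths and timestamps are invented for this example.
PROC_EVENTS = [
    {"ts": 100, "pid": 1, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\redchip2.exe"},
    {"ts": 101, "pid": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"ts": 103, "pid": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_7z.exe"},
]
# (timestamp, pid, file path) file-create events: pid 1 mass-renames, pid 3 does not
FILE_EVENTS = [(102 + i, 1, rf"C:\Users\alice\Documents\doc{i}.docx.OSIRIS") for i in range(6)]
FILE_EVENTS += [(200, 3, r"C:\Users\alice\Desktop\old.OSIRIS"),
                (900, 3, r"C:\Users\alice\Desktop\older.OSIRIS")]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe")
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)

def office_spawned_temp_exe(events):
    """Process-creation events where an Office app or PDF reader launched an .exe
    directly from the user's %Temp% folder (the macro-to-payload step)."""
    return [e for e in events
            if e["parent"].lower().endswith(OFFICE_PARENTS)
            and TEMP_EXE_RE.search(e["image"])]

def osiris_bursts(file_events, window=10, threshold=5):
    """PIDs that created at least `threshold` .OSIRIS files within `window` seconds,
    the mass-rename pattern of the encryption phase."""
    times_by_pid = defaultdict(list)
    for ts, pid, path in file_events:
        if path.lower().endswith(".osiris"):
            times_by_pid[pid].append(ts)
    flagged = set()
    for pid, times in times_by_pid.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(pid)
                break
    return flagged

if __name__ == "__main__":
    for e in office_spawned_temp_exe(PROC_EVENTS):
        print(f"ALERT pid {e['pid']}: {e['parent']} -> {e['image']}")
    print("encryption burst from pids:", sorted(osiris_bursts(FILE_EVENTS)))
```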

The most dangerous cyber threat of 2016 is still undecryptable. It is therefore better to take all possible precautions and be cautious with received emails if you do not want to pay a ransom to the developers of Locky. Still, you should be prepared for the worst: we highly recommend making data backups.[5] In an emergency they will be more than important.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
