Ykcol sneaks into users' system via .7z email attachments
There have been written so many articles about Locky ransomware (which again requires 0.5 BTC in ransom) reading alarming articles about its after-effects might have become dull. One of the distinguishable features is that it sticks to the same distribution campaign – spam emails; however, at the same time, it remains undecryptable. Thus, one might wonder how it still poses such a threat.
Six ransomware-delivering campaigns
Recent versions: Diablo6, Lukitus and now Ykcol have been grouped into one campaign called IKARUSdilapidated. They have struck the virtual community via a couple of consecutive campaigns. The only difference is the alternative browser extensions.
Furthermore, further investigation reveals that Necurs botnet has been delivering Ykcol malware. Though there are slight variations in these viruses, the developers exhibit a tendency to use invoice emails. What is more, the latest version switched to .7z extension instead of previously used .zip and .rar folders.
Here is a brief overlook of the recent spam campaign:
- Status of invoice. The corrupted folder with the VBDS script and Locky downloader is placed in the [8-alphanumeric.value]-[2-numeric value].7z. The email asks to check: Hello, Could you please let me know the status of the attached invoice? I appreciate your help!
- The emai,l which is called as Message from km_c224e, hides the ransomware in the .7z folder with a long numeric code and date included. This version operates solely offline in contrast to the above-discussed method. the same subject topic has been noticed in the Jaff ransomware campaign as well.
- HERBALIFE Order Number: [10-alphanumeric value] campaign delivers Locky placed in a _1.7z folder. Note that Herbalife company is a legitimate company located in the US. It is not the first time when Locky developers continue exploiting the name of the official institution.
- This wave is a counterpart of the first one as it urges users to check the status of the invoice. .rar folder bears the payload of the file-encrypting virus. There are also variations: Your payment [number].
- Emailing [number] campaign contains Ykcol ransomware in .7z folder. The malware functions in an offline mode.
- “New voice message” is by far the most intriguing. It appeals to users with “new voice message [number from [number]” email subject. Needless to say what happens after a user opens up the message.
Note that Locky developers also diverted to disguising the malware under fake Dropbox verification email. Unfortunately, the message delivering Ykcol or any other Locky variation with a counterfeited Dropbox request is well-developed as it does not contain any visible grammar mistakes, typos or other indicators of a fake message.
Nonetheless, pay attention to the sender. If you haven't requested for a password reset or signed up, such notification should evoke more than suspicion.
The weaknesses of Locky ransomware
Despite its “boring” distribution network, it remains to be a major headache for both, IT experts and users. However, despite how elaborate it is, users can escape getting infected with the malware. Consider above-discussed distribution campaigns. You should treat every email sent from an unknown sender, especially if it is a supposedly official institution.
Lastly, the cases of Facebook message virus reminds that you need to treat shady links and attached files with care, even if they are sent by your contacts. Double-checking and inquiry may cost a second of inconvenience but save your valuable personal data.