Ransomware, Breach, Content

Locky Ransomware Variant Found in New Email Phishing Campaign Attack

Large-scale, email-based ransomware attacks were launched this month that leveraged a variant of the "Locky" Trojan family, according to global cybersecurity solutions provider Comodo.

The ransomware attacks began August 9, and more than 62,000 instances of phishing emails related to the Locky malware variant were detected at Comodo-protected endpoints over the course of three days, the company said in a prepared statement.

As part of the ransomware attacks, the Locky malware variant appeared as an unknown file and slipped into organizations' infrastructure, Comodo noted.

At least 11,625 different IP addresses were used to perform the campaign, Comodo stated. The IP addresses were located in 133 different countries, Comodo said, and the countries housing the most servers were Vietnam, India, Mexico, Turkey and Indonesia.

In addition, cybersecurity and antimalware software provider Malwarebytes this month discovered two Locky malware variants.

Locky reappeared using a new file extension ".diablo6" on August 9, Malwarebytes said in a prepared statement. Also, a Locky variant that included the extension ".Lukitus" was found August 16.

What Is Locky?

Locky first appeared in 2016 and is generally distributed via spam emails that contain a malicious Microsoft Office file or ZIP attachment.

The ransomware is delivered by email with an attached file that contains malicious macros. When the file is opened, it activates a file-encrypting ransomware payload that can harm end users.

Locky malware variants show the increasing sophistication, organization and size of new ransomware attacks. Meanwhile, these attacks are unlikely to slow down any time soon, and organizations must prepare accordingly.

How to Prepare for Ransomware Attacks

Sixty-two percent of organizations suffered a ransomware attack last year, according to the "2017 State of Cyber Security" study conducted by the Information Systems Audit and Control Association (ISACA).

The ISACA pointed out there are many steps that organizations can take to prepare for ransomware attacks, and these steps include:

  • Teach employees about ransomware. Provide ransomware training and ensure employees maintain their skills using technical training and performance-based assessments.
  • Foster communication. Share information about cyber threats to help employees stay up to date about cybersecurity.
  • Prioritize cybersecurity. Allocate the necessary time and resources to employ skilled cybersecurity professionals and develop in-depth plans to prepare for cyber threats.

A "default-deny" security posture may help organizations identify and remediate cyber threats as well, according to Comodo.

With this security posture, organizations can stop new, "unknown" files from entering their IT infrastructure, Comodo stated.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.