Locky Developers Sent Out 23 Million Emails Containing Lukitus Ransomware Variant In Just 24 Hours

Locky Ransomware Resurges Again Using 23 Million Corrupted Emails

Locky Ransomware is one of those infections that continue to resurface periodically. Once the developer of this malicious threat realizes that the used distribution methods stop working – and that might happen if security vulnerabilities are fixed or when users are informed about the threat – the infection disappears. After some time (usually, a couple of months), the ransomware re-emerges again. The latest variant of the malicious infection is spread using a compromised spam email, and the files it encrypts get the “.lukitus” extension appended to their names. Fun fact, “lukitus” translates to “locking” from Finish. Now, it is unlikely that the threat originates from Finland, but that is not something that can be denied either. According to the latest information presented by Troy Gill at appriver.com, 23 million spam emails have been sent to distribute this version of the devious Locky Ransomware.

As discussed in the 2017 Q2 Malware Trends report, Locky Ransomware is one of the most prevalent infections today. Since 2016, when it was released first, this infection has been considered to be the second largest ransomware threat right after the infamous Cerber Ransomware. In the recent past, this threat was usually introduced to unsuspecting users via spam emails containing normal-looking Microsoft Word Document or Excel files with corrupted macros. When the threat started spreading first, it would append the “.locky” extension to the corrupted files, which is where the original name of the threat comes from. Since then, versions appending “.zepto,” “.odin,” “.shit,” “.thor,” “.aesir,” “.zzzzz”, and “.osiris” extensions were uncovered. The latest version, as it was mentioned already, attaches the “.lukitus” extension. This variant of Locky is introduced to victims as a ZIP file. Within the file, there is another ZIP file, and this one contains a .VBS file. It is enough to open the file to execute the ransomware.

Some ransomware infections use elaborate messages to trick users into opening corrupted spam email attachments. The Lukitus variant of the Locky Ransomware is on the opposite end of the spectrum. Instead of trying to convince you that you need to check a post order or confirm a flight, it provides minimal information. Tara Seals at infosecurity-magazine.com concludes that there are two different versions of the email that the victim might receive. One of them might mimic an email sent from a scanner or printer, which is a scam that is most likely to be successful in bigger organizations where employees send documents to allocated emails for printing. To make the corrupted emails look more authentic, the model number of the printer could be added. In another version, Lukitus is specifically targeted at those speaking French, and the corrupted file is represented as a bill (“FACTURE”). If the ransomware is represented using a .VBS file, it might communicate with greatesthits.mygoldmusic.com. After that, the encryption of personal files found on the infected system is started.

When the files are encrypted by the Lukitus Ransomware, the Desktop background image is changed, and a new file called “Lukitus.htm” is placed on the Desktop. The files are encrypted using complex RSA-2048 and AES-128 ciphers, and so decrypting files manually is impossible. At the time of analysis, legitimate, free file decryptors that could crack the encryptor used by this malware did not exist as well. It appears that the infection’s creator has a good chance at making the victims pay a ransom, which appears to be 0.5 BTC. Right now, that is around $2300 or €1920. Considering that free file decryptors do not exist – at least, not right now – and that the infection is spread using millions of corrupted emails, there is a great possibility that cyber criminals will be able to force some victims into paying the ransom. Unfortunately, that is unlikely to help victims to get their files back. Just like the majority of other ransomware creators, the creator of Locky Ransomware will not help you decrypt your files if you fulfill their demands.

It is crucial that victims remove Locky Ransomware, but it is also important that they take measures to ensure that this threat does not invade their operating systems in the future. Users who have not faced ransomware yet should take care of that as well. First and foremost, it is essential that users keep up with all security updates because many ransomware threats exploit existing security vulnerabilities to invade operating systems. Second, authentic anti-malware software can be the best guardian against ransomware, as well as many other kinds of infections, which is why it must be installed at all times. Third, setting up data backups is crucial. If files are backed up securely, they are safe even when ransomware slithers in successfully. Finally, if users want to keep malware away, they have to make sure that they do not do anything that could help malicious threats get in, which includes not opening random emails and files attached to them, downloading unfamiliar software, clicking on random links and advertisements, and visiting malicious websites.