The dreadful Locky ransomware is back with two new variants, ‘Diablo’ and ‘Lukitus’.
Security researchers have recently spotted two new Locky ransomware strains, Diablo and Lukitus. Like other crypto-locking ransomware, they are designed to encrypt files on a PC and demand a ransom in exchange for the decryption key. The new variants were reported by researchers on August 16th 2017.
“Ransomware is more about manipulating vulnerabilities in human psychology than the adversary’s technological sophistication”.
Locky has been one of the major ransomware families to achieve global success. It first appeared in 2016 and had gone quiet by the end of that year. If you think that means it no longer poses a threat, you are wrong: after going dark, Locky is back, distributed by the Necurs botnet, one of the largest botnets used for attacks.
From August 9th onwards Locky has made another reappearance, appending a new file extension, “.diablo6”, to the files it encrypts and dropping the ransom note “diablo- .htm”. Diablo calls back to a different command and control server than earlier Locky. Alongside it there is another new variant, which appends the extension ‘.Lukitus’ to encrypted files.
Interestingly, Lukitus means locking in Finnish.
The new campaign sends spam emails carrying PDF attachments with embedded .DOCM files. If the user opens the attachment and enables macros as requested, the macro installs Locky and they lose access to the files on their computer.
Once the data is encrypted, a ransom is demanded from owners who wish to receive the private key needed to decrypt it. Locky is less prevalent than at its peak, but it remains a serious threat because its cryptography is strong: without the private key the files cannot be recovered.
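As an added example (this is not code from the article and is not taken from any Locky sample), the following Python script triages a PDF for the lure described above: an embedded macro-enabled Word document. Both the PDF and the .docm container are constructed inline so the script runs offline, and only simple uncompressed PDFs are parsed (a production check would use a full PDF parser such as pikepdf, since real files may use object and xref streams). The verdict rules (`block`, `review`, `allow`) and the threshold of "vbaProject.bin present" are assumptions of this example; they detect that macros exist, not what they do.

```python
"""Triage a PDF attachment for an embedded macro-enabled Office document.

Added example: sample PDF and DOCM are constructed here, not captured from
a real campaign. Handles only uncompressed PDFs with plain object bodies.
"""
import io
import os
import re
import zipfile

# Only the macro-enabled OOXML formats can carry VBA at all; a plain .docx
# cannot, so an attachment named .docx that contains vbaProject.bin is lying.
MACRO_CAPABLE = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec")
NAME_RE = re.compile(rb"/F\s*\(([^)]*)\)")          # /F (filename) in a Filespec
EF_RE = re.compile(rb"/EF\s*<<\s*/F\s+(\d+)\s+0\s+R")  # reference to the stream object
STREAM_RE = re.compile(rb"/Length\s+(\d+).*?stream\r?\n", re.S)


def build_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML zip that stands in for a .docm (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 container; the magic bytes suffice here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 AutoOpen")
    return buf.getvalue()


def build_pdf(attachment_name: str, payload: bytes) -> bytes:
    """Construct a minimal PDF with one embedded file (constructed sample).
    Filenames containing parentheses would need escaping; not needed here."""
    name = attachment_name.encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(%s) 4 0 R] >> >> >>" % name,
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload) + payload + b"\nendstream",
        b"<< /Type /Filespec /F (%s) /EF << /F 3 0 R >> >>" % name,
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> raw object body for an uncompressed PDF."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def stream_data(body: bytes) -> bytes:
    """Return exactly /Length bytes of a stream object's data."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    return body[m.end():m.end() + int(m.group(1))]


def has_vba_project(blob: bytes) -> bool:
    """True if blob is an OOXML zip containing a vbaProject.bin part."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_pdf(pdf: bytes) -> list:
    """Resolve every Filespec to its embedded stream and classify it."""
    objs = parse_objects(pdf)
    findings = []
    for body in objs.values():
        if not FILESPEC_RE.search(body):
            continue
        name_m, ef_m = NAME_RE.search(body), EF_RE.search(body)
        name = name_m.group(1).decode("latin-1") if name_m else "?"
        blob = stream_data(objs.get(int(ef_m.group(1)), b"")) if ef_m else b""
        ext = os.path.splitext(name)[1].lower()
        vba = has_vba_project(blob)
        verdict = "block" if vba else ("review" if ext in MACRO_CAPABLE else "allow")
        findings.append({"name": name, "ext": ext, "has_vba": vba, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_pdf(build_pdf("invoice.docm", build_docm(True))):
        print(f)
```

The decision is made on content, not on the advertised extension: a document renamed to hide its type still yields `block` once vbaProject.bin is found, while a genuine macro-free .docm only earns `review`. For the macro's actual behaviour (AutoOpen handlers, downloaders), hand the extracted blob to a VBA analyser such as oletools' olevba.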
This campaign is an eye opener for everyone who assumed that Locky was gone simply because it had been inactive for a while. This is not the first time Locky has reappeared: it goes quiet for a period and then returns with new infections.
The sudden reappearance of Locky may be related to the decryption tools for Jaff ransomware that were made available in June. Jaff appeared in May and was spread by the same Necurs botnet used to distribute Locky.
This shows that ransomware is not going away any time soon, so we need to keep developing new strategies and techniques to fight it.
Both new Locky variants call back to a different command and control (C2) server than earlier Locky and use the affiliate IDs AffilID3 and AffilID5.