<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1018517621595528&amp;ev=PageView&amp;noscript=1">
Barkly vs Malware
Jonathan Crowe
Aug 2017

Locky Ransomware is Back (and Barkly Still Blocks it)

Photo by Source

UPDATE: Researchers have observed more than 23 million phishing emails distributing Locky in a period of just 24 hours, making it one of the largest malware campaigns of 2017.

Locky is clearly back in a big way. The good news is Barkly blocked both of these new variants automatically, without any updates necessary.  

If your company was infected with ransomware in the second half of 2016, chances are it was Locky. According to researchers at Proofpoint, at the height of its distribution in Q3 2016, Locky accounted for an astounding 96.8% of all malware payloads distributed via email.

Aside from a brief resurgence in April 2017, however, the once ubiquitous ransomware has been mysteriously quiet this year, leaving some experts to speculate whether the criminals behind Locky had perhaps moved on to more targeted (and potentially more lucrative) attacks.

Old habits die hard, though, and after months of silence it looks as though the group is back to its old tricks. On August 9, researchers spotted Locky roaring back with a new campaign of spam emails distributing a new "Diablo6" variant to victims worldwide.

Over the course of just three days, security provider Comodo noted 62,000 phishing emails with the new variant being delivered to their customers, alone. 

Three weeks later, email security provider AppRiver observed an even more massive campaign that makes the previous look like a trial run. This time around, more than 23 million phishing emails were seen distributing Locky in a span of just 24 hours. The payload is slightly different, too — appending ".lukitus" (which means "locking" in Finnish) to files. 

Let's take a closer look at the new variants and see what they look like in action.

Videos: Watch Barkly block the new Locky variants 

Watch the videos below to see what a Locky Diablo6 infection and a Locky Lukitius infection looks like in action: 

Diablo6 variant:

 
 
 
 
 
1:14
 
 
 
1:14
 
 
 
 
 
 
 
 
 
 
Wistia video thumbnail - Barkly-vs-Locky-Diablo6
 

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?

Cancel
message
 
 
 
 
 
 
 

 

Lukitus variant:

 
 
 
 
 
2:06
 
 
 
2:06
 
 
 
 
 
 
 
 
 
 
Wistia video thumbnail - Barkly-vs-Locky-Lukitus
 

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?

Cancel
message
 
 
 
 
 
 
 

 

How the Locky Diablo6 variant is being delivered

Attackers have returned to distributing Locky via a rather basic spam campaign with simple subject lines that include either document names (ex: E 2017-08-09 (015).docx) or suggestions that an invoice is attached. 

Locky_Diablo6_spam-emails.png

Spam emails distributing the new Diablo6 variant of Locky ransomware. Source: Fortinet

 

Disguising spam emails as invoice notices continues to be an extremely successful and popular tactic for distributing malware. According to Symantec's 2017 ISTR, one in every four major malware spam campaigns took this approach in 2016.  

Researchers have spotted both ZIP file and Word doc attachments in this latest Locky campaign. Once opened, these attachments contain a Visual Basic Script (VBS) file that calls out to a URL hosting the actual Locky payload, then downloads it to the %Temp% folder and executes it.

How the Locky Lukitus variant is being delivered

Attackers appear to be utilizing a grab bag of methods for distributing the Lukitus variant of Locky.

Delivery method #1: Standard spam emails

The emails in the massive Lukitus campaign appear to be extremely basic and vague. According to AppRiver, subject lines include the following:

  • please print
  • documents
  • photo
  • images
  • scans
  • pictures

Messages are equally bare-bones, simply stating short instuctions such as, "Download it here." 

locky-lukitius-email.jpg

Spam emails distributing the new Lukitus variant of Locky ransomware. Source: AppRiver

Messages in this campaign are carrying ZIP file attachments that contain a Visual Basic Script (VBS) file nested inside another ZIP file. Once the ZIP file is opened, the extraction process triggers the VBScript to download the Locky payload. 
 

Delivery method #2: Fake Dropbox emails

In addition to these standard spam emails, researcher Brad Duncan has also reported Locky campaigns disguised as email notices from Dropbox

locky-fake-dropbox-email.jpg

Attackers behind Locky are also spreading the ransomware via fake Dropbox emails. Source: SANS ISC

All in all, these emails are fairly legitimate looking. The sender appears as "no-reply@dropbox.com" and the subject reads, "Please verify your email address." They even include a Dropbox logo. 

By hovering over the "Verify your email" button, however, you can see that the links in these emails are going to various domains with "/dropbox.html" added to the end. Ex: http://avtokhim.ru/dropbox.html. 

When victims click on the button they're presented with fake Dropbox error messages that inform them "We were unable to verify your Dropbox account," and instruct them to "Please click here to download a new verification message."

locky-dropbox-landing-page.jpg

Fake Dropbox landing pages tee up the next phase of the attack. Source: SANS ISC

What happens next after clicking that link appears to depend on the browser being used. Duncan found that nothing happened when he tried it in IE or Edge. 

Using Chrome or Firefox, however, clicking on the link triggers a pop-up message that explains the "HoeflerText" font was not found. In order to display the page correctly, the soon-to-be-victim needs to update their browser. Clicking "Update" downloads a JavaScript file designed to download and launch the Locky ransomware payload.

locky-missing-hoefler-font.jpg

The "HoeflerText font was not found" pop-up displayed for Chrome users. Source: SANS ISC

If this all sounds familiar that's because the "HoeflerText font was not found" pop-up is a trick various attackers have been using since February, when it was used in a Spora ransomware campaign.  

If this all also sounds needlessly convoluted that's because it is. Mimicking the Dropbox alert is one thing, but adding the HoeflerText font pop-up is an odd choice that seems like overkill. The overall impression of this attack is that it's a hodge-podge of somewhat clever tricks that have been used before.

Luckily, the end result is an attack that offers users several "outs" as long as they've been trained to be skeptical and exercise basic caution. 

Infection and encryption 

Once executed, Locky scans the victim computer for files, encrypts them, and changes the file name to a long string of numbers with the extention .diablo6 or .lukitus (depending on the variant). 

locky-diablo6-encrypted-files.jpg Files encrypted by the Diablo6 variant of Locky. Source: Bleeping Computer

 

Unfortunately, once files are encrypted, there is no free way of decrypting them. That means to avoid downtime, data loss, and disruption, it's crucial to block Locky at the very outset of an infection, before it can encrypt any files.  

Once Locky is finished encrypting the machine's files it deletes the executable, drops two copies of the ransom screen (one .htm file and one .bmp file), and replaces the user's desktop with the ransom screen, as well. 

Locky_Diablo6_ransom_screen-1.png

Locky Diablo6 ransom screen.

The ransom for the Diablo6 variant is currently set at .49 Bitcoin, roughly $2,104.

locky-diablo6-tor-payment-site.jpg

The Locky Diablo6 TOR payment site. Source: Bleeping Computer

Blocking this and future Locky variants

It's still too early to tell whether this latest Locky campaign is simply an isolated burst or a sign of more campaigns to come. But considering Locky's previous track record, companies need to be prepared for the latter.

While the majority of security solutions will react to new Locky variants by scrambling to update their protection as they're being discovered (and after the initial wave of infections are successful), Barkly will block them automatically, without any updates necessary. 

That's because Barkly blocks malware based on behavior analysis as well as attribute analysis. So even though new variants like Diablo6 may look different from previous Locky variants, because they ultimately behave maliciously our protection still picks them up and shuts them down. Learn more about how Barkly's protection works and how it can protect your company here.

 

SHA256 hashes: 

Diablo6 variant: 390ed1dde4ff03adfcf67c59ee02567ac5665bb5e029eaebf0332bc81e4d1891

Lukitus variant: 37704133663a5b0b1a0766ab7a35d7dd3e0aba5ddb4023245f3bcabe5a0961c8
Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.

blocks.svg

The Ransomware Survival Handbook

Learn how to recover quickly and effectively (and not get hit again)

Get my handbook

Comments

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.