Security Alert
Jonathan Crowe
Sep 2017

New Locky Ransomware Campaigns Blast 27 Million Emails in 24 Hours

Photo by Source

Researchers have spotted at least six different email types spreading a new variant of Locky, including fake invoice updates, voice mail notifications, Amazon Marketplace messages, and more.

Key Details

  • Massive new spam email campaigns being launched: Researchers at Barracuda have identified 27 million emails spreading Locky ransomware over a span of 24 hours.
  • Campaigns are morphing quickly: Attackers are rapidly iterating, swapping out emails with different subject lines, hooks, and attachment types.
  • Campaigns are spreading new Ykcol variant of Locky:

    The sudden influx of new Ykcol (Locky spelled backwards) samples is forcing AV vendors to update their protection. Many are having trouble keeping up.

  • It's impossible to recover data, even by paying:

    Barracuda researchers have noted some of the campaigns are assigning every victim the same identification number, meaning the attackers won't be able to tell them apart, making decryption impossible.

  • Barkly blocks these Locky variants: Even if an employee gets fooled by one of these emails and triggers the ransomware, Barkly blocks it before any damage is done.
  • empty
  • empty
  • empty

Barkly blocks new Locky variants like this one automatically, no update required.
Find out how

An aggressive ransomware threat

On Tuesday, September 19th, researchers at Barracuda Networks reported they had detected a massive wave of spam emails distributing the new .ykcol variant of Locky ransomware. At the time of their latest update, the "aggressive ransomware threat" had grown to 27 million emails in a period of 24 hours, with no signs of slowing down.

The good news is Barkly blocks these new Locky samples, with no updates necessary. That's because while making superficial changes to malware samples is enough to bypass traditional AV, Barkly sees that all of these samples behave in the same fundamental way. 

By combining machine-learning-powered file attribute analysis with behavioral analysis, Barkly is able to block even never-seen-before ransowmare variants before they can do any damage. 

Watch Barkly block one of these new .ykcol Locky variant attacks:

Wistia video thumbnail - Barkly-vs-Locky-Ykcol

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?


What the emails look like

Wave 1: Tuesday, 9/19 — emails with .7z attachments

According to Barracuda, these attacks appear to be "automatically generated using a template that randomizes parts of the files. The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead anti-virus engines."

The wave actually appears to be a series of campaigns. In addition to changing the payload file names and the domains, the attackers are also swapping out subject lines, messages, and even attachment types. Researchers at Barracuda have identified three separate email types so far, the first being disguised as an order confirmation from the company Herbalife Nutrition. 

Email #1: Herbalife order confirmation


Phishing email distributing the Ykcol variant of Locky ransomware via .7z attachment. Source: Barracuda Networks

Email #2: Copier message — download sites & hashes posted to Pastebin by researcher Racco42

A second campaign is spreading emails that look like they're imitating an email from the target organization's printer or copier. The subject line is "Message from KM_C224e" and the email has no message, only an attachment. 


Second phishing email distributing Locky via .7z attachment. Source: Barracuda Networks


Email #3: Message from recipient's own domain — download sites & hashes posted to Pastebin by researcher Racco42

The third email type spotted by Barracuda appears to be pairing random sender names with the recipient's domain in order to make it look like the message is coming from someone within the recipient's own company. The subject line is a bare-bones, "Emailing — [attachment number]" and the message is blank. 


Third phishing email distributing Locky via .7z attachment. Source: Barracuda Networks

What ties all of these emails together is their use of .7z attachments (7-zip is a type of compressed file). As others have pointed out, the use of 7zip is odd considering many recipients may not have the software to open them. It was likely chosen as a way to bypass filters.

The attackers have embedded a .vbs file inside the 7zip attachment. When a user opens the attachment, the script downloads and launches the ransomware payload. 

Wave 2: Wednesday, 9/20 — emails with .rar attachments

The next wave of spam emails switched to better-written messages disguised as invoice status updates and replaced the .7z attachment with a .rar attachment. 

Email #4: Status of invoice message — download sites & hashes posted to Pastebin by researcher Racco42


Phishing email distributing Locky via .rar attachment. Source: My Online Security 

The message reads:

Could you please let me know the status of the attached invoice? I appreciate your help!

Best regards,

[name and contact info]

As with the .7z attachments, the .rar attachment also has a .vbs file inside, which downloads and executes the ransomware payload automatically once the attachment is opened.

Wave 3: Wednesday, 9/20 and Thursday, 9/21 — back to emails with .7z attachments

Security researcher Racco42 has continued to monitor Locky activity and has spotted two additional email campaigns packaged in different ways and switching back to attaching .7z files. 

Email #5: New voice message notification — download sites & hashes posted to Pastebin by researcher Racco42

Fake voicemail notifications are an old favorite for attackers. The example below shows recipients can be infected either by opening the attachment or by clicking the included link. These emails have also been disguised to look as though they are coming from the recipient's domain.


Voicemail phishing email distributing Locky ransomware. Source: Trend Micro

From: "Voicemail Service" <vmservice@[REDACTED]>
To: "ah@[REDACTED]>
Subject: New voice message 15256614735 in mailbox 152566147351 from "15256614735" <6692705038>
Date: Wed, 20 Sep 2017 13:29:17 -0500

Dear user:

just wanted to let you know you were just left a 0:11 long message (number 15201136730) in mailbox 152011367301 from "15201136730" <8822315162>, on Wed, 20 Sep 2017 19:34:51 +0300
so you might want to <a href=">check</a> it when you get a chance.

--Voicemail Service

Attachment: msg0434.7z


Email #6: Amazon Marketplace invoice — download sites & hashes posted to Pastebin by researcher Racco42

Another campaign has been discovered distributing emails designed to look like messages from Amazon Marketplace. Subject lines are "Invoice" followed by "RE-[today's date]-[5-digit number" which is also the name of the attachment.

To make the emails appear more official, the attackers have included footer text with details and disclaimers from Amazon.

The absence of the Amazon logo and the use of a .7z file attachment should give many users pause, but otherwise this message is fairly convincing and certainly poses a threat.


Amazon Marketplace phishing email distributing Locky ransomware. Source: My Online Security

From: Amazon Marketplace <
Subject: Invoice RE-2017-09-21-00168
Date: Thu, 21 Sep 107 12:16:52 +0430

------------- Begin message -------------

Dear customer:

We want to use this opportunity to first say "Thank you very much for your purchase!"
Attached to this email you will find your invoice.

Kindest of regards,
your Amazon Marketplace

------------- End message -------------

For Your Information: To help arbitrate disputes and preserve trust and safety, we retain all messages buyers and sellers send through This includes your response to the message below. For your protection we recommend that you only communicate with buyers and sellers using this method. Important:'s A-to-z Guarantee only covers third-party purchases paid for through our Amazon Payments system via our Shopping Cart or 1-Click. Our Guarantee does not cover any payments that occur off including wire transfers, money orders, cash, check, or off-site credit card transactions. We want you to buy with confidence whenever you purchase products on Learn more about Safe Online Shopping ( and our safe buying guarantee ( Attachment: RE-2017-09-21-00168.7z

About the Ykcol Locky variant


The new Ykcol variant was first discovered by security researcher Derek Knight on Monday, September 18, and as these updates demonstrate, it's been incredibly active. 

Functionally, it operates the same way as previous Locky variants. Once it is downloaded and executed on a computer it scans the device for files, encrypts them, and changes the file name to an identification number followed by the .ykcol extension. 

Unfortunately, at this time no decryption tool exists for this or any other Locky variant. 

Victims are not encouraged to pay the ransom

Researchers at Barracuda have indicated that at least a portion of these campaigns contain flaws that assign the same identification number to every victim, making it impossible for attackers to tell them apart. What that means is victims will not be able to recover their files even if they decide to pay. 

Protecting your company vs. these new Locky attacks

After a lull of activity the first half of the year, Locky campaigns have stormed back in a big way, with numerous global spam campaigns each delivering millions of emails.

Sharing these email examples with users can help them know what to look out for, but the truth is new and different email campaigns are arriving at such a rapid pace that as soon as you alert them to any one specific attack, another one is likely already on the way. 

Blocking .7z and .rar file extensions at the perimeter can be a good momentary measure, but even that only buys you a little time before attackers move on to new attachment types once again. 

A more sustainable approach to protecting your company against these attacks is to step back, identify the common techniques they're all relying on to be successful, and shape your security approaches and awareness around them. 

  • Training users to recognize the common patterns of phishing attacks can help you create a "human firewall."
  • Investing in endpoint security that recognizes and blocks common ransomware behaviors (instead of just specific ransomware file signatures) helps you give those users a safety net, so you're still protected if and when they make a mistake.

Find out how Barkly can provide you with the strongest endpoint protection with the fewest false positives and the simplest management. See for yourself.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


The Ransomware Survival Handbook

Learn how to recover quickly and effectively (and not get hit again)

Get my handbook


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.