Reports are coming in from multiple security researchers and security firms about increased activity from one of the groups spreading the Locky ransomware.

These spam waves have started on September 18 and are pushing the new Locky ransomware variant that encrypts files with the .ykcol extension, which was also released on the same day.

Six big spam waves detected

Six big spam waves pushing the Locky ykcol version were seen in the past few days. Locky versions distributed by these spam waves have embedded the #3 affiliate ID, belonging to the same group that was also busy pushing Locky spam at the start of the month.

These Locky spam waves have been seen by Fortinet (authors of the graph breakdown below), Barkly, Barracuda, Brad Duncan, and My Online Security [1, 2, 3].

Recent Locky spam waves

The spam waves had an immediate impact on submissions from infected users on ID-Ransomware, a service that lets users identify the type of ransomware that infected their PC.

The graph below, provided by security researcher MalwareHunter, shows a spike in Locky detections on September 18, when the new Locky ykcol version was first detected, and the spam waves from affiliate group #3 began.

Recent Locky detections on IDR

Locky ransom demand doubled

Another security researcher also noted that recent versions of Locky ykcol returned to asking victims to pay a ransom demand of 0.5 Bitcoin (~$1,800) after initial versions spotted on September 18 asked for 0.25 Bitcoin (~$900).

Fortinet researchers also made a clever observation, noticing that spam wave #2 used the email subject line of "Message from km_c224e," the same one used in the past to deliver the Jaff ransomware and the Dridex banking trojan.

Bleeping Computer understands that at the time of writing, the increased spam activity from Locky affiliate ID #3 is still ongoing. There is no known method of breaking Locky encryption, so users are advised to be careful when downloading and running attachments, or clicking on links in emails from unknown senders.

As for the efficiency of this campaign, MalwareHunter says infection numbers are actually down, compared to the start of the year.

Related Articles:

How to Decrypt HiddenTear Ransomware with HT Brute Forcer

The Week in Ransomware - December 14th 2018 - Slow Week Spam Service Claims It Can Print Anywhere

Company Pretends to Decrypt Ransomware But Just Pays Ransom

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More