Reports are coming in from multiple security researchers and security firms about increased activity from one of the groups spreading the Locky ransomware.
These spam waves started on September 18 and are pushing the new Locky ransomware variant, released the same day, that encrypts files and appends the .ykcol extension.
Six big spam waves detected
Six big spam waves pushing the Locky ykcol version were seen in the past few days. The Locky samples distributed by these spam waves carry the embedded affiliate ID #3, belonging to the same group that was also busy pushing Locky spam at the start of the month.
These Locky spam waves have been seen by Fortinet (authors of the graph breakdown below), Barkly, Barracuda, Brad Duncan, and My Online Security [1, 2, 3].
The spam waves had an immediate impact on submissions from infected users on ID-Ransomware, a service that lets users identify the type of ransomware that infected their PC.
The graph below, provided by security researcher MalwareHunter, shows a spike in Locky detections on September 18, when the new Locky ykcol version was first detected, and the spam waves from affiliate group #3 began.
Locky ransom demand doubled
Security researcher Derrick Farmer also noted that recent versions of Locky ykcol returned to asking victims to pay a ransom demand of 0.5 Bitcoin (~$1,800) after initial versions spotted on September 18 asked for 0.25 Bitcoin (~$900).
#Locky ykcol variant affilID 3 back to .5 BTC ransom. Guess .25 wasn't paying the bills @malwrhunterteam @James_inthe_box @MarceloRivero pic.twitter.com/qUVop11kXO
— Derrick (@Ring0x0) September 21, 2017
Fortinet researchers also made a clever observation, noticing that spam wave #2 used the email subject line of "Message from km_c224e," the same one used in the past to deliver the Jaff ransomware and the Dridex banking trojan.
Bleeping Computer understands that at the time of writing, the increased spam activity from Locky affiliate ID #3 is still ongoing. There is no known method of breaking Locky encryption, so users are advised to be careful when downloading and running attachments, or clicking on links in emails from unknown senders.
As for the effectiveness of this campaign, MalwareHunter says infection numbers are actually down compared to the start of the year.
Here is a graph from past year's September 1st until now. Of course, this month still has 8 days left, but that won't change a lot... pic.twitter.com/4QY7CJoN2V
— MalwareHunterTeam (@malwrhunterteam) September 22, 2017
Comments
Occasional - 6 months ago
Thanks CC for the detailed article.
From other reports, this spam wave makes use of spoofed email "From" entries, to make it look like it's coming from inside the organization (I've even gotten emails "from" myself). So, the advice to avoid "...clicking on links in emails from unknown senders." needs a caveat not to trust what you see in the "From" entry.
Sadi90 - 6 months ago
Great article Catalin, thank you for the information. I work in a large scale organisation where we handle a lot of customer data. Ransomware is something we really need to be secure against. Would anyone have any advice on a good ransomware protection solution for large organisations? I've heard of Ivanti (www.ivanti.co.uk) and know people within the business that have used their solutions and are happy with it. Are there any recommendations?