Locky ransomware is back from the dead again - with new 'Diablo' variant

Posted by starbuck (Malware Removal Specialist - Administrator, In Memory)
One of the most successful families of file-encrypting malware is back -- again -- with a new spam campaign.

One of the most successful families of ransomware has returned once again, with a new email spam campaign designed to infect victims with the file-encrypting malware.

Locky was one of the first major forms of ransomware to become globally successful and at one point was one of the most common forms of malware in its own right.

However, attacks distributing Locky have declined this year, and while it was once the king of ransomware, its title has been usurped -- Cerber now dominates the market.

But that doesn't mean Locky no longer poses a threat.
After going dark for a few months -- even to the point where it wasn't being distributed at all -- the ransomware is once again being spread through the Necurs botnet.

But this time it's being distributed with a new file extension called Diablo6, according to Malwarebytes researchers who've observed the new campaign.
The new Diablo variant calls back to a different command and control server than previous Locky campaigns.

Like other ransomware families, Locky is distributed via the use of spam emails; this particular campaign sends them in the form of PDF attachments with embedded .DOCM files.

If the user downloads the attachment and enables macros as the payload requests, they'll soon find that they've lost access to the files on their computer and are told that they need to pay a ransom in order to get the "private key" from the "secret server" of the attackers.

While Locky is far less prevalent than it has been, it remains a risk to organisations because of its strong cryptography and the fact that those behind it still update and alter the payload and the tactics used to deliver it.

"The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it's not active at a particular given time," said Marcelo Rivero, intelligence analyst at Malwarebytes.

It isn't the first time Locky has reappeared after seemingly disappearing.
It appeared to cease activity over Christmas 2016, leading researchers to speculate that its developers had taken a break over the holiday season.
Sure enough, it re-emerged in January and infections have been spiking and dropping ever since.

The sudden reappearance of Locky could potentially be attributed to decryption tools for Jaff ransomware being made available for free in June.
Jaff appeared in May and was spread by the same Necurs botnet used to distribute Locky.

Cybercriminals deploy ransomware because it allows them to reap high rewards using little effort.
Therefore, it could be the case that once Jaff -- which demanded a ransom of $4,000 and used a decryptor almost identical to that of Locky -- was cracked by security professionals, the criminals behind it have simply gone back to using Locky.

While those behind Locky have yet to be identified, researchers have noted that the ransomware will delete itself from the infected machine if the local language is Russian, possibly pointing towards the geographic location of the developers.


Source:
http://www.zdnet.com/article/locky-...gain-with-new-diablo-variant/#ftag=RSSbaffb68
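An added defensive example, not from the article or the post: a small Python pre-filter that flags PDFs carrying the delivery structure described above (a PDF attachment with an embedded macro-enabled .DOCM). The PDF bytes below are constructed for the demonstration and are not a sample from the campaign; the object names (/Filespec, /EF, /EmbeddedFile) are standard PDF attachment structures.

```python
import re
from typing import Dict, List
# Constructed minimal PDF (not a real campaign sample) with the lure's shape: a /Filespec
# naming a .docm attachment plus an /EmbeddedFile stream starting with the OOXML ZIP header.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 3 0 R >> >> endobj
2 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 4 0 R >> >> endobj
3 0 obj << /Names [(invoice.docm) 2 0 R] >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >>
stream
PK\x03\x04
endstream
endobj
%%EOF
"""
# Macro-enabled Office extensions (the campaign used .DOCM) plus script/binary types.
RISKY_EXT = (".docm", ".dotm", ".xlsm", ".pptm", ".js", ".vbs", ".exe")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)  # each indirect object
NAME_RE = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")                     # /F (name) or /UF (name)
STREAM_RE = re.compile(rb"\bstream\r?\n(.{0,4})", re.DOTALL)          # first 4 payload bytes

def find_attachments(pdf: bytes) -> List[Dict[str, object]]:
    """One record per /Filespec object: filename, /EF presence, risk flag."""
    results = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        if b"/Filespec" not in body:
            continue
        for name in sorted({n.decode("latin-1") for n in NAME_RE.findall(body)}):
            results.append({"object": int(m.group(1)), "name": name,
                            "has_embedded_stream": b"/EF" in body,
                            "risky_extension": name.lower().endswith(RISKY_EXT)})
    return results

def embedded_zip_streams(pdf: bytes) -> List[int]:
    """/EmbeddedFile objects whose payload starts with a ZIP header (OOXML), even if renamed."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)  # \b keeps the catalog's /EmbeddedFiles name tree from matching
        s = STREAM_RE.search(body) if re.search(rb"/EmbeddedFile\b", body) else None
        if s and s.group(1).startswith(b"PK\x03\x04"):
            hits.append(int(m.group(1)))
    return hits

def verdict(pdf: bytes) -> str:
    """Triage label for a mail-gateway pre-filter; either signal is enough to quarantine."""
    atts = find_attachments(pdf)
    if any(a["risky_extension"] and a["has_embedded_stream"] for a in atts) or embedded_zip_streams(pdf):
        return "QUARANTINE: embedded macro-enabled or OOXML attachment"
    return "REVIEW: PDF carries file attachments" if atts else "CLEAN: no file attachments"
```

Run it against a PDF read as bytes; the regex parsing is deliberately shallow (no object-stream or filter decoding), so treat it as a first-pass triage, not a replacement for a full PDF parser.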