{"id":8770,"date":"2017-08-16T11:10:12","date_gmt":"2017-08-16T19:10:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/08\/16\/news-2543\/"},"modified":"2017-08-16T11:10:12","modified_gmt":"2017-08-16T19:10:12","slug":"news-2543","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/08\/16\/news-2543\/","title":{"rendered":"Locky ransomware returns to the game with two new flavors"},"content":{"rendered":"

Credit to Author: Marcelo Rivero| Date: Wed, 16 Aug 2017 17:57:10 +0000<\/strong><\/p>\n

We recently observed a fresh malicious spam campaign pushed through the Necurs botnet distributing so far, two new variants of Locky ransomware.<\/strong><\/p>\n

In our last Q2 2017 report on tactics and techniques<\/a>, we mentioned that Locky ransomware had reappeared with a new extension, but went dark again for months.<\/p>\n

\"\"<\/p>\n

From August 9th, Locky made another reappearance using a new file extension “.diablo6<\/strong><\/span>” to encrypt files with the rescue note: “diablo6-[random].htm<\/strong><\/span>“.<\/p>\n

Today a new Locky malspam campaign is pushing a new Locky variant that adds the extension “.Lukitus<\/strong><\/span>” and the rescue note: “lukitus.html<\/strong><\/span>“.<\/p>\n

\"\"<\/p>\n

Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script.<\/p>\n

\"\"<\/p>\n

Locky variants, callback to a different command and control server (C2) and use the affiliate id: AffilID3 and AffilID5.<\/p>\n

\"\"<\/p>\n

Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more.<\/p>\n

The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it’s not active at a particular given time.<\/p>\n

Locky extension history<\/strong><\/h3>\n

\"\"<\/strong><\/h3>\n

Active Campaigns:<\/strong><\/h4>\n