Reports have been pouring in this month about the sudden return of Locky ransomware, which had been largely dormant in 2017. In short order, researchers have discovered two new major versions of Locky being distributed via voluminous malspam campaigns.
The first variant to emerge is a version called Diablo6, named after the .diablo6 file extension that it appends to encrypted files. BleepingComputer has credited its discovery to researcher "Racco42," who tweeted about his findings back on 9 August, when the attacks reportedly began in earnest.
A newer variant with similar behavior appeared on 16 August, capturing the attention of Malwarebytes analysts, as well as researcher Rommel Joven, who were both early to report on their findings. This version appends the extension ".Lukitus" to affected files.
Many of the spam emails have subject lines featuring simply a date and random number, with a minimalist message body that states: "Files attached. Thanks". However, Fortinet researchers found a more content-rich email sample with a subject line referencing a business document from a company, with a message claiming the attachment is an invoice for purchased goods.
Fortinet statistics show that most of the Diablo6 spam has been distributed to the US (37 percent) and Austria (36 percent), followed by Great Britain, Denmark and India, the company reported in a 14 August blog post.
Comodo Group said in a separate report that from 9-11 August it detected more than 62,000 Diablo6 phishing emails on endpoints that it monitors. (Comodo, however, refers to the threat as IKARUSdilapidated.) The company also found that the attackers are leveraging more than 11,600 different IP addresses, from 133 countries, to execute the campaign. Many of these IP addresses originate from telecom companies and ISPs whose infrastructures have clearly been hijacked; for this reason, Comodo is also classifying this threat as a botnet.
Locky debuted in 2016, but faded from the scene somewhat this year as attackers moved on to other ransomware families. Occasionally, however, Locky would rear its ugly head again, including during a large Necurs-fueled campaign this past April.
The Diablo6 spam sample that Racco42 found has an attached zip file containing a VBS downloader script, which includes a URL from which the Locky ransomware executable is downloaded and subsequently executed. Malwarebytes spotted this too on 9 August, but then observed in the following days campaigns using PDFs embedded with malicious .DOCM files, and RAR and ZIP files embedded with .JS malware.
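The delivery chain described above lends itself to two simple triage checks a defender can automate: flagging archive attachments that carry script or macro-document payloads, and spotting the file extensions the two Locky variants append. The following Python is an added example, not code from any of the vendors quoted in this article; the ZIP it inspects is constructed in memory with a harmless placeholder, and the suffix sets are assumptions drawn only from the extensions named here.

```python
# Added example (not from the article): triage helpers for the Locky
# indicators the report describes. Sample attachment is constructed in memory.
import io
import zipfile
from pathlib import PurePosixPath

# File types the report says the malspam attachments carried (assumed set).
DOWNLOADER_SUFFIXES = {".vbs", ".js", ".docm"}
# Extensions the Diablo6 and Lukitus variants append to encrypted files.
LOCKY_ENCRYPTED_SUFFIXES = {".diablo6", ".lukitus"}


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return archive members whose final extension matches a known downloader
    type. Comparison is case-insensitive, and double extensions such as
    'invoice.pdf.js' are caught because only the last suffix is examined."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PurePosixPath(name).suffix.lower() in DOWNLOADER_SUFFIXES:
                hits.append(name)
    return hits


def is_locky_encrypted_name(filename: str) -> bool:
    """True if a filename carries one of the Locky extensions from the report
    (e.g. 'report.docx.diablo6' or 'photo.jpg.Lukitus')."""
    return PurePosixPath(filename).suffix.lower() in LOCKY_ENCRYPTED_SUFFIXES


def build_sample_attachment() -> bytes:
    """Constructed stand-in for a malspam attachment: a ZIP holding a harmless
    placeholder .vbs file next to a benign text file (no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_8451.vbs", "' placeholder, not a real script\n")
        zf.writestr("readme.txt", "Files attached. Thanks\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_members(build_sample_attachment()))   # ['invoice_8451.vbs']
    print(is_locky_encrypted_name("report.docx.diablo6"))  # True
```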
Fortinet also reported in its blog post that it found two unique hashes of Diablo6, which means "newly created samples are being pushed, possibly with different configurations, or simply as an attempt to evade specific file signatures."
Diablo6's ransom note asks for 0.49 bitcoins, or roughly £1,600, BleepingComputer reported. If a machine is infected with either the Diablo6 or Lukitus version of Locky, its files cannot be successfully decrypted.
"It's still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," the Fortinet blog post stated. "We'll probably see in the next few weeks or months, or maybe never."