Locky ransomware returns in two new variants

Locky, once one of the most widely distributed forms of ransomware, has returned, warns Malwarebytes

The Locky ransomware has returned in the form of two new strains, security researchers at Malwarebytes have warned.

Locky was one of the three most widely distributed forms of malware in 2016, along with Cryptowall and Cerber. But although ransomware has boomed during 2017, Locky has been largely quiet.

But on 9 August, Locky made a dramatic return, using a new ransom note and the file extension ‘.diablo6’, followed a week later by another variant with the extension ‘.Lukitus’.

What hasn't changed, though, is the method of distribution.

Rather than rifling through the trove of spilt US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.

The new Locky variants, Malwarebytes adds, call back to different command and control (C2) servers and use the affiliate IDs AffilID3 and AffilID5.
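Two of the details above are directly usable by defenders: the file extensions the new variants leave behind, and the delivery method (zipped attachments carrying a script). The following Python is an added example, not code from the article or from Malwarebytes; it flags files carrying the ‘.diablo6’ / ‘.Lukitus’ extensions on a file listing and inspects a zip attachment in memory for script members. The set of script extensions, the sample file paths and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article reports for the two new Locky variants.
LOCKY_EXTENSIONS = {".diablo6", ".lukitus"}

# Script extensions assumed here as the kind of "malicious script" the
# article says arrives inside zipped attachments (assumption, not from the page).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def locky_extension_hits(paths):
    """Return the paths whose final extension matches a known Locky variant.

    The comparison is case-insensitive, so 'IMG.jpg.Lukitus' is caught as well.
    """
    return [p for p in paths if PurePosixPath(p).suffix.lower() in LOCKY_EXTENSIONS]


def scripts_in_archive(zip_bytes):
    """List member names inside a zip attachment that carry a script extension.

    Operates on the raw attachment bytes, so a mail gateway can call it before
    the archive is written to disk or opened by a user.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def build_sample_archive(with_script=True):
    """Construct an in-memory zip resembling the lure (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_script:
            zf.writestr("Invoice_8812.js", "// constructed placeholder, not real malware\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


# Constructed file listing, as a share might look after an incident.
SAMPLE_PATHS = [
    "/srv/share/report.docx",
    "/srv/share/Q2-figures.xlsx.diablo6",
    "/srv/share/photos/IMG_0042.jpg.Lukitus",
    "/srv/share/notes.txt",
]

if __name__ == "__main__":
    print("encrypted-looking files:", locky_extension_hits(SAMPLE_PATHS))
    print("scripts inside archive:", scripts_in_archive(build_sample_archive()))
```

The extension check is an after-the-fact indicator (files are already encrypted by the time it fires), so it belongs in a scheduled scan of shares that alerts on the first hit; the archive check is preventive and belongs at the mail gateway, where the attachment bytes are available before a user can open them.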

"Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more. The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it's not active at a particular given time," the company warned in a briefing note.

In 2016, a US hospital was forced to pay $17,000 in bitcoin in order to recover devices that had fallen victim to the Locky ransomware.

Locky is a variant of the Dridex banking Trojan, refitted for ransomware rather than for stealing online banking credentials. Dridex is believed to have been behind the theft of around £20m from bank accounts in the UK alone. Both are associated with the Necurs malware distribution botnet.

Back then, security researchers at Proofpoint pointed out the connection between Dridex and Locky.

"While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the past year," warned the company in an advisory.

It continued: "The actors behind Locky are clearly taking a cue from the Dridex playbook in terms of distribution. Just as Dridex has been pushing the limits of campaign sizes, now we're seeing even higher volumes with Locky, rivalling the largest Dridex campaigns we have observed to date."