Reports have been pouring in this month about the sudden return of Locky ransomware, which had been largely dormant in 2017. In short order, researchers have discovered two new major versions of Locky being distributed via voluminous malspam campaigns.
The first variant to emerge is a version called Diablo6, named after the .diablo6 file extension that it appends to encrypted files. BleepingComputer has credited its discovery to researcher "Racco42," who tweeted about his findings back on Aug. 9, when the attacks reportedly began in earnest.
A newer variant with similar behavior appeared on Aug. 16, capturing the attention of Malwarebytes analysts, as well as researcher Rommel Joven, who were both early to report on their findings. This version appends the extension ".Lukitus" to affected files.
Many of the spam emails have subject lines featuring simply a date and random number, with a minimalist message body that states: "Files attached. Thanks". However, Fortinet researchers found a more content-rich email sample with a subject line referencing a business document from a company, with a message claiming the attachment is an invoice for purchased goods.
Fortinet statistics show that most of the Diablo6 spam has been distributed to the U.S. (37 percent) and Austria (36 percent), followed by Great Britain, Denmark and India, the company reported in an Aug. 14 blog post.
Comodo Group said in a separate report that from Aug. 9-11 it detected more than 62,000 Diablo6 phishing emails on endpoints that it monitors. (Comodo, however, refers to the threat as IKARUSdilapidated.) The company also found that the attackers are leveraging more than 11,600 different IP addresses from 133 countries to execute the campaign. The team that checked the owners of those IP ranges noticed that most belong to telecom companies and ISPs, which is why Comodo also classifies the threat as a botnet.
Indeed, according to a Malwarebytes blog post, both the Diablo6 and Lukitus versions are being pushed via the Necurs botnet.
Locky debuted in 2016, but faded from the scene somewhat this year as attackers moved on to other ransomware families. Occasionally, however, Locky would rear its ugly head again, including during a large Necurs-fueled campaign this past April.
The Diablo6 spam sample that Racco42 found has an attached zip file containing a VBS downloader script, which includes a URL from which the Locky ransomware executable is downloaded and subsequently executed. Malwarebytes spotted this too on Aug. 9, but in the following days observed campaigns using PDFs with embedded malicious .DOCM files, as well as RAR and ZIP archives carrying .JS malware.
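The delivery chain described above (an archive or PDF wrapping a script or macro document that in turn fetches the executable) is what a mail gateway can screen for before any payload runs. The following is an added example, not code from the article or from any of the vendors it cites: a small Python triage routine that opens a ZIP attachment in memory, flags script and macro-document members, pulls any URLs out of a flagged script, and does a crude check for a PDF that carries an embedded .docm. The sample attachments, member names and the example.invalid URL are all constructed here for illustration; real samples, hashes and download URLs from the campaign are not reproduced.

```python
"""Added example: attachment triage for the archive -> script -> download
chain described in the article. Not the article's or any vendor's code.
All sample data below is constructed for the example."""
import io
import re
import zipfile

# Member types that should never arrive unsolicited inside an "invoice".
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".docm", ".exe", ".scr"}
URL_RE = re.compile(rb"https?://[^\s\"'<>]+", re.IGNORECASE)
MAX_MEMBER_BYTES = 1_000_000  # don't inflate huge members just to grep them


def _ext(name):
    """Lowercase extension of the last path component ('a.pdf.js' -> '.js')."""
    base = name.lower().rsplit("/", 1)[-1]
    return base[base.rfind("."):] if "." in base else ""


def _urls(blob):
    return [u.decode("ascii", "replace") for u in URL_RE.findall(blob)]


def triage_attachment(filename, data):
    """Return a verdict for one attachment: which members look like
    downloaders and which URLs they reference."""
    result = {"filename": filename, "risky_members": [], "urls": [], "verdict": "clean"}
    ext = _ext(filename)

    if ext in RISKY_EXTENSIONS:
        # Bare script/macro/executable attachment.
        result["risky_members"].append(filename)
        result["urls"].extend(_urls(data))

    elif ext == ".zip" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or _ext(info.filename) not in RISKY_EXTENSIONS:
                    continue
                result["risky_members"].append(info.filename)
                if info.file_size <= MAX_MEMBER_BYTES:
                    result["urls"].extend(_urls(zf.read(info)))

    elif ext == ".pdf":
        # Crude check for the PDF-with-embedded-.docm lure: an embedded-file
        # stream plus a .docm file name anywhere in the document.
        if b"/EmbeddedFile" in data and re.search(rb"\.docm", data, re.IGNORECASE):
            result["risky_members"].append("embedded .docm")

    if result["risky_members"]:
        result["verdict"] = "quarantine"
    return result


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (hypothetical names and URL, not campaign artefacts).
SAMPLE_VBS = (
    b'Dim strURL\r\n'
    b'strURL = "http://example.invalid/dl/payload.exe"\r\n'
    b'Set objXML = CreateObject("MSXML2.XMLHTTP")\r\n'
)
SAMPLE_ZIP = build_zip({"08_2017_invoice.vbs": SAMPLE_VBS})
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /EmbeddedFile /Length 4 >>\nstream\nPK..\nendstream\n"
    b"2 0 obj << /Type /Filespec /F (Order_Form.docm) >>\n%%EOF\n"
)
SAMPLE_TXT = b"Files attached. Thanks"


if __name__ == "__main__":
    for name, blob in [("12345.zip", SAMPLE_ZIP), ("invoice.pdf", SAMPLE_PDF), ("note.txt", SAMPLE_TXT)]:
        print(triage_attachment(name, blob))
```

The verdict is deliberately coarse: any script, macro document or executable inside an unsolicited archive is enough to quarantine, and the extracted URL is handed to analysts or blocklists rather than fetched. A production gateway would also handle RAR and nested archives and cap total decompressed size to avoid archive bombs.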
Fortinet also reported in its blog post that it found two unique hashes of Diablo6, which means "newly created samples are being pushed, possibly with different configurations, or simply as an attempt to evade specific file signatures."
Diablo6's ransom note asks for 0.49 bitcoin, or roughly $1,600, BleepingComputer reported. If a machine is infected with either the Diablo6 or Lukitus version of Locky, its encrypted files cannot currently be recovered without the attackers' key.
"It's still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," the Fortinet blog post stated. "We'll probably see in the next few weeks or months, or maybe never."