After a drop during the first weeks of June, the spam campaigns distributing the Locky crypto-ransomware have returned as aggressive as ever. During normal spam campaigns we have seen around 4,000-10,000 spam hits a day.
Last week, from Wednesday to Friday, we observed a notable increase in the amount of spam distributing Locky. At peak we saw 30,000 hits per hour, bringing the daily total to 120,000 hits.
Yesterday, Tuesday, we saw two new campaigns of a totally different magnitude: more than 120,000 spam hits per hour. In other words, over 200 times more than on normal days, and 4 times more than during last week's campaigns.
The two campaigns were distributed simultaneously; they first spiked yesterday afternoon at 2pm (Helsinki time) and again around midnight.
The spam subject in one campaign is seemingly empty, just “Fw:”, with a zip attachment named xls_convert_recipientname_randomnumber.zip. The message body claims that the attachment contains requested invoices in Excel format. With this social engineering the attacker tries to lure the user into opening the attached file. Instead of a spreadsheet, the zip contains a JScript file that downloads and executes the Locky ransomware.
The other campaign was sent with the subject “Profile” and a similar zip attachment, named recipientname_profile_randomnumber.zip.
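As an added example (not code from the original post), the following Python triage routine shows how a mail gateway or SOC script could flag messages matching the two campaigns described above: it checks the attachment name against the two naming patterns, opens the zip in memory and reports any Windows Script Host file (.js, .jse, .wsf, .vbs and similar) inside it. The exact shape of “recipientname” and “randomnumber” is an assumption (the post does not spell it out), as are the constructed sample messages; the script bodies in the samples are harmless placeholders, not the real downloader.

```python
import io
import re
import zipfile

# Attachment-name patterns for the two campaigns. Assumption: "recipientname" is a
# run of alphanumerics, dots, dashes or underscores and "randomnumber" is all digits.
ATTACHMENT_PATTERNS = {
    "xls_convert": re.compile(r"^xls_convert_[A-Za-z0-9._-]+_\d+\.zip$", re.IGNORECASE),
    "profile": re.compile(r"^[A-Za-z0-9._-]+_profile_\d+\.zip$", re.IGNORECASE),
}

# Extensions that Windows Script Host runs on double-click. An "invoice" zip that
# contains one of these instead of a spreadsheet is a strong downloader indicator.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")


def classify_attachment(name, data):
    """Return (campaign_label, script_members) for one zip attachment.

    campaign_label is the matching key from ATTACHMENT_PATTERNS or None;
    script_members lists top-level archive entries with a script extension.
    """
    campaign = next((k for k, p in ATTACHMENT_PATTERNS.items() if p.match(name)), None)
    script_members = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                    script_members.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not a zip at all; nothing to inspect, leave script_members empty
    return campaign, script_members


def triage_message(subject, attachments):
    """attachments: list of (filename, bytes). Returns {"block": bool, "findings": [...]}.

    A message is blocked when any attachment carries a script file, or when it
    combines one of the campaign subjects with a campaign-style attachment name.
    """
    findings = []
    for name, data in attachments:
        campaign, scripts = classify_attachment(name, data)
        if campaign or scripts:
            findings.append({"attachment": name, "campaign": campaign, "scripts": scripts})
    campaign_subject = subject.strip().lower() in ("fw:", "profile")
    block = any(f["scripts"] for f in findings) or (
        campaign_subject and any(f["campaign"] for f in findings)
    )
    return {"block": block, "findings": findings}


def make_zip(members):
    """Build an in-memory zip from {filename: bytes}. Used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples modelled on the two campaigns (placeholder script bodies).
SAMPLE_INVOICE = make_zip({"xls_convert_alice_4821.js": b"WScript.Echo('placeholder');"})
SAMPLE_PROFILE = make_zip({"alice_profile_93012.jse": b"placeholder"})
SAMPLE_BENIGN = make_zip({"report.xlsx": b"placeholder spreadsheet"})

if __name__ == "__main__":
    print(triage_message("Fw:", [("xls_convert_alice_4821.zip", SAMPLE_INVOICE)]))
    print(triage_message("Profile", [("alice_profile_93012.zip", SAMPLE_PROFILE)]))
    print(triage_message("Q2 numbers", [("report.zip", SAMPLE_BENIGN)]))
```

The script-extension check is the durable part of this logic: attachment names and subjects change from one wave to the next, while a zip whose only payload is a .js or .jse file is suspicious regardless of the lure. Note that `classify_attachment` only looks at top-level entries; a script inside a nested archive would need the inner zip extracted and inspected in the same way.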
We block these samples with the following detections: