A New High For Locky

After seeing a drop during first weeks of June, the spam campaigns distributing Locky crypto-ransomware has returned as aggressive as ever. Normally we have seen around 4000-10,000 spam hits a day during spam campaigns.

Last week from Wednesday to Friday we observed a notable increase in amount of spam distributing Locky. At most we saw 30,000 hits per hour, increasing the daily total to 120,000 hits.

Yesterday, Tuesday, we saw two new campaigns with a totally different magnitude: more than 120,000 spam hits per hour. In other words, over 200 times more than on normal days, and 4 times more than on last week’s campaigns.

Import stats July 5-14 linegraph

The two campaigns were distributed simultaneously, and they initially spiked yesterday afternoon at 2pm (here in Helsinki), and a second time around midnight.

The spam subject in one campaign is seemingly empty, “Fw:”, with a zip file attachment named: xls_convert_recipientname_randomnumber.zip. The body of the message indicates that the attachment contains requested invoices in Excel file format. With these social engineering techniques the attacker tries to lure the user to open the attached file. Instead, the attached zip file contains a JScript file, downloading and executing the Locky ransomware.

spam_fw_20160712

The other campaign was sent with subject “Profile” containing a similar zip file attachment. The name of the attached file is: recipientname_profile_randomnumber.zip.

spam_profile_20160712

We block these samples with following detections:

  • Trojan-Downloader:JS/Kavala.S
  • Trojan-Downloader:JS/Locky.T
  • Trojan:W32/Locky.X!DeepGuard

SHA1s:

0117ad48e414813709940af1514db5944c4da5eb
8aada8b162b47f27e332c4ccc9a9b5e36594d034
01c99e8ca77851295b840e01ae3ff6ae7faa8d46
08788c185f8af2c4bce08af948daeb09c0d340d9
4d1c0884d9f63e9f361b77b5e6cb4e907e901480



Articles with similar Tags