Security researchers at Malwarebytes have warned about two new variants of Locky, a form of ransomware based on the Dridex banking Trojan, which was distributed particularly aggressively throughout 2016.
Indeed, Locky had been one of the three most widely distributed forms of ransomware in 2016, along with Cryptowall and Cerber. But although ransomware has boomed during 2017, particularly with the WannaCry outbreak in May, Locky has been quiet since February.
On 9 August, however, Locky made a dramatic return, using a new ransom note and file extension, '.diablo6', which it followed up a week later with another variant using the extension '.Lukitus'.
What hasn't changed, though, is the method of distribution.
Rather than rifling through the trove of spilt US National Security Agency exploits, as the groups behind WannaCry and NotPetya did, 'new' Locky is distributed via phishing emails containing malicious Microsoft Office files or zipped attachments containing a malicious script.
The new Locky variants, Malwarebytes adds, call back to different command and control (C2) servers and use the affiliate IDs AffilID3 and AffilID5.
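The two file extensions named above are the most visible host-side trace of an infection. As an added defender-side example (not code from the article or from Malwarebytes), the following flags a user who renames a burst of files to '.diablo6' or '.Lukitus' on a file share, using a constructed, hypothetical audit-log format:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the two August 2017 Locky variants append to encrypted files.
LOCKY_EXTENSIONS = {".diablo6", ".lukitus"}
# Constructed sample of a file-server rename audit log; format is hypothetical.
SAMPLE_LOG = """\
2017-08-16T10:01:02Z host=FS01 user=jdoe op=RENAME src=/share/docs/q3.xlsx dst=/share/docs/q3.xlsx.lukitus
2017-08-16T10:01:03Z host=FS01 user=jdoe op=RENAME src=/share/docs/notes.docx dst=/share/docs/notes.docx.lukitus
2017-08-16T10:01:03Z host=FS01 user=jdoe op=RENAME src=/share/docs/plan.pdf dst=/share/docs/plan.pdf.lukitus
2017-08-16T10:01:04Z host=FS01 user=jdoe op=RENAME src=/share/docs/budget.xlsx dst=/share/docs/budget.xlsx.lukitus
2017-08-16T10:01:05Z host=FS01 user=jdoe op=RENAME src=/share/docs/old.txt dst=/share/docs/old.txt.lukitus
2017-08-16T10:05:00Z host=FS01 user=asmith op=RENAME src=/share/hr/draft.docx dst=/share/hr/final.docx
2017-08-16T11:30:00Z host=FS02 user=bwong op=RENAME src=/share/eng/a.bin dst=/share/eng/a.bin.diablo6
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"op=RENAME src=\S+ dst=(?P<dst>\S+)$")

def parse_renames(log_text):
    """Yield (timestamp, host, user, dst_path) for every RENAME line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["host"], m["user"], m["dst"]

def is_locky_extension(path):
    """True when the new file name ends in one of the known Locky extensions."""
    return any(path.lower().endswith(ext) for ext in LOCKY_EXTENSIONS)

def detect_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(host, user): peak count} where >= threshold Locky renames fall in one sliding window."""
    events = defaultdict(list)
    for ts, host, user, dst in parse_renames(log_text):
        if is_locky_extension(dst):
            events[(host, user)].append(ts)
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:  # a single stray rename stays below the default threshold
                alerts[key] = max(alerts.get(key, 0), hits)
    return alerts
```

With the sample log, only jdoe on FS01 (five renames in three seconds) is flagged; bwong's single '.diablo6' rename is recorded but stays under the threshold.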
"Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more.
"The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it's not active at a particular given time," the company warned in a briefing note.
In 2016, a US hospital was forced to pay $17,000 in bitcoin in order to recover devices that had fallen victim to the Locky ransomware.
Locky is a variant on the Dridex banking Trojan, which is believed to have been behind the theft of around £20m from bank accounts in the UK alone.
In 2015, it was refitted for ransomware rather than stealing online banking credentials. Both Locky and Dridex are associated with the Necurs malware distribution botnet, a link that Proofpoint pointed out at the time.
"While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the past year," warned the company in an advisory.
It continued: "The actors behind Locky are clearly taking a cue from the Dridex playbook in terms of distribution. Just as Dridex has been pushing the limits of campaign sizes, now we're seeing even higher volumes with Locky, rivalling the largest Dridex campaigns we have observed to date."