
After months of recurring malicious email campaigns aimed at recipients in organizations all over the world, Locky ransomware strikes again.

Locky's persistence is already notorious: cyber criminals keep bringing it back in new email campaigns that prey on users with outdated, poorly protected systems. The most recent campaign, which started late last night, uses a new extension called .lukitus and was discovered by Rommel Joven. As usual, victims are told that the only way to get their files back is to pay the ransom the attackers demand.

The malicious email arrives in users' inboxes with one of the following subject lines:

< No Subject > or Emailing – CSI- [0-9] * _ MB_S_ [A-z0-9]

The email carries a zip or rar attachment containing JS files. When these files are executed, they download the payload from various malicious URLs, such as the ones below (sanitized for your online safety):

http: // angel demon [.] com / jbYUF6D

http: // Antibody Services [.] net / jbYUF6D

http: // ttytreffdrorseder [.] net / of / jbYUF6D

http: // asliozturk [.] com / jbYUF6D

http: // antwerpiastamps [.] BE / jbYUF6D

Another variation of the same email, also spotted yesterday (screenshot; source: Bleeping Computer).

To ensure that Locky can reach its C&C servers unhindered, it also uses a DGA (Domain Generation Algorithm), which produces domains such as the following, and many more (sanitized for your online safety):

http: // sorqjivpyfrwlo [.] Click / imageload.cgi

http: // dxeqiniexovy [.] org / imageload.cgi

http: // kokalgfsnepogq [.] ru / imageload.cgi

http: // kljidoejmiqx [.] org / imageload.cgi

http: // jcanepkjyu [.] biz / imageload.cgi
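As an added example (not part of the original article and not code from any of the researchers it cites), here is a small Python triage script that refangs sanitized indicators written in the article's "http: // host [.] tld / path" style, then runs them over a few proxy log lines together with two cheaper checks: the /imageload.cgi check-in path that the DGA domains above share, and a length-plus-entropy heuristic for random-looking domain labels. The log line format, the client addresses and the .example host are constructed for the demo. The entropy heuristic is deliberately shown to be noisy (an ordinary long word trips it), which is why host and path matches are reported as separate, stronger verdicts.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Sanitised indicators copied from the article above (the spacing is the
# article's own defanging style).  Only a subset is needed for the demo.
DEFANGED_IOCS = [
    "http: // asliozturk [.] com / jbYUF6D",
    "http: // ttytreffdrorseder [.] net / of / jbYUF6D",
    "http: // sorqjivpyfrwlo [.] Click / imageload.cgi",
    "http: // kokalgfsnepogq [.] ru / imageload.cgi",
]

# Check-in path shared by the DGA domains listed in the article.
C2_PATH_RE = re.compile(r"^/imageload\.cgi$")

# Constructed proxy log lines for the demo: "timestamp client method url status".
SAMPLE_PROXY_LOG = [
    "2017-08-16T09:14:02Z 10.0.0.15 GET http://sorqjivpyfrwlo.click/imageload.cgi 200",
    "2017-08-16T09:14:05Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2017-08-16T09:14:09Z 10.0.0.22 POST http://kljidoejmiqx.org/imageload.cgi 200",
    "2017-08-16T09:15:11Z 10.0.0.15 GET http://asliozturk.com/jbYUF6D 200",
    "2017-08-16T09:15:40Z 10.0.0.31 GET http://quickbrownfoxes.example/about 200",
    "this line is deliberately malformed",
]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(url):
    """Turn a defanged URL back into a parseable one.

    Accepts the article's "http: // host [.] tld / path" style as well as the
    common "hxxp://host[.]tld/path" form.  Host is lower-cased, path is kept.
    """
    compact = "".join(url.split())                      # drop every whitespace run
    compact = compact.replace("[.]", ".").replace("(.)", ".")
    compact = re.sub(r"^hxxp", "http", compact, flags=re.I)
    parts = urlsplit(compact)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for the empty string)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(host):
    """Crude second-level label: 'sorqjivpyfrwlo' for 'sorqjivpyfrwlo.click'.

    Assumes single-label public suffixes, which holds for the TLDs on this
    page; use a public-suffix list for co.uk-style domains in production.
    """
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def looks_like_dga(host, min_len=10, min_entropy=3.0):
    """Length-plus-entropy heuristic for random-looking labels.

    Deliberately noisy: long ordinary words also pass, so treat a hit as a
    hint to be combined with other evidence, never as a verdict by itself.
    """
    label = registrable_label(host)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def classify(url, ioc_hosts):
    """Strongest applicable verdict for one URL.

    'ioc'      known bad host from the refanged indicator list
    'c2-path'  the Locky check-in path on a host not in the list
    'dga-like' only the heuristic fired
    'clean'    nothing matched
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in ioc_hosts:
        return "ioc"
    if C2_PATH_RE.match(parts.path):
        return "c2-path"
    if looks_like_dga(host):
        return "dga-like"
    return "clean"


def scan(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Return a hit record for every log line that is not clean."""
    ioc_hosts = {urlsplit(refang(u)).hostname for u in defanged_iocs}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                                    # skip, do not abort triage
        verdict = classify(m["url"], ioc_hosts)
        if verdict != "clean":
            hits.append({"client": m["client"], "url": m["url"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG):
        print(f"{hit['verdict']:9} {hit['client']:12} {hit['url']}")
```

Running it on the constructed log reports the two known hosts as ioc hits, the unlisted DGA domain as a c2-path hit (the path alone is enough, which matters because the DGA keeps producing hosts no feed has seen yet), and the harmless quickbrownfoxes.example as dga-like only, a reminder that entropy on its own is not evidence.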

Once the payload is downloaded and executed, it scans the computer and encrypts the user's files, renaming them in the following format:

[first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus.

After encryption finishes, Locky deletes the downloaded executable and drops ransom notes named lukitus.htm and lukitus.bmp, which are shown to the user and explain how to pay and, supposedly, get the files back.
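As an added example, not from the article or from any of the researchers it cites, the following Python script turns the naming scheme above into a filesystem triage check. It walks a directory, matches file names against the 8-4-4-4-12 hex pattern with the .lukitus extension, collects the leading 16 hex characters (the victim-id prefix the article describes) so an analyst can tell whether one or several infections are present, and records where the lukitus.htm / lukitus.bmp notes were dropped. The directory it scans is built in a temporary folder from made-up names and contents; none of it is a real sample.

```python
import os
import re
import shutil
import tempfile

# File name shape described above: 8-4-4 hex characters of the victim id, then
# 4 and 12 further hex characters, then the .lukitus extension.  Matched
# case-insensitively so both upper- and lower-case hex are caught.
LUKITUS_NAME_RE = re.compile(
    r"^(?P<victim>[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4})-[0-9A-F]{4}-[0-9A-F]{12}\.lukitus$",
    re.IGNORECASE,
)

# Ransom note names the article reports.
RANSOM_NOTE_NAMES = {"lukitus.htm", "lukitus.bmp"}


def triage(root):
    """Walk root and report encrypted files, victim-id prefixes and note locations.

    Paths are returned relative to root so the result is reproducible on any host.
    """
    encrypted, notes, victims = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            rel_path = os.path.normpath(os.path.join(rel_dir, name))
            m = LUKITUS_NAME_RE.match(name)
            if m:
                encrypted.append(rel_path)
                victims.add(m["victim"].upper())
            elif name.lower() in RANSOM_NOTE_NAMES:
                notes.append(rel_path)
    return {
        "encrypted": sorted(encrypted),
        "victim_ids": sorted(victims),       # more than one entry means more than one infection
        "notes": sorted(notes),
    }


def build_sample_tree():
    """Create a constructed directory that mimics a hit user profile; return its path.

    Names and contents are made up for the demo and contain no real sample.
    """
    root = tempfile.mkdtemp(prefix="lukitus-demo-")
    layout = {
        "Documents/A1B2C3D4-E5F6-0718-9A0B-1C2D3E4F5A6B.lukitus": b"\x00" * 32,
        "Documents/A1B2C3D4-E5F6-0718-FFFF-000011112222.lukitus": b"\x00" * 32,
        "Documents/lukitus.htm": b"<html>constructed note</html>",
        "Pictures/a1b2c3d4-e5f6-0718-0001-aaaabbbbcccc.lukitus": b"\x00" * 32,
        "Pictures/lukitus.bmp": b"BM",
        "Pictures/holiday.jpg": b"\xff\xd8",          # untouched file, must not be reported
        "Pictures/notes.lukitus": b"",                 # right extension, wrong shape
        "Desktop/report.docx": b"PK",                  # untouched
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def remove_sample_tree(root):
    """Delete the constructed tree; guarded so it only ever removes a demo folder."""
    if os.path.basename(root).startswith("lukitus-demo-"):
        shutil.rmtree(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        report = triage(demo_root)
        print(f"encrypted files : {len(report['encrypted'])}")
        print(f"victim id prefix: {', '.join(report['victim_ids'])}")
        print(f"ransom notes    : {', '.join(report['notes'])}")
    finally:
        remove_sample_tree(demo_root)
```

The strict pattern is the point: a loose check on the .lukitus extension alone would also flag the oddly named notes.lukitus, while the full 8-4-4-4-12 shape only matches what Locky itself writes, and grouping by the 16-character victim prefix is what lets you tell one infected user from several.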

Screenshot of the Locky .lukitus ransom note as displayed on an infected computer (source: Bleeping Computer).

Although free decryption tools exist for a number of other ransomware families, this Locky .lukitus variant remains unbroken: at the time of writing there is no way to decrypt .lukitus files for free.

When the sample was first posted, VirusTotal showed only 7 of 53 antivirus engines detecting it. A later rescan raised that to 20 of 53.

Source: VirusTotal

UPDATE: A new malicious campaign was spotted today

The new wave of Locky ransomware has been extremely aggressive: it has been part of no fewer than nine successive spam email campaigns this week.

The attachments in today's spam campaign look like the ones in the screenshot; once opened, the embedded Visual Basic Script file runs.

The Nemucod downloader, which is what makes Locky's distribution so fast, then connects to multiple domains and fetches the ransomware from one of them (URLs sanitized for your online protection). Here are just a few of them:

http: // opvoedcoach [.] nl / yb8w7fg?

http: // cars2mobile [.] com / yb8w7fg?

http: // spacerek [.] pl / yb8w7fg?

http: // ttytreffdrorseder [.] net / of / yb8w7fg?

http: // songtinmungtinhyeu [.] org / yb8w7fg?

Once it runs on the victim's machine, the user's data is encrypted and given the .lukitus file extension.

Update: VirusTotal now shows 23 of 57 antivirus engines detecting this malicious file.

Here's what you can do to protect yourself from this new ransomware attack:

  • Back up, back up and back up again! Keep at least two backups of your important data on external media, such as an external hard drive, or in the cloud (Google Drive, Dropbox, etc.). This guide shows how to do it.
  • Update, update and update again! Once again, we remind users to install all the latest updates for the applications on their device, including the operating system.
  • Do not open or download email attachments, and do not click links, that come from unknown or suspicious sources; they can infect your device.
  • Make sure you run an up-to-date security product (antivirus), or a proactive security product that blocks access to infected domains and servers.

Ransomware attacks are on the rise and keep appearing in new forms. Once again, we remind you how important it is to be proactive and take all the necessary measures to protect your sensitive data.

*This article features cyber intelligence provided by CSIS Security Group researchers.


Comments

Hi, my documents were destroyed by the lukitus ransom last week, including my baby son's photos. I cannot afford the payment and do not even know whether he would give the private key after payment. Did the creator leave any email that I can negotiate with? Thank you!

Hello Lu! Really sorry to hear about that, but there’s nothing you can do at this time. Paying the ransom doesn’t guarantee you’ll get your files back.
