Mass email campaign

Recently, researchers at two security companies have independently detected two massive email campaigns, broadcasting two different but new variants of Locky ransomware. The campaign discovered by AppRiver researchers sent more than 23 million messages containing Locky ransomware in just 24 hours on August 28 in the United States in what appears to be one of the largest malware campaigns in the second half of this year.

Locky Lukitus

According to the researchers, emails sent in the attack were “extremely inaccurate”, with subjects such as “print, please”, “documents”, “images”, “photos”, “drawings” and “scans”. victims to become infected with Locky ransomware. The email comes with a ZIP attachment (hidden malware payload) that contains a Visual Basic Script (VBS) file inside a secondary ZIP file. Once a victim is cheated to click on it, the VBS file starts a downloader that downloads the latest version of Locky ransomware, called Lukitus and encrypts all files on the targeted computer. Once the encryption process is complete, the malware displays a ransomware message on the victim’s desktop that instructs you to download and install the Tor browser and visit the attacker’s site for additional instructions and payments. This Locky Lukitus variant asks a sum of 0.5 Bitcoin from the victims to pay for a “Locky decryptor” in order to recover their files. This Lukitus attack campaign is still ongoing, and AppRiver researchers have quarantined more than 5.6 million messages in the Monday morning campaign. Unfortunately, this variant is impossible to decipher at the moment.


In an independent investigation, security firm Comodo Labs uncovered another massive spam campaign in early August, which sent more than 62,000 spam messages with a new variant of Locky ransomware in just three days in the first stage of the attack. Nicknamed IKARUS, the second variant of this ransomware has been distributed using 11,625 different IP addresses in 133 different countries, probably made with a botnet of zombie computers to perform coordinated phishing attacks. The original attack was first identified on August 9 and lasted three days. It used unwanted e-mail messages that also contained a Visual Basic Desktop (VBS) attachment. This malicious file, if clicked, followed the same operation mentioned in the previous case. Cybercriminals operating Locky’s IKARUS variant require bailouts between 0.5 and 1 Bitcoin to decrypt the files. This massive ransomware campaign has attacked tens of thousands of users around the world, with the top five countries being Vietnam, India, Mexico, Turkey, and Indonesia. It is best to be alert to emails that we can receive and that we are not sure. Always keep your system updated and with software that allows us to deal with possible threats. So, what do you think about this? Simply share your views and thoughts in the comment section below.