A new "aggressive" Locky ransomware campaign has seen cybercriminals launch around 20 million fresh attacks in just a day. Security experts say that the new campaign has begun recently, indicating that more attacks may be imminent, should the campaign continue with the same intensity.
According to security researchers at Barracuda Advanced Technology Group, who have been monitoring the attacks, the largest volume of ransomware attacks appears to be coming from Vietnam, indicating that organisations there may be hit hardest. The hackers also targeted India, Columbia, Greece and Turkey.
"These attacks have been morphing throughout the day, but they all use fake source email addresses. The earliest examples came from Vietnam and Greece," Barracuda researchers said in a report.
"This kind of large-scale attack was inevitable. Criminal organisations now realise that a certain percentage of ransomware victims will pay the ransom, so the bigger the campaign, the larger the number of victims who will pay up. A Greater financial opportunity has seen ransomware going 'corporate' in recent times. The trend towards larger and larger campaigns doesn't show any signs of slowing in the future," Barry Shteiman, director of threat research at Exabeam told IBTimes UK.
The attacks were initially launched via a generic email. However, later, the hackers disguised the emails as purporting to be from "Herbalife." Researchers have identified around 6,000 "fingerprints" hinting that the attacks are being automatically generated. The attacks are using a single Locky variant with one identifier. Researchers say that the identifier allows the hackers to identify the victims, so when they pay up, the attackers can give them the decryption key.
"In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them," Barracuda researchers said. "This attack is also checking the victim computer language files, which may lead to an internationalized version of this attack in the future."
Researchers also observed tow new wrappers, one impersonating a voicemail message and another impersonating invoicing from marketplace.amazon.uk. However, no increase in the attack targeting UK domains has been observed. "We are still observing approximately 1 million of these attacks per hour, though we may see an uptick with the new wrappers," researchers said.