'Massive' Locky ransomware campaign hits hospitals in US, Japan and South Korea

The prolific Locky ransomware has set its sights on industries and primarily the healthcare sector. A "massive" campaign spotted by security researchers in August, was found to be delivering Locky via email phishing campaigns. The top three nations targeted by the ransomware were the US, Japan and South Korea. Hospitals in these three countries were especially hit hard by the ransomware campaign.

According to FireEye security researcher Ronghwa Chong, the current campaign saw a shift in Locky being delivered via macro-enabled DOCM word files, while a previous campaign noted by the security firm involved hackers using a JavaScript attachment to drop the ransomware and infect systems.

"In this instance, we are seeing a shift from using a JavaScript based downloader to infect victims to using the DOCM format. These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximise their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick," Chong added.

Locky is a popular ransomware strain among cybercriminals, which after infecting victims' systems, encrypts their files, prompting victims to pay up a ransom to get back their stolen data. In March, security researchers noted a substantial spike in Locky's activities. Locky gained notoriety after the high-profile attack on the Hollywood Presbyterian Medical Centre, which saw the hackers behind the ransomware making away with $17,000 in Bitcoins as ransom.

FireEye noted that each of the email campaigns came with a "specific 'one-off' campaign code that is used to download the Locky ransomware payload from the malicious malware server". The ransomware also affected the manufacturing, telecom and transportation industries, among others. Countries, including Germany, Hong Kong, Saudi Arabia, Australia, Canada and UK were also targeted by the Locky campaign. It is still unclear as to how many were affected by the Locky campaign.

"The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing. On top of that, cybercrime trends have shown that attackers are distributing more ransomware these days than banking trojans, as the former appears to be more lucrative. These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations," Chong said.