Ransomware infections are surging as 'Locky' evolves into an effective cyberweapon

Security experts are warning that a sudden surge in ransomware is hitting unwitting internet users disguised as junk mail that, if opened, will lock down computer systems and charge hundreds of pounds for the release of personal files.

The spike in attacks has been blamed on the rapid ascension of a new malware strain dubbed 'Locky' that only appeared on the scene two weeks ago but has already gained notoriety for its effectiveness. Like many other ransom-based malware, Locky currently charges infected users bitcoin in exchange for access to encrypted files.

The initial strain of Locky, first exposed by Palo Alto Networks on 16 February, was discovered in macros for Microsoft Word. However, experts are now warning that its developers have switched to using Javascript-based attachments. Locky is distributed through spam messages and is thought to be using the same botnet as the infamous banking malware Dridex.

"We are currently seeing extraordinary (sic) huge volumes of JavaScript attachments being spammed out, which, if clicked on by users, lead to the download of a ransomware," revealed Rodel Mendrez, security researcher with Trustwave. "Our spam research database saw around four million malware spams in the last seven days, and the malware category as a whole accounted for 18% of total spam arriving at our spam traps."

Over the past 30 days, Trustwave experts said they recorded concentrated bursts of ransomware activity and at one point a peak of 200,000 emails hit their servers in a single hour.

Playing in the big league

Yet Trustwave is not the only major security firm to be noticing this surge in ransomware activity with experts at Fortinet also publishing evidence that Locky has quickly taken a place beside other established ransomware strains like Crytowall and TeslaCrypt.

"Locky already covers a big chunk of the infections in the two weeks of its existence. It also surpassed TeslaCrypt infections which shows significantly lower hits," reported security researcher Roland Dela Paz.

By analysing a massive 18.6 million hits from CryptoWall, TeslaCrypt and Locky communications combined, Locky alone accounted for a significant 16.47% of the total amount – not bad for the new malware on the block.

Steve Ward, senior director at security firm iSIGHT Partners told IBTimes UK: "Locky is likely operated by the same actors managing Dridex botnets and, barring law enforcement intervention, will highly likely remain a significant threat for the long-term."

Ransomware attacks have been hitting a number of high-profile targets since the beginning of the year, with the most recent targeted being a US-based hospital which was forced to pay cybercriminals $17,000 in order to remove the malware and unlock crucial computer systems.

"Ransomware is a particularly nasty form of malware because once you are hit with its encryption, your files are toast," Rahul Kashyap, principal systems engineer with security firm Bromium recently told IBTimes UK.

"Anti-virus can't do anything to bring those encrypted files back to you. Many times, when you are hit with ransomware it is impossible to get your files back because the payment processing may fail or the encryption keys may not work. The ransomware trend will only continue if those infected continue to pay the ransom. We cannot encourage this behaviour, so we suggest these ransoms are not paid."