The operators of the proliferate Locky ransomware appear to be hard at work. Last week, security experts identified a new variant of Locky, dubbed Diablo6, being distributed in fresh attacks across the globe. Now, the cybercriminals operating Locky have come up with another new variant dubbed Lukitus. Locky's fresh spam campaign is now being boosted by the Necurs.
The latest Locky campaign is making use of a new malicious file to encrypt victims' data, according to Malwarebytes researcher Marcelo Rivero. In this case, Locky's spam email campaign is making use of a malicious PDF file to steal victims' files. The new campaign also makes use of a different C&C (command and control) server, presumably in efforts to evade detection.
"Since the return on Aug. 9, we see a new daily campaign, which is increasing in its aggressiveness and generates almost 1 spam per second," Malwarebytes told IBTimes UK. "The campaigns are global - but certainly the US is among the most targeted."
Bleeping Computer reported that at present, the cybercriminals operating Locky are currently demanding a ransom of 0.49 bitcoins ($2,000).
Unfortunately, there is no decryption tool available for Locky's two new variants. Meanwhile, the two variants are being pushed by the Necurs botnet, which has previously also been used to boost other malware variants, including Dridex and TrickBot. Necurs, considered one of the world's worst botnet went offline earlier in the year, during which time Locky's distribution also dropped.
"Over the last few months, Locky has drastically decreased its distribution, even failed to be distributed at all, then popped back up again, vanished and reappeared once more," Rivero said. "The ups and downs of Locky remain shrouded in mystery. One thing time has taught us is that we should never assume Locky is gone simply because it's not active at a particular given time."