Locky Gets Updated to ‘Ykcol,’ Part of Rapid-Fire Spam Campaigns

Cybercriminals behind the Locky ransomware have revamped the malware’s code three times in a 30-day period and blasted out massive spam campaigns.
According to researchers at Trustwave, the latest variant of Locky ransomware is called Ykcol (that’s Locky spelled backwards) and was part of a Sept. 19 spam blast targeting 3 million inboxes within a three-hour period. Messages were sent from the notorious Necurs botnet.
That campaign dovetails with recent campaigns that pushed out the Locky variants Lukitus and Diablo during the same 30-day period between Aug. 14 and Sept. 19. The Lukitus campaign started at the end of August and lasted more than a week, sending 15 million to 20 million emails.
“The behavior is the same, but the extensions used to encrypt the files and the malware binaries are constantly changing,” said Karl Sigler, threat intelligence manager for SpiderLabs at Trustwave. With Ykcol, encrypted files use the extension .ykcol. Sigler said Locky authors also “tweak” the malware’s binaries, only slightly changing code such as variable names or internal logic.
“They are constantly updating the malware to evade detection,” Sigler said.
As with the previous Lukitus version of Locky, the Ykcol ransomware follows the same convention and is packed with Game of Thrones references. References in the malware’s Visual Basic script include “Aria,” “HoldTheDoor,” “SansaStark,” “Throne,” and the misspelled “JohnSnow” and “RobertBaration.”
“What is most interesting with Ykcol is how it has changed its strategy when it comes to getting onto the victim’s system,” Sigler said.
Where Diablo used fake invoices and Lukitus tried everything under the sun from malicious URLs, Office docs and compressed script files (java or .vbs), Ykcol’s strategy is to send “vague” invoices that show up blank.
“With Ykcol they appear to limit the campaign to a fake invoice with minimal information. The attachment is a 7zipped VBScript that downloads Locky,” he said. Because 7zip is a less common archive format than Zip or RAR, some A/V scanners may have trouble inspecting such attachments.
If the malicious attachment is opened, a JS downloader uses either an XMLHttpRequest object (which can be used to request data from a web server) or PowerShell commands to download the binary files. The attachment’s macro script is also responsible for executing the downloaded binaries.

“It’s about options. Local endpoint protection may have heuristics looking for scripts to invoke Powershell or the XMLHTTP methods of downloading. By using both, one or the other may be able to bypass those protections,” Sigler said.
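A defensive illustration of the point Sigler makes, added here and not part of Trustwave’s research: a small triage routine that flags a script attachment when it carries either download channel (XMLHTTP or PowerShell) together with an execution call, so a rule that watched for only one of the two would not be bypassed, and that flags 7z archives wrapping a script. The sample scripts, regexes and file names below are constructed for the example and are not Locky code.

```python
import re

# Constructed, inert samples in the shape the article describes: one reaches out via the
# XMLHTTP object, the other shells out to PowerShell. Neither does anything when run.
SAMPLE_XMLHTTP = '''
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://example.invalid/...", False
Set sh = CreateObject("WScript.Shell")
sh.Run "..."
'''
SAMPLE_PS = '''
Set sh = CreateObject("WScript.Shell")
sh.Run "powershell.exe -NoProfile -Command ...", 0, True
'''
SAMPLE_BENIGN = '''
MsgBox "Invoice total: 0.00"
'''

# Two independent download channels; a detector that checks only one is the gap Sigler describes.
DOWNLOAD_INDICATORS = {
    "xmlhttp": re.compile(r"MSXML2\.(Server)?XMLHTTP|XMLHttpRequest", re.I),
    "powershell": re.compile(r"\bpowershell(\.exe)?\b", re.I),
}
# Execution of whatever was fetched: shell object creation or a Run call.
EXEC_INDICATOR = re.compile(r"WScript\.Shell|Shell\.Application|\.Run\b", re.I)

ARCHIVE_EXTS = (".7z", ".zip", ".rar")
SCRIPT_EXTS = (".vbs", ".js")


def classify_script(text: str) -> set:
    """Return the download channels found; add 'download+exec' when one is paired with execution."""
    hits = {name for name, rx in DOWNLOAD_INDICATORS.items() if rx.search(text)}
    if hits and EXEC_INDICATOR.search(text):
        hits.add("download+exec")
    return hits


def suspicious_attachment(filename: str, inner_names: list) -> bool:
    """Flag an archive attachment (e.g. a fake invoice .7z) whose contents include a script file."""
    if not filename.lower().endswith(ARCHIVE_EXTS):
        return False
    return any(n.lower().endswith(SCRIPT_EXTS) for n in inner_names)


if __name__ == "__main__":
    for label, sample in (("xmlhttp", SAMPLE_XMLHTTP), ("powershell", SAMPLE_PS), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(classify_script(sample)))
    print(suspicious_attachment("invoice_0919.7z", ["invoice_0919.vbs"]))
```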
He added that from Diablo to Ykcol the ransom dropped from 0.5 bitcoins to 0.25 bitcoins, or from $2000-$2500 to $1000-$1250. He also noted that while there is a free decryption key for older versions of Locky, it won’t work on the newer versions.
Over the past two years, 35 unique ransomware strains earned cybercriminals $25 million, with Locky and its many variants being the most profitable, according to a study released in July by Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering. Locky has pulled in $7 million in ransomware payments since 2016.
“These behaviors reveal a constantly evolving bag of tricks, where the campaigns change daily, yet deliver the same ultimate payload,” wrote Trustwave in an upcoming blog post outlining the research.
Trustwave said it suspects Ykcol has run its course and that cybercriminals behind the Locky ransomware are already working on an updated variant.