Comodo researchers recently uncovered a new ransomware campaign that launched on August 9, targeting tens of thousands of victims with a simple email delivering just an attachment and no text.
The attachment is a zip file with the name “E 2017-08-09 (xxx).xxx,” with the number in parentheses and the file extension varying with each email.
When executed, the attachment downloads a new Locky ransomware variant called IKARUSdilapidated.
“Named for the appearances of ‘IKARUSdilapidated’ in the code string, it is clearly related to the ‘Locky’ Trojan and shares some of its characteristics,” the researchers note. “As a new malware variant, it is read as an ‘unknown file’ and is allowed entry by organizations not using a ‘default deny’ security posture (which denies entry to all unknown files until it is verified that they are ‘good’ files and are safe to have enter the IT infrastructure).”
When the victim opens the attached document, it appears to be unreadable, with the phrase “Enable macro if data encoding is incorrect,” a social engineering technique intended to trick the user into enabling macros. If the victim does so, the macros then run a binary file that downloads an encryption Trojan, which then encrypts all files that match specific extensions.
The victim is then directed to download the Tor browser and visit a specific website that demands a ransom payment of between 0.5 and 1 bitcoin to decrypt the victim’s files.
Comodo-protected endpoints detected more than 62,000 phishing emails delivering the new threat on August 9, 10, and 11 alone.
Over 11,000 different IP addresses from 133 different countries were used to deliver the attacks. “This quantity of servers can only be used for a specific task if they are formed into a large bot network (or botnet), and have a sophisticated command and control server architecture,” the researchers note.
A $25 Million Threat
At Black Hat USA 2017 last month, researchers presented the results of a study by Google, Chainalysis, UC San Diego and the NYU Tandon School of Engineering, which found that 35 ransomware strains earned cybercriminals $25 million over the past two years.
At $7.8 million in payments, Locky and its variants were the most profitable form of ransomware, Kaspersky reports.
“Ransomware is here to stay, and we will have to deal with it for a long time to come,” Google senior strategist Kylie McRoberts said.
Tripwire principal security researcher Travis Smith told eSecurity Planet by email that the main reason for ransomware’s popularity is the fact that cybercriminals can profit from it so quickly. “For ransomware, the attacker just needs one low-level employee to click a link or open an attachment,” he said.
“That one click then allows them to immediately be paid hundreds, if not millions, of dollars in nearly anonymous cryptocurrency,” Smith added.