The Ransomware Epidemic: 23 Million Spam Emails Distribute Locky in a Single Day

AppRiver researchers recently observed more than 23 million spam emails sent in a single 24-hour period as part of a massive campaign distributing Locky ransomware. The researchers called it “one of the largest malware campaigns that we have seen in the latter half of 2017.”

The spam emails, which use the subject lines “please print,” “documents,” “photo,” “images,” “scans” and “pictures,” hold ZIP attachments containing VBS files. When opened, the VBS file downloads the Locky ransomware, which then encrypts all files on the victim’s system and demands 0.5 bitcoins (approximately $2,450) to decrypt them.

According to Malwarebytes Labs, that campaign is one of several currently distributing Locky, one of which, distributed via a malicious Word document, waits until the doc is closed before activating. The aim in that case, the researchers note, is to “exhibit a harmless behavior in many sandboxes while still infecting end users.”

Comodo researchers also report that a second wave of the IKARUSdilapidated ransomware, a new Locky variant, is being distributed in emails claiming to deliver scanned images from a scanner or printer at the victim’s organization, or masquerading as billing inquiries from the French post office.

“These malware authors are evolving and changing methods to reach more users and bypass security methods,” the researchers note.

Late Arrival

Webroot senior threat research analyst Tyler Moffitt told eSecurity Planet by email that the surge in ransomware distribution is happening unusually late in the year. “Locky was the number one ransomware infection used by cybercriminals in 2016,” he said. “We saw a decline of the Locky ransomware during the holiday period, which is normal if you consider the fact that most criminals take a ‘vacation’ during this time and are usually back around the January – February timeframe.”

But this year, Moffitt said, Locky campaigns didn’t show up until April. “Even then, the number we saw weren’t nearly the same numbers that Locky had infected the previous year,” he said. “August has seen a huge revamp with the necurs botnet, and millions of spam emails have been sent to victims all around the world.”

Balbix founder and CEO Gaurav Banga said by email that this should serve as a reminder of how significant a threat phishing really is. “Unfortunately, enterprises have no good way of measuring phishing risk for users across the enterprise to identify those that are most susceptible to such attacks and have access to sensitive data with high business impact,” he said. “With continuous phishing risk visibility, enterprises can get ahead of such attacks and prevent them before they happen.”

Security Shortcomings

Still, a Tripwire survey of 108 security professionals at Black Hat USA in July 2017 found that 68 percent of respondents didn’t feel confident their enterprises made the necessary improvements to protect against cyber attacks following the NotPetya and WannaCry ransomware outbreaks.

When asked what their organizations’ security shortcomings were, respondents’ leading answer was network device discovery at 28 percent, followed by vulnerability management (14 percent), administrative privilege management (6 percent) and audit log reviews (6 percent).

“Adopting best practices and leveraging critical security controls continues to be the best bet for defending against advanced adversaries, and can help close the gap within a business’ security infrastructure,” Tripwire vice president of product management and strategy Tim Erlin said in a statement.

“There is solid research that supports the claim that the vast majority of attacks are due to known vulnerabilities and preventable misconfigurations,” Erlin added. “It is important to understand that good security hygiene will greatly reduce the effectiveness of an attack and goes a long way to making the attacker’s job more difficult.”

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles