After a few months, Locky ransomware has reappeared

According to a Malwarebytes article, after going dark for months, Locky ransomware has returned with two new ‘flavors’. The new versions use new command-and-control servers and two new affiliate IDs: AffillD3 and AffillD5.

The way the ransomware spreads has not changed much: it still relies on phishing e-mails that carry malicious code in MS Office files or archived attachments.

Back in 2016, Locky was one of the top three ransomware families, alongside Cryptowall and Cerber. It came back in 2017, but more quietly. On August 9 it reappeared with a new ransom note and the extension .diablo6 for encrypted files. A week later, a second version appeared that uses the .Lukitus extension for encrypted files.
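The two extensions above are the indicator a defender can watch for on endpoints. The following is an added example, not code from the article or from Malwarebytes: it parses a constructed file-rename event log (the "HH:MM:SS RENAME old -> new" format is an assumption of this example) and flags renames to .diablo6 or .lukitus, reporting any minute in which they burst, since mass renaming is what encryption looks like in telemetry.

```python
import ntpath
import re
from collections import Counter

# Encrypted-file extensions the article reports for the two 2017 Locky variants.
LOCKY_EXTENSIONS = {".diablo6", ".lukitus"}

# Constructed sample of file-rename events (not real telemetry); the format
# "<HH:MM:SS> RENAME <old path> -> <new path>" is an assumption of this example.
SAMPLE_EVENTS = r"""
10:01:02 RENAME C:\Users\a\Documents\budget.xlsx -> C:\Users\a\Documents\A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6.diablo6
10:01:02 RENAME C:\Users\a\Documents\notes.docx -> C:\Users\a\Documents\0123456789ABCDEF0123456789ABCDEF.diablo6
10:01:03 RENAME C:\Users\a\Pictures\holiday.jpg -> C:\Users\a\Pictures\FEDCBA9876543210FEDCBA9876543210.DIABLO6
10:05:44 RENAME C:\Users\a\Desktop\draft.txt -> C:\Users\a\Desktop\final.txt
10:07:10 RENAME C:\Users\b\report.pdf -> C:\Users\b\00112233445566778899AABBCCDDEEFF.lukitus
"""

EVENT_RE = re.compile(r"^(\d\d:\d\d:\d\d) RENAME (.+?) -> (.+)$")


def parse_events(text):
    """Return (timestamp, old_path, new_path) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def locky_renames(events):
    """Keep only renames whose new name carries a Locky extension (case-insensitive)."""
    return [e for e in events if ntpath.splitext(e[2])[1].lower() in LOCKY_EXTENSIONS]


def detect(text, burst_threshold=3):
    """Return every Locky hit plus the HH:MM buckets with >= burst_threshold hits (mass encryption)."""
    hits = locky_renames(parse_events(text))
    per_minute = Counter(ts[:5] for ts, _, _ in hits)  # "HH:MM" bucket
    bursts = sorted(minute for minute, n in per_minute.items() if n >= burst_threshold)
    return {"hits": hits, "burst_minutes": bursts}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    print(len(result["hits"]), "Locky renames; burst minutes:", result["burst_minutes"])
```

A single hit is already worth an alert; a burst inside one minute is the point at which isolating the host makes sense.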

Locky's code base is derived from the Dridex banking trojan, and it is associated with the Necurs botnet, which serves as its distribution channel. The Dridex trojan is believed to be behind the theft of approximately 20 million pounds from UK bank accounts. Its code was then repurposed for ransomware instead of stealing credentials from online banking platforms.

Stay alert when opening attachments from unknown sources, and an antivirus or antimalware solution is always welcome. "Better safe than sorry!" is a phrase we use.
