A second wave of the Locky ransomware variant called IKARUSdilapidated has been identified by security experts. The source of the ransomware is a botnet of zombie computers coordinated to launch phishing attacks that send emails and attachments appearing to come from a targeted recipient’s trusted business-class multifunction printer.
This is the second wave of IKARUSdilapidated ransomware spotted in the past month, according to Comodo Threat Intelligence Lab. The original attack, first identified on Aug. 9 and lasting three days, utilized spam messages that contained little to no content along with a malicious Visual Basic Script attachment.
“This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” said Fatih Orhan, director of technology at Comodo, in an interview with Threatpost. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”
This most recent campaign was delivered over the course of three days starting Aug. 18 in three stages. The first two stages of the attack were the largest and involved the bogus scanned image attachment.
“In contrast to the initial (Aug. 9) 2017 IKARUSdilapidated Locky campaign, which distributed malware with the ‘.diablo’ extension and a script that is a Visual Basic Script, both new attacks have interesting variations to fool users with social engineering and to fool security administrators and their machine learning algorithms and signature-based tools,” researchers said in a technical analysis of the attack.
The name of the Locky ransomware strain IKARUSdilapidated is derived from a text string found in the code of the malicious file downloaded by the dropper. Researchers say IKARUSdilapidated is a variant of Locky because they share many of the same characteristics such as encrypted filenames converted to a unique 16-letter and number combination.
“This shows that the malware authors are evolving and changing methods to reach more users and bypass security methods,” Orhan said.
According to an analysis of the botnet used in the attacks 54,048 IP addresses were used in the “scanned image” campaign – 27 percent of those were also used in the original attack that began on Aug. 9. The top source countries behind the “zombie computer” botnet are Vietnam, Turkey, India and Mexico. Targeted countries included European and Southern Asia-based countries with minimal targeting of the United States and Russia.
Locky is notorious for its effectiveness and profitability. Over the past two years, Locky has extorted more than $7.8 million in payments from victims, according a recent study by Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering.