Over the past few days, the developers of the Locky ransomware have intensified their operations, distributing thousands of spam emails carrying malicious attachments. Once opened, the attachments install a brand new version of Locky that can operate even without an Internet connection.
Monitoring the campaign, security company F-Secure reported that on July 12 the Locky operators sent out as many as 120,000 spam messages per hour, in two massive surges of activity.
As in previous Locky campaigns, the attachments were ZIP archives containing a JavaScript file which, when executed, installed the Locky ransomware on the system. Separately, researchers at the German security vendor Avira detected a new version of Locky that can work in “offline mode.”
Avira’s researchers say they first recorded the new variant on July 12, the same day as the spam surge. However, Avira reported independently of F-Secure, so it has not been confirmed that this spam wave is what delivered the new variant.
The new version differs markedly from earlier Locky variants, which needed an Internet connection before they could start encrypting, because the key used to encrypt files was fetched from the command-and-control server at infection time. Because of this, network administrators found that cutting a company’s Internet access as soon as one Locky infection was detected also stopped subsequent infections on other machines from encrypting anything.
The Locky developers appear to have addressed this and created a version that works around the limitation, albeit at the cost of a weaker encryption scheme.
“That [speaking of Locky’s offline mode] makes it tougher to block,” said Lyle Frink from Avira. “But this new variant may have the weakness that, once someone has paid the ransom for their private key ID, it should be possible to reuse the same key for other victims with the same public key.”
This could matter most in corporate environments, where the Locky operators are known to demand a higher ransom than usual once they realise they have infected a computer holding more valuable data.
Because the offline version of Locky generates the same ID for a given computer, whereas the online version generates a different ID for each infection, a victim could pull the infected computer off the corporate network, reinfect it so that it presents as an ordinary standalone victim, pay the lower ransom quoted for that ID, and then use the decrypter obtained to recover the files.
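To make the difference concrete, here is an added model, written for this page and not Locky’s code nor anything published by Avira or F-Secure, of the two key-management designs described above: the online variant fetching a fresh RSA key pair per infection from its command-and-control server, and the offline variant carrying a single public key embedded in the binary. The RSA and the file cipher are deliberately toy-sized stand-ins for the real algorithms, which the page does not detail; the C2Server class, the function names, the sizes and the sample files are all constructed for the illustration.

```python
"""Model (not Locky's code) of online vs offline key handling and why it matters.

Assumptions, not facts from the page: hybrid encryption with a random per-file
key wrapped under an RSA public key; toy RSA and a SHA-256 keystream stand in
for the real algorithms. Requires Python 3.8+ for pow(e, -1, phi).
"""
import hashlib
import secrets


# ---- toy RSA: textbook, 256-bit modulus, no padding. Models key handling only. ----
def _probable_prime(n, rounds=24):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c


def rsa_keygen(bits=256):
    """Returns (public, private) = ((e, n), (d, n)). Toy size, demonstration only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e is prime, so gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_wrap(pub, key16):
    e, n = pub
    return pow(int.from_bytes(key16, "big"), e, n)


def rsa_unwrap(priv, c):
    d, n = priv
    # n < 2**256, so the result fits in 32 bytes; a wrong key just yields 16 garbage bytes.
    return pow(c, d, n).to_bytes(32, "big")[-16:]


def stream_xor(key16, data):
    """Toy keystream (SHA-256 in counter mode) standing in for the file cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key16 + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# ---- the two variants ----
# Offline variant: one public key baked into every copy; the operator holds the private key.
OFFLINE_EMBEDDED_PUB, OFFLINE_OPERATOR_PRIV = rsa_keygen()


class C2Server:
    """Operator's server as used by the online variant: fresh key pair per infection ID."""
    def __init__(self):
        self._priv = {}

    def issue_public_key(self, infection_id):
        pub, priv = rsa_keygen()
        self._priv[infection_id] = priv
        return pub

    def sell_private_key(self, infection_id):    # what a paying victim receives
        return self._priv[infection_id]


def encrypt_files(files, pub):
    """Hybrid scheme: random per-file key, wrapped under the variant's RSA public key."""
    return {name: (rsa_wrap(pub, fk), stream_xor(fk, data))
            for name, data in files.items() for fk in (secrets.token_bytes(16),)}


def decrypt_files(enc, priv):
    return {name: stream_xor(rsa_unwrap(priv, w), ct) for name, (w, ct) in enc.items()}


def run_online_variant(files, c2, infection_id, internet_up):
    """Online variant must fetch its public key from the C2 before it can encrypt."""
    if not internet_up:
        return None                              # no key, nothing encrypted: the admins' mitigation
    return encrypt_files(files, c2.issue_public_key(infection_id))


def run_offline_variant(files, internet_up):
    return encrypt_files(files, OFFLINE_EMBEDDED_PUB)   # connectivity is irrelevant


# Constructed sample victims.
FILES_A = {"a.docx": b"quarterly numbers (constructed sample)"}
FILES_B = {"b.xlsx": b"payroll sheet (constructed sample, a bit longer than one block)"}


def online_key_for_a_decrypts_b():
    c2 = C2Server()
    run_online_variant(FILES_A, c2, "id-A", True)
    enc_b = run_online_variant(FILES_B, c2, "id-B", True)
    return decrypt_files(enc_b, c2.sell_private_key("id-A")) == FILES_B   # False: per-infection key


def offline_key_for_a_decrypts_b():
    run_offline_variant(FILES_A, False)
    enc_b = run_offline_variant(FILES_B, False)
    bought_key = OFFLINE_OPERATOR_PRIV           # the one key sold to victim A also fits victim B
    return decrypt_files(enc_b, bought_key) == FILES_B                     # True: shared public key


def encrypts_with_internet_cut(variant):
    if variant == "online":
        return run_online_variant(FILES_A, C2Server(), "id-A", False) is not None
    return run_offline_variant(FILES_A, False) is not None
```

Running the functions reproduces the two behaviours the article describes: with the Internet cut, run_online_variant returns None and nothing is encrypted, while run_offline_variant still encrypts; and the single operator private key that unlocks one offline victim's files unlocks every other offline victim's files, whereas the key bought for one online infection is useless against another.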