Locky Ransomware Makes a Comeback with New .Diablo6 and .Lukitus Variants

Tim Hux contributed to this blog.

Old threats die hard it seems as Locky ransomware, one of the most powerful threats out there, is back in town. Historically, we’ve seen this ransomware do serious damage, as it has rapidly adapted its capabilities to keep victims and security researchers bewildered. Now, it’s evolved with two new forms to become even more stealthy and advanced.

First, let’s back up – where did Locky get its start? Locky was discovered in late 2015 and has been one of the most prevalent ransomware threats to date, contending with the likes of Cerber, Petya, Spora, and WannaCry. In 2016, Locky hit its stride – infecting millions of users worldwide primarily through malicious attachments in spam emails. To become more agile, the malware changed what extension is appended to encrypted files and utilized the .locky, .zepto, and .odin extensions across unique instances. Fast forward to 2017 and the stealthy ransomware is back on the scene—equipped with two variants that leverage either the .Diablo6 or .Lukitus extension for encrypting files.

What do these .Diablo6 and .Lukitus variants look like? Both variants are distributed via spam emails, though this particular campaign sends them in the form of PDF attachments with embedded .DOCM files. They’re also spread through the Necurs botnet, which Locky used in the past.

Beyond utilizing the Necurs botnet, both variants do carry some other callbacks to older versions Locky. All variants (old and new) contain a flag in the code that checks if the language of the Windows operating system is Russian and will not run and encrypt victims’ files if so. This is most likely because the majority of Locky attacks are originating from Russia, as exemplified in this map below.

Given both .Diablo6 and .Lukitus are demanding a ransom of .49 BTC (roughly $1,900.00) for the decryption key to unlock the infected files and those behind Locky have yet to be identified, the next question is – what can users do to stay secure?

Start with education. Since the latest two variants of Locky come in the form of spam email with zip or rar attachments, it’s important everyone is trained on how to deal with suspicious emails. Additionally, be sure to back up your data often in case you need to wipe your device clean after an attack. You can do this by utilizing a backup drive or by backing up to the cloud. This way, you can easily retrieve your important information without paying a ransom.

Stay up-to-date on Locky ransomware and others like it by following @McAfee and @McAfee_Business.

Leave a Comment

2 × two =