Locky Ransomware Makes a Comeback with New .Diablo6 and .Lukitus Variants


Tim Hux contributed to this blog.

Old threats die hard, it seems, as Locky ransomware, one of the most powerful threats out there, is back in town. Historically, we’ve seen this ransomware do serious damage, as it has rapidly adapted its capabilities to keep victims and security researchers bewildered. Now, it has evolved into two new forms to become even more stealthy and advanced.

First, let’s back up – where did Locky get its start? Locky was discovered in late 2015 and has been one of the most prevalent ransomware threats to date, contending with the likes of Cerber, Petya, Spora, and WannaCry. In 2016, Locky hit its stride – infecting millions of users worldwide primarily through malicious attachments in spam emails. To become more agile, the malware changed what extension is appended to encrypted files and utilized the .locky, .zepto, and .odin extensions across unique instances. Fast forward to 2017 and the stealthy ransomware is back on the scene—equipped with two variants that leverage either the .Diablo6 or .Lukitus extension for encrypting files.

What do these .Diablo6 and .Lukitus variants look like? Both variants are distributed via spam emails, though this particular campaign sends them in the form of PDF attachments with embedded .DOCM files. They’re also spread through the Necurs botnet, which Locky used in the past.
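A defender-side triage check for the delivery method described above (an added example, not McAfee's code): it scans a PDF's uncompressed /Filespec dictionaries and flags embedded attachments whose name carries a macro-enabled Office extension. The sample PDF bytes and the name invoice.docm are constructed for the example; real lures may keep these objects inside compressed object streams, which this raw-byte scan does not decode.

```python
import re

# Extensions worth flagging when found embedded in a PDF attachment.
# The page names .DOCM; .dotm (macro-enabled template) is an added assumption.
MACRO_DOC_EXTENSIONS = (".docm", ".dotm")

# A PDF attaches a file through a /Filespec dictionary: /F or /UF holds the
# file name as a literal string, /EF points at the stream holding the payload.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec")
NAME_RE = re.compile(rb"/(?:UF|F)\s*\((.*?)(?<!\\)\)", re.DOTALL)


def embedded_file_names(pdf_bytes: bytes) -> list:
    """Names of files embedded via uncompressed /Filespec dictionaries."""
    names = []
    for m in FILESPEC_RE.finditer(pdf_bytes):
        # Look only at the rest of this object so a neighbouring object's /EF
        # cannot be mistaken for this Filespec's payload reference.
        window = pdf_bytes[m.end():m.end() + 512].split(b"endobj", 1)[0]
        if b"/EF" not in window:
            continue  # no /EF means it merely references an external file
        found = NAME_RE.search(window)
        if found:
            names.append(found.group(1).decode("latin-1"))
    return names


def suspicious_embedded_files(pdf_bytes: bytes) -> list:
    """Embedded file names whose extension is a macro-enabled Office document."""
    return [n for n in embedded_file_names(pdf_bytes)
            if n.lower().endswith(MACRO_DOC_EXTENSIONS)]


# Constructed minimal PDF: one embedded .docm lure and one harmless text file.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles"
    b" << /Names [(invoice.docm) 3 0 R (readme.txt) 5 0 R] >> >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm)"
    b" /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 2 >> stream\nPK\nendstream endobj\n"
    b"5 0 obj << /Type /Filespec /F (readme.txt) /EF << /F 6 0 R >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name in suspicious_embedded_files(SAMPLE_PDF):
        print("macro-enabled attachment embedded in PDF:", name)
```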

Beyond utilizing the Necurs botnet, both variants carry some other callbacks to older versions of Locky. All variants (old and new) contain a flag in the code that checks whether the language of the Windows operating system is Russian and, if so, will not run and encrypt victims’ files. This is most likely because the majority of Locky attacks originate from Russia, as the map below illustrates.

Both .Diablo6 and .Lukitus demand a ransom of 0.49 BTC (roughly $1,900.00) for the decryption key to unlock the infected files, and those behind Locky have yet to be identified, so the next question is: what can users do to stay secure?

Start with education. Since the latest two variants of Locky come in the form of spam email with zip or rar attachments, it’s important that everyone is trained on how to deal with suspicious emails. Additionally, be sure to back up your data often in case you need to wipe your device clean after an attack. You can do this by utilizing a backup drive or by backing up to the cloud. This way, you can easily retrieve your important information without paying a ransom.

Stay up-to-date on Locky ransomware and others like it by following @McAfee and @McAfee_Business.
