October 28, 2016
More than 14 million emails carrying the Locky ransomware variant were sent out to unsuspecting potential victims earlier this week, according to research conducted by security firm AppRiver.
The massive campaign likely relied on at least one botnet to send the barrage of emails, said analyst Jonathan French. Each email carried a malware-laden attachment causing a computer’s data to become encrypted when opened, holding the information ransom until payment is sent to the hacker.
Locky is a common, Windows-based ransomware variant that was first discovered in Feb. 2016. The typical ransom price to receive a decryption key for Locky is roughly 0.5 bitcoin, which is around $340 as of this article’s publication.
AppRiver was able to monitor the flood of Locky emails on Oct. 24 by tracking activity on a global network of honeypot servers deployed by the company.
“Virus hits are tabulated on a global scale across our servers,” French explained. “We are able to pull the hit statistics for a rule we have and see the counts over time. If we know which specific rule is blocking which campaign — such as one we add for brand new malware variants — we are able to give a size to the amount of emails caught as well as a time frame.”
French believes the immense one-day Locky campaign was likely perpetrated by a single, coordinated group of actors.
“The initial guess is due to the sudden drop in traffic during the 3 p.m. time frame and then a subsequent jump in virus traffic again,” French said. “It seems unlikely two botnets would be that coordinated in sending malware. Looking closer at some of the sending IP addresses between the two, we can see that many of the IPs were active during both malware pushes.”
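As an added illustration, not AppRiver's code or data, the following Python script applies the two checks French describes to constructed honeypot hit lines: it tabulates hits per hour for one blocking rule to locate the lull, then compares the sending-IP sets before and after it. The rule names, IP addresses and timestamps are all constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed honeypot hit log: "<ISO timestamp> <sending IP> <rule name>".
# Rule names and addresses are made up; the lull at 15:00 mirrors the article.
SAMPLE_LOG = """\
2016-10-24T13:05:00 198.51.100.10 LOCKY_ZIP_JS
2016-10-24T13:20:00 198.51.100.11 LOCKY_ZIP_JS
2016-10-24T13:40:00 203.0.113.5 LOCKY_ZIP_JS
2016-10-24T14:10:00 198.51.100.10 LOCKY_ZIP_JS
2016-10-24T14:30:00 203.0.113.7 LOCKY_ZIP_JS
2016-10-24T14:50:00 192.0.2.9 OTHER_RULE
2016-10-24T15:10:00 192.0.2.9 OTHER_RULE
2016-10-24T16:05:00 198.51.100.10 LOCKY_ZIP_JS
2016-10-24T16:15:00 203.0.113.5 LOCKY_ZIP_JS
2016-10-24T16:40:00 198.51.100.12 LOCKY_ZIP_JS
2016-10-24T17:00:00 203.0.113.7 LOCKY_ZIP_JS
"""

def parse_hits(text):
    """Turn each log line into (timestamp, sending_ip, rule)."""
    hits = []
    for line in text.splitlines():
        ts, ip, rule = line.split()
        hits.append((datetime.fromisoformat(ts), ip, rule))
    return hits

def hourly_counts(hits, rule):
    """Hit count per hour of day for one blocking rule (the 'size over time' view)."""
    counts = Counter()
    for ts, _, r in hits:
        if r == rule:
            counts[ts.hour] += 1
    return counts

def find_lull(counts, start_hour, end_hour):
    """Hours inside the campaign window with zero hits for the rule."""
    return [h for h in range(start_hour, end_hour + 1) if counts.get(h, 0) == 0]

def push_ip_overlap(hits, rule, lull_hour):
    """Sending IPs seen in both the pre-lull and post-lull pushes, plus Jaccard overlap."""
    before = {ip for ts, ip, r in hits if r == rule and ts.hour < lull_hour}
    after = {ip for ts, ip, r in hits if r == rule and ts.hour > lull_hour}
    shared = before & after
    return shared, len(shared) / len(before | after)

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    counts = hourly_counts(hits, "LOCKY_ZIP_JS")
    lull = find_lull(counts, 13, 17)
    print("hits per hour:", dict(sorted(counts.items())), "lull hours:", lull)
    print("shared IPs, overlap:", push_ip_overlap(hits, "LOCKY_ZIP_JS", lull[0]))
```

A high overlap between the two pushes supports the single-botnet reading; near-zero overlap would argue for separate sending infrastructure.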
Prior to Monday’s campaign, the Locky ransomware variant had remained relatively dormant for several weeks, with few cases being reported or spotted in the wild, security researchers tell CyberScoop.
It remains unclear why the authors behind Locky apparently went underground for a brief period of time. It is possible that the botnets being used to distribute the malware may have required some sort of upgrade or maintenance, causing a lull in activity, said French.
Stopping the spread of ransomware, especially attacks aimed at American businesses, has become a major initiative for the FBI. Director James Comey, for example, has asked the private sphere to “trust” the Bureau and to consistently report ransomware attacks when they see them rather than to pay the ransoms quietly.
Consistent with FBI policy, a spokesperson said regarding this week’s flood of Locky ransomware: “we can neither confirm nor deny whether a matter is under investigation.”