Locky Ransomware Is Back Once Again

Locky remains one of the largest ransomware threats to date. Although security researchers thought Locky would be replaced by a new type of ransomware, that may not be the case after all. Spam volumes for this “oldschool” malicious software threat are showing signs of increased activity, although there is no large-scale campaign to speak of just yet. Instead, the distributors are testing the waters with two smaller Locky campaigns, for the time being.

Will Locky Make A Surprise Return?

Depending on how these two smaller ransomware distribution campaigns play out, it is highly likely the world will be faced with a new Locky threat very soon. It has been quite some time since this particular type of malware has been distributed on a large scale, During the last Locky campaign, this malicious software was mainly distributed through the Necurs botnet, which has been silent as of December 2016.

The two recent low-volume malware spam campaigns may hint at what is to come, though.  Although there are less than 1,000 email payloads sent out so far, this could be nothing more than just a minor test. If these campaigns prove to be somewhat successful, security experts predict a new large-scale Locky campaign to occur over the coming weeks. If that is the case, a 70-fold increase in email payload volumes is to be expected.

Unfortunately, it appears these two smaller campaigns revolve around a slightly updated version of the Locky ransomware. In one case, the malware is distributed through a zip file within a zip file. The other variant uses the .rar extension. This seems to hint at how this is a mere test to see if changing up the file extension will trick more users into downloading and extracting the data archive.




One tell-tale sign of how these email campaigns should be ignored is how they contain no email body, nor a subject line. All users receive is a blank email with an attachment, in which is another archived file is hidden. This second file extracts to a JavaScript file, which will download the Locky payload once it is executed on a computer.

However, researchers discovered this malicious JavaScript file does not only download the lucky ransomware payload. Instead, it also performs a GET request for the Kovter Trojan, which is often used in click-fraud schemes. This indicates that, even when a victim pays to get the Locky ransomware removed, they will still have to deal with the Kovter Trojan as well.

It is not the first time both Locky and Kovter are distributed through the same campaigns. Over the past few months, both variants of malicious software have been grouped quite often, and it remains this is a quite potent combination so far. Piggybacking on Locky ransomware distribution is a smart strategy by the Kovter developers. Then again, this “collusion” may hint at the close collaboration between the two teams.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.