Security researchers were caught off guard by a sudden wave of attacks from the operators of Locky ransomware. The confusion arose because people assumed that a new, unrelated strain was appending the .ykcol extension to encrypted files. That assumption was incorrect: the familiar Locky had simply introduced a new variant. As you might have already heard, a variant called Lukitus was recently distributed in a massive spam campaign. The activity of this ransomware has increased in the last couple of months, and people should be extremely cautious.
Spam campaign distributes this version of Locky
The main distribution channel for Locky has always been malicious email. Although this ransomware has also been seen spreading via pop-ups, most victims are likely infected through email campaigns carrying either the payload itself or a downloader for it.
The campaign delivering this sample of Locky has been found to use attachments that are 7zip or 7z archives. These file types do turn up in ransomware distribution, but crooks more often choose Word or PDF documents as the carrier. This does not change the fact that the malicious 7zip or 7z archives conceal a VBS file. From the fraudulent message, users do not immediately receive the Locky payload itself; they get only a downloader, which then fetches the actual payload from C&C servers.
Like most versions of Locky, this one renames the selected files so they can no longer be recognized. To inform victims of the infection, ykcol.htm and ykcol.bmp are placed on the computer, presumably on the desktop. This version demands 0.25 BTC as the ransom.
Security researchers have discovered that the malicious emails carry the subject “Status of invoice” and are sent from senders such as Freida Loomis, Georgina Catrol, Kaitlin Fergusson, Dorothea Jacks and many more. The websites contacted by the downloader file have also been identified. As soon as one of these domains is contacted, the Locky payload is implanted into the operating system.
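The infection chain described above (a 7z/7zip attachment under the "Status of invoice" subject, a VBS downloader inside it, and .ykcol renames plus ykcol.htm/ykcol.bmp ransom notes on the host) lends itself to two simple triage checks. The following is an added example written for this page, not code from the original article or its source; the record layout (subject, attachment name, archive member names, host file events) is an assumed schema for a mail gateway and an endpoint file monitor, and the sample records are constructed.

```python
import ntpath

# Indicators named in the article; the extra script extensions are an assumption.
ARCHIVE_EXTS = {".7z", ".7zip"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".wsf"}
CAMPAIGN_SUBJECT = "status of invoice"
RANSOM_NOTES = {"ykcol.htm", "ykcol.bmp"}
ENCRYPTED_EXT = ".ykcol"


def _ext(name):
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def score_message(subject, attachments):
    """Score one inbound mail against the campaign's traits.

    attachments: list of (filename, [member names listed inside the archive]).
    Returns (score, reasons); each matching trait adds one point.
    """
    reasons = []
    if subject.strip().lower() == CAMPAIGN_SUBJECT:
        reasons.append("campaign subject line")
    for fname, members in attachments:
        if _ext(fname) in ARCHIVE_EXTS:
            reasons.append(f"archive attachment {fname}")
            scripts = [m for m in members if _ext(m) in SCRIPT_EXTS]
            if scripts:  # downloader script hidden in the archive
                reasons.append("script inside archive: " + ", ".join(scripts))
    return len(reasons), reasons


def host_indicators(file_events, rename_threshold=5):
    """Look for post-infection traces in (action, path) file events.

    Counts renames to .ykcol and creation of the ransom notes; a burst of
    renames or any ransom note marks the host as likely infected.
    """
    renames = sum(1 for a, p in file_events
                  if a == "rename" and p.lower().endswith(ENCRYPTED_EXT))
    notes = sum(1 for a, p in file_events
                if a == "create" and ntpath.basename(p).lower() in RANSOM_NOTES)
    return {"ykcol_renames": renames, "ransom_notes": notes,
            "likely_locky": renames >= rename_threshold or notes > 0}


if __name__ == "__main__":  # constructed sample input
    print(score_message("Status of invoice", [("invoice_2017.7z", ["invoice.vbs"])]))
    print(host_indicators([("rename", r"C:\Users\alice\Documents\A1B2C3.ykcol")] * 5
                          + [("create", r"C:\Users\alice\Desktop\ykcol.htm")]))
```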
Therefore, do not mistake this Locky version, which adds the .ykcol extension, for a new and unrelated variant. Locky is one of the most persistent malware families and refuses to stop bothering users. The hackers hid a joke in the new variant: .ykcol is Locky spelled backwards. Well, that is one way to mock security researchers and confuse them. Lastly, this Locky version uses the Necurs botnet for its distribution, just like most related viruses.
Source: malware-traffic-analysis.com.