Cybercriminals behind the Locky ransomware have revamped the malware’s code three times in a 30-day period and blasted out massive spam campaigns.
According to researchers at Trustwave, the latest variant of Locky ransomware is called Ykcol (that’s Locky spelled backwards) and was part of a Sept. 19 spam blast targeting 3 million inboxes within a three-hour period. Messages were sent from the notorious Necurs botnet.
That campaign dovetails with recent campaigns that pushed out Locky variants Lukitus and Diablo during the same 30-day period between Aug. 14 and Sept. 19. The Lukitus campaign started at the end of August and lasted more than a week, sending 15 million to 20 million emails.
“The behavior is the same, but the extensions used to encrypt the files and the malware binaries are constantly changing,” said Karl Sigler, threat intelligence manager for SpiderLabs at Trustwave. With Ykcol, encrypted files use the extension .ykcol. Sigler said Locky authors also “tweak” the malware’s binaries, only slightly changing code such as variable names or internal logic.