We have had an almost two-week break from Locky ransomware. This morning in the UK we suddenly see its return. It is almost as if they have timed the new version to spam out on Thanksgiving Day in the USA, when the AV companies and security teams are off on their long holiday weekend. The next in the never-ending series of downloaders from the Necurs botnet is an email with the subject "Scanned from (printer or scanner name)", pretending to come from copier@ your own email address or company domain.
However, while it is definitely ransomware, it doesn't look like Locky: the ransom note is very different. These emails all have blank bodies with just the subject and an attachment. Whether this is a new version of Locky ransomware or a new ransomware using the Locky / Necurs distribution networks is open to debate at the moment.
Looking at the online sandbox reports, these samples do not appear to change the file extension when they encrypt a file.
I am not certain that these are running properly and fully encrypting. The ransom note is overly complicated, with no obvious way for the victim to easily pay the ransom: they are asking the victim to email them with the personal identification key found in the txt file. This would mean any decryption keys have to be sent manually rather than automatically, as in previous cases.
The new ransom note is called IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT
They use email addresses and subjects that will entice, persuade, scare or shock a recipient into reading the email and opening the attachment.
The sender address is forged. Neither you, your email server nor any device on your network has been hacked or had its email or other servers compromised, and the same goes for anyone else whose address appears as the sender: they are not sending the emails to you and are innocent victims in exactly the same way as every recipient of these emails.
The subjects in this campaign vary but are all copier or scanner related:
- Scanned from Lexmark
- Scanned from HP
- Scanned from Canon
- Scanned from Epson
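As an added example (not part of the original post, and not anything from the campaign itself), the following Python script turns the indicators described above into a simple scoring filter for inbound mail: a "Scanned from ..." subject, a forged copier@ sender at the recipient's own domain, a blank body, and an attachment. The two sample messages are constructed for the example, and the `copier` local-part set and the threshold of four matching indicators are assumptions, not values from the post.

```python
"""Heuristic filter for the forged "Scanned from <printer>" lure described in the post.

Added example. Indicators come from the post (subject, copier@ own-domain sender,
blank body, attachment); samples, local-part set and threshold are constructed/assumed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict

# Matches "Scanned from ..." with optional Re:/Fwd: prefixes.
SUBJECT_LURE = re.compile(r"^\s*(?:(?:re|fwd?)\s*:\s*)*scanned from\b", re.IGNORECASE)
SPOOFED_LOCAL_PARTS = {"copier"}  # from the post; extend with what your own mail flow shows
SCORE_THRESHOLD = 4               # assumption: flag when 4 of the 5 indicators match


def _split_addr(header_value: str):
    """Return (local_part, domain), lower-cased, from a From:/To: header value."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def _body_is_blank(msg: EmailMessage) -> bool:
    """True when the message has no text body or the body is whitespace only."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def analyse(raw: str) -> Dict[str, object]:
    """Score one raw RFC 5322 message against the campaign's indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_local, from_domain = _split_addr(msg.get("From", ""))
    _, to_domain = _split_addr(msg.get("To", ""))
    indicators = {
        "subject_lure": bool(SUBJECT_LURE.match(msg.get("Subject", ""))),
        "spoofed_local_part": from_local in SPOOFED_LOCAL_PARTS,
        # Mail arriving from outside that claims the recipient's own domain is forged.
        "sender_claims_own_domain": bool(from_domain) and from_domain == to_domain,
        "blank_body": _body_is_blank(msg),
        "has_attachment": any(True for _ in msg.iter_attachments()),
    }
    score = sum(indicators.values())
    return {"subject": str(msg.get("Subject", "")), "indicators": indicators,
            "score": score, "flagged": score >= SCORE_THRESHOLD}


# Constructed sample 1: the lure as described (forged copier@ at the recipient's domain,
# empty body, one attachment; the attachment bytes are a placeholder, not a real sample).
LURE = """\
From: copier@example.com
To: alice@example.com
Subject: Scanned from Lexmark
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

--b1
Content-Type: application/zip; name="scan_0001.zip"
Content-Disposition: attachment; filename="scan_0001.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample 2: a scan from another organisation with a real covering note.
PARTNER_SCAN = """\
From: scans@partner.example
To: alice@example.com
Subject: Scanned from HP
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Alice, the signed order form you asked for is attached.
--b2
Content-Type: application/pdf; name="order_form.pdf"
Content-Disposition: attachment; filename="order_form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for raw in (LURE, PARTNER_SCAN):
        result = analyse(raw)
        print(f"{result['subject']!r}: score {result['score']}, flagged={result['flagged']}")
```

Run at the Internet-facing gateway, the own-domain check is the strongest of the five signals, because a message arriving from outside that names your own domain as its sender is forged by definition. Run on internal mail the same filter would also match the genuine multifunction printer this lure imitates, so the threshold is something to set per deployment rather than a fixed rule.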