Multiple Spam Waves Detected Pushing New Locky Ransomware Version

LASER_oneXM

Reports are coming in from multiple security researchers and security firms about increased activity from one of the groups spreading the Locky ransomware.

These spam waves have started on September 18 and are pushing the new Locky ransomware variant that encrypts files with the .ykcol extension, which was also released on the same day.

Six big spam waves detected
Six big spam waves pushing the Locky ykcol version were seen in the past few days. Locky versions distributed by these spam waves have embedded the #3 affiliate ID, belonging to the same group that was also busy pushing Locky spam at the start of the month.

These Locky spam waves have been seen by Fortinet (authors of the graph breakdown below), Barkly, Barracuda, Brad Duncan, and My Online Security [1, 2, 3].

The spam waves had an immediate impact on submissions from infected users on ID-Ransomware, a service that lets users identify the type of ransomware that infected their PC.

The graph below, provided by security researcher MalwareHunter, shows a spike in Locky detections on September 18, when the new Locky ykcol version was first detected, and the spam waves from affiliate group #3 began.

[Image: Locky-ransomware-spam-wave.png, ID-Ransomware submission graph showing the September 18 spike in Locky detections]

Bleeping Computer understands that at the time of writing, the increased spam activity from Locky affiliate ID #3 is still ongoing. There is no known method of breaking Locky encryption, so users are advised to be careful when downloading and running attachments, or clicking on links in emails from unknown senders.