The Locky Ransomware returns, for the second time, infecting computers with an innovative yet effective phishing scheme.

Previously, a ransomware known as Locky had made chaos across the world in 2016, and devastated a great number of computers worldwide.

On August 2017, said ransomware made its way back into cyberspace using the Diablo6 variant, and targeted  computers in the United States, followed by Austria.

The ransomware variant comes in an email containing a Microsoft Word file as an attachment, which when opened, a VBS Downloader script is executed that then attempts to download the Locky Diablo6 payload from a remote file server.

The ransomware then encrypts the files using RSA-2048 key (AES CBC 256-bit encryption algorithm) on the infected computer before displaying a message that instructs victims to download and install Tor browser; and visit the attacker’s site for further instructions and payments.

Then, Locky has emerged again this September 2017 with a new scheme.

Spam emails have been the nesting grounds of cyber-attacks for years. Its function to store URLs within emails have summoned different kinds of attacks like phishing and cyber fraud. It is now the core dissemination utility of ransomwares such as Locky.

The new spam email attack campaign involves crypto-locking Locky ransomware.

The attack campaign began Monday, 04 September 2017, as reported by cloud-based cybersecurity provider  AppRiver. Approximately, the attack included more than 23 million related spam emails sent in less than 24 hours, and is being run by one of the world’s biggest botnets, Necurs.

The spam looks like a Dropbox-Themed email.


Each message comes with a zip attachment that contains a Visual Basic Script (VBS) file that is nested inside a  secondary zip file. Once clicked, the VBS file initiates a downloader that reaches out to greatesthits.mygoldmusic.com to pull down the latest Locky ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the users now-encrypted files.

If a system becomes infected with this strain of Locky, crypto-locked files will have the extension “.lukitus” added, which is a Finnish word for “locking” or “locked.”

It is not clear how many people have been fallen victimized by the new Locky or Shade campaigns or have paid the demanded ransom.

There currently are no publicly shared methods to reverse this Locky strain.

To defend against ransomware attacks, it is recommended to use anti-malware software with updated signatures. Also keep, current backups of all systems, and store those backups offline, because many types of crypto-locking can encrypt files not just on hard drives, but also reachable via the network or cloud services.

For average computer users, it is always advised not to click on unrecognized emails and links, as well as to avoid browsing from untrusted websites. Be wary of suspicious of uninvited documents sent over an email and never click on links inside those documents unless verifying the source.


Manny Cuevas

My name is Manny Cuevas a Security Researcher / Engineer for about 15 years that focuses on Web and Mobile applications and other platforms from the Island of Sulu, Philippines. I’m also a scientist, inventor and a top ranked hacker in the world that bypass all security systems.


Leave a Reply

Your email address will not be published. Required fields are marked *