A new wave of Locky ransomware attacks has been discovered in what security researchers are describing as one of the largest ransomware-spreading spoofed email address campaigns this year.

Initially detected by Comodo Threat Intelligence Lab Aug. 9, the attack ramped up this week. Security firm AppRiver claimed to have seen 23 million emails sent as part of the campaign in one 24-hour period alone.

The first wave of attacks involved the use of a new Locky variant duped IKARUSdilapidated. It’s spread via a botnet of zombie computers that sends emails appearing to be from an organization’s scanner or printer or other legitimate source. In contrast to the first IKARUSdilapidated Locky campaign, which distributed malware with the “.diablo” extension and a Visual Basic Script (with a “.vbs” extension), a second wave included “interesting variations to fool users with social engineering and to fool security administrators and their machine learning algorithms and signature-based tools.”

“This follow-up ransomware phishing attack… showed us how dedicated they are at getting better at these types of attacks.” Fatih Orhan, head of the Comodo Threat Intelligence Lab and Comodo Threat Research Labs, said in an email sent to SiliconANGLE.  “Another more targeted variant coming just three days later confirms their capability to scale up and to plan and execute multiple targeted campaigns. When machine learning algorithms and artificial intelligence couldn’t identify these new unknown malware files, the default deny posture with containerization of unknown files was critical to protect customers.”

Locky, like other forms of ransomware, encrypts files and demands that victims pay a ransom to have their files decrypted. The ransom in the latest Locky attacks demands a payment of 0.5 bitcoin ($2,400) and provides instructions on how to acquire bitcoin to make the payment.

Noting that all that is old is new again, Webroot Inc. Senior Threat Research Analyst Tyler Moffitt told SiliconANGLE that although Locky was the No. 1 ransomware infection used by cybercriminals in 2016, the numbers had dropped off by the holiday season. Moffitt noted that Locky campaigns returned in April, but only in small numbers — until now. “August has seen a huge revamp with the necurs botnet and millions of spam emails have been sent to victims all around the world.”

Interestingly, Webroot has detected that in its monitoring of the spread of Locky, one form of the campaign employs old tactics. “The attack vector remains pretty much the same with phishing emails [posing as the] local post office that you’ve missed a package and have to download and view ‘tracking attachment,’” Moffitt said.

Photo: christiaancolen/Flickr