A new variant of the infamous Locky ransomware has been detected in the wild rapidly infecting computers in a massive new phishing campaign, according to newly published research.

Barracuda Networks Inc. made the initial discovery, saying in a blog post that it has seen roughly 20 million of attacks using the new Locky variant as of Tuesday and that the number continues to grow.

Making this attack exotic, the new Locky variant spawns to some extent: Once installed, in some cases it then installs a different form of malware known as FakeGlobe. According to Trend Micro Inc., FakeGlobe is a form of ransomware that encrypts different files to that of Locky, meaning that potentially victims could be forced to pay up for both infections.

The attack vector for the new Locky campaign has primarily consisted of emails coming out of Vietnam with the messages claiming to be from Herbalife Ltd. and that products needed to be delivered to the targeted victim. However, later variations on the phishing campaign included more simplistic messages such as “Emailing 10008009158” with the ransomware included as a file attachment.

“This kind of attack was inevitable,” Barry Shteiman, director of threat research and innovation at security firm Exabeam Inc., told SiliconANGLE. When criminal organizations see that some people pay the ransom, he said, they realize that if they run a bigger campaign, they can get more people to pay.

“The magnitude of this attack is significant, which in reality is based on the financial opportunity,” Shteiman added. “In order for analysts to detect ransomware early enough in the ransomware lifecycle to stop it, they need to understand the business models used by ransomware network operators, the kill chain of a ransomware attack and how to detect and disrupt ransomware in corporate environments. Armed with this information, analysts should be able to react faster in the event their organization is hit with a ransomware infection.”

Extrapolating on the seriousness of the new Locky ransomware campaign, CYBRIC Inc. Chief Technology Officer Mike Kail told SiliconANGLE that more needs to be done in terms of education. “We need to continue to build awareness around not blindly clicking on links and I hope that the major email providers can continue to assist in marking these suspicious messages. System and application maintenance and hygiene is always a best practice, but updates are often behind the latest attack signatures and thus not very useful.”

Photo: christiaancolen/Flickr