Locky is a considerable security threat that is now widely spread.
The script above downloads and runs the cryptolocker.
From March 9th to March 14th, 163,746 of our users encountered a total of 208,000 emails with the Locky downloader.
In the graph below there is a noticeable drop during last weekend, but we expect this to increase again. From the graph we can also see a quarter of people saw more than one phishing email.
The Y axis shows the number of users and the X axis the date in YYMMDD format.
New domains hosting Locky’s executable ransomware are created every day, and some of the domains are used by other ransomware as well. For example, the subdomains of spannflow are used as payment sites for TeslaCrypt, which makes us believe there is a close relationship between TeslaCrypt and Locky.
Ransomware attacks not only put data at risk, but can also cost victims a lot of money and stress. Locky’s ransom demand starts at 0,5 bitcoin, which is about $200. We expect that around 10% of people confronted with ransomware pay to get a decryption key.
An example of a Locky phishing email
Map showing which regions Locky is targeting.
We can only speculate that Japan, France and the USA are being targeted the most, because they are wealthy countries.