Locky is a considerable security threat that is now widely spread.
The script above downloads and runs the ransomware.
From March 9th to March 14th, 163,746 of our users encountered a total of 208,000 emails carrying the Locky downloader.
In the graph below there is a noticeable drop during last weekend, but we expect the numbers to rise again. The graph also shows that a quarter of the affected users saw more than one phishing email.
The Y axis shows the number of users and the X axis the date in YYMMDD format.
New domains hosting Locky’s ransomware executable are created every day, and some of these domains are used by other ransomware as well. For example, subdomains of spannflow are used as payment sites for TeslaCrypt, which leads us to believe there is a close relationship between TeslaCrypt and Locky.
Ransomware attacks not only put data at risk, but can also cost victims a lot of money and stress. Locky’s ransom demand starts at 0.5 bitcoin, which is about $200. We expect that around 10% of people confronted with ransomware pay to get a decryption key.
An example of a Locky phishing email
Map showing which regions Locky is targeting.
We can only speculate that Japan, France and the USA are targeted the most because they are wealthy countries.