Locky Ransomware Attacks Ramp Up

Share this…

***UPDATE*** In the past 24 hours we have seen over 23 million messages sent in this attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017.

Malicious email campaign

As many US workers were arriving to their offices, a massive malicious email campaign began attempting to reach their inboxes. A large spike in malware traffic began this morning just after 7 am CST. The emails were extremely vague in nature as you can see:


The emails utilized one of the following subject lines:

  • please print
  • documents
  • photo
  • images
  • scans
  • pictures

Each message comes with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file. Once clicked, VBS file initiates a downloader that reaches out to greatesthits[dot]mygoldmusic[dotcom] to pull down the latest Locky Ransomware. Locky goes to work encrypting all the files on the target system and appending [.]lukitus to the users now encrypted files.

Once all the victim’s files have been encrypted the attackers leave decryption instructions by changing the desktop background to an image with instructions as well as a HTM file on the desktop aptly named “Lukitus[dot]htm”.


The victim is instructed to install the TOR browser and is provided an .onion(aka Darkweb) site to process payment of .5 Bitcoins, which currently amounts to an eye popping $2,150. Once the ransom payment is made the attackers promise a re-direct to the decryption service. Here’s a look at that page:


This email campaign still is coming in large volumes, and AppRiver already has quarantined more than 5.6 million of these messages since this morning.

There currently are no publicly shared methods to reverse this Locky strain. Fortunately, we had this particular Ransomware attack blocked from the onset so all of our SecureTide and SecureSurf customers were protected from this campaign.