Comodo Threat Intelligence Labs discovered a new strain of ransomware that was used in email phishing campaigns at the beginning of August and is now being used in a further, ongoing campaign.
The ransomware, named “IKARUSdilapidated,” is part of the Locky ransomware family. On Aug. 9, 10, and 11, more than 62,000 users were targeted by a simple-looking email with no content in the message body and just an attachment. The attachment appeared to be an archive file with a name such as “E 2017-08-09 (580).vbs,” where 580 is a number that changes for each email and .vbs is an extension that varies as well, according to Comodo Threat Intelligence Labs.
“There is a new campaign now spreading the same Locky ransomware malware,” said Fatih Orhan, vice president of Comodo Threat Intelligence Labs, on Aug. 21. “Since the campaign uses phishing email as the first infection point, government agencies as well as other organizations requiring high security policies are among direct targets. If they use signature-based detection in their network security layers, their employees would receive this email. And it’s possible they get infected if the attachment is executed.”
The attachment’s file type varies, appearing as a .doc, .zip, .pdf, or image file. If the attachment is opened, it downloads “IKARUSdilapidated,” the new form of the ransomware. According to Comodo Threat Intelligence Labs, 11,625 different IP addresses in 133 different countries are being used to run this campaign.
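A structural triage check for the traits described above (empty message body, date-stamped attachment name, script extension), added here as an example and not part of the article or of Comodo’s own tooling; the regex, the indicator weights, the script extensions beyond .vbs and the sample messages are all assumptions made for this example:

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Attachment naming reported for the campaign, e.g. "E 2017-08-09 (580).vbs":
# "E ", a date, a per-message number in parentheses, and a varying extension.
ATTACHMENT_NAME_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d+\)\.(?P<ext>\w+)$")

# Extensions Windows Script Host runs on double-click. The article names only
# .vbs; the others are an assumption added here to broaden the check.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf"}

# Weight per indicator; a message is flagged at or above SUSPICIOUS_THRESHOLD.
W_EMPTY_BODY, W_NAME_PATTERN, W_SCRIPT_EXT = 1, 2, 2
SUSPICIOUS_THRESHOLD = 2

@dataclass
class Email:
    subject: str
    body: str
    attachments: List[str]

def triage(msg: Email) -> Tuple[int, List[str]]:
    """Score one message on the campaign's structural traits (no payload
    signature is used, so a never-before-seen attachment still scores)."""
    score, reasons = 0, []
    if not msg.body.strip() and msg.attachments:
        score += W_EMPTY_BODY
        reasons.append("empty body with attachment")
    for name in msg.attachments:
        if ATTACHMENT_NAME_RE.match(name):
            score += W_NAME_PATTERN
            reasons.append(f"campaign-style attachment name: {name}")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SCRIPT_EXTS:
            score += W_SCRIPT_EXT
            reasons.append(f"script attachment: {name}")
    return score, reasons

def is_suspicious(msg: Email) -> bool:
    return triage(msg)[0] >= SUSPICIOUS_THRESHOLD

# Constructed sample messages for this example, not real campaign data.
SAMPLES = [
    Email("", "", ["E 2017-08-09 (580).vbs"]),
    Email("Q3 report", "Please see attached.", ["Q3-report.pdf"]),
    Email("", "", ["E 2017-08-10 (1042).zip"]),
]
```

Because the check keys on message structure rather than on a file signature, it fires on the first sighting of a new attachment, which is the gap Orhan describes for signature-based detection.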
“When artificial intelligence couldn’t identify these unknown files, the full resources of the lab were needed to analyze and identify the code in the file and render a verdict; in this case the verdict was ‘bad’ and we’ve now added it to our blacklist and malware signature list,” Orhan said.
Bad actors use social engineering to get the user to click on the infected file. After encryption, a message appears on the user’s screen instructing them to download the Tor browser, which allows anonymous browsing, and then to visit a criminally operated website for further information. The website contains instructions demanding a ransom payment of between 0.5 and 1 bitcoin to decrypt their files. The value of bitcoin varies; it was worth about $4,000 as of Aug. 22.
Symantec, a company that specializes in cybersecurity and ransomware detection, consistently recommends that companies refrain from paying the ransom when they are hit by ransomware, because there is no guarantee that the attackers will hand over the decryption key, and the companies will need to rebuild their systems to protect their data anyway. Symantec recommends that companies and government organizations use security software, protect endpoints, and analyze the traffic going in and out of their networks in order to prevent ransomware from infecting their systems.