Security researchers have discovered the sudden return of Locky ransomware, which had been largely dormant in 2017. Two new major versions of Locky are being distributed via voluminous malspam campaigns. The first variant to emerge is a version called Diablo6, named after the .diablo6 file extension that it appends to encrypted files. A newer variant with similar behaviour has since appeared; this version appends the extension ".lukitus" to affected files. Many of the spam emails have subject lines consisting simply of a date and a random number, with a minimalist message body that states: "Files attached. Thanks". However, researchers from the security firm Fortinet found a more content-rich email sample with a subject line referencing a business document from a company, and a message claiming that the attachment is an invoice for purchased goods.
In addition, the Diablo6 spam sample has an attached zip file containing a VBS downloader script, which includes a URL from which the Locky ransomware executable is downloaded and subsequently executed. Fortinet also reported in its blog post that it found two unique hashes of Diablo6, which means that newly created samples are being pushed, possibly with different configurations, or simply as an attempt to evade specific file signatures. Diablo6's ransom note asks for 0.49 bitcoins, or roughly $1,600.
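The delivery chain above (zip attachment carrying a VBS downloader) and the two file extensions named in this bulletin lend themselves to two simple defensive checks: inspecting mail attachments for script or executable members before they reach a user, and scanning a host for files carrying the Diablo6 or Lukitus extension after a suspected infection. The Python below is an added example written for this bulletin; it is not CERT-MU's or Fortinet's code. The extension lists, the function names and the sample attachment and file list are all constructed for illustration (the script body in the sample is a placeholder, not a real downloader).

```python
import io
import zipfile
from pathlib import Path

# Hypothetical detector (added example, not CERT-MU's or Fortinet's code).
# Member extensions that should never arrive unsolicited inside a mail archive;
# .vbs is the one this bulletin names, the rest are common script/executable types.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".exe", ".scr", ".bat", ".cmd", ".ps1"}

# Extensions the two Locky variants in the bulletin append to encrypted files.
LOCKY_EXTENSIONS = {".diablo6", ".lukitus"}


def risky_members(zip_bytes: bytes) -> list[str]:
    """Return the names of members in a zip attachment whose extension is a script or executable."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Compare the last suffix only, lower-cased, so "Invoice.PDF.vbs" is still caught.
            if Path(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def locky_encrypted_files(paths) -> list[str]:
    """Return the paths whose extension matches a Locky Diablo6 or Lukitus marker."""
    return [str(p) for p in paths if Path(p).suffix.lower() in LOCKY_EXTENSIONS]


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}; used only to construct the sample attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachment: a harmless decoy document next to a VBS member.
SAMPLE_ATTACHMENT = build_sample_zip({
    "Invoice_2017.pdf": b"%PDF-1.4 placeholder document\n",
    "Invoice_2017.vbs": b"' placeholder script body, not a real downloader\r\n",
})

# Constructed file list as a host inventory might produce it (names are invented).
SAMPLE_HOST_FILES = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/3F2A9C1B.diablo6",
    "C:/Users/alice/Pictures/0D7E44AA.LUKITUS",
]

if __name__ == "__main__":
    print("attachment members to quarantine:", risky_members(SAMPLE_ATTACHMENT))
    print("files with Locky extensions:", locky_encrypted_files(SAMPLE_HOST_FILES))
```

In a mail gateway the `risky_members` check would run on every archive attachment and quarantine the message when the list is non-empty; on an endpoint the `locky_encrypted_files` scan over a directory walk gives a quick indicator that one of these two variants has already run, which is the point at which the affected machine should be isolated from network shares.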
Analysis has found that most of the Diablo6 spam has been distributed to countries such as the U.S., Austria, Great Britain, Denmark and India.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street