NOTE: This blog post discusses active research by Webroot into an emerging threat. This information should be considered preliminary and will be updated as more data comes in.
New variants of Locky—Diablo and Lukitus—have surfaced from the ransomware family presumed by many to be dead. After rising to infamy as one of the first major forms of ransomware to achieve global success, Locky’s presence eventually faded. However, it appears this notorious attack is back with distribution through the Necurs botnet, one of the largest botnets in use today.
Webroot protects against Diablo and Lukitus
We first detected Diablo on August 9, 2017, and Lukitus yesterday, August 16. Since then, we’ve seen activity hitting Windows XP, Windows 7, and Windows 10 machines in the United States, United Kingdom, Italy, Sweden, China, Botswana, Russia, Netherlands, and Latvia.
How are these attacks deployed?
Once the Locky payload is downloaded and run, it encrypts the user’s files and renames them with the “.diablo6” or “.Lukitus” extension, respectively.
It then changes the desktop background and drops the ransom notes “diablo6.htm” and “lukitus.htm”, which are identical.
Following what has been standard practice for years, the ransom note instructs the user to install the Tor Browser and then navigate to a unique .onion address to pay the ransom.
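As an added example (not Webroot's tooling and not code from the original post), the following Python script hunts a directory tree for the on-disk indicators named above: files renamed with the .diablo6 or .lukitus extension, and the ransom notes diablo6.htm and lukitus.htm. It also hashes files against a set of MD5s the reader supplies, since the hash list itself is not reproduced on this page; the sample directory it builds and the stand-in hash it matches are constructed for the demonstration and are not real Locky artifacts. It is a triage aid for confirming which hosts and shares were touched, not a substitute for the endpoint protection the post describes.

```python
"""Triage helper for the Locky 'Diablo' and 'Lukitus' variants.

Added example. Looks for the artifacts the post names on disk:
  - encrypted files renamed with the .diablo6 / .lukitus extension
  - ransom notes diablo6.htm / lukitus.htm
and optionally matches file MD5s against a reader-supplied list.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

# Indicators from the post. Matched case-insensitively, because the post
# writes the extension both as ".diablo6" and ".Lukitus".
ENCRYPTED_EXTENSIONS = {".diablo6", ".lukitus"}
RANSOM_NOTES = {"diablo6.htm", "lukitus.htm"}


def classify(path: Path) -> Optional[str]:
    """Return 'note', 'encrypted' or None for a single path (name-based only)."""
    name = path.name.lower()
    if name in RANSOM_NOTES:
        return "note"
    # suffix is the last extension, so "report.docx.diablo6" -> ".diablo6"
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def find_indicators(paths: Iterable) -> Dict[str, List[Path]]:
    """Group the given paths by indicator type."""
    hits: Dict[str, List[Path]] = {"encrypted": [], "note": []}
    for p in paths:
        p = Path(p)
        kind = classify(p)
        if kind:
            hits[kind].append(p)
    return hits


def scan_tree(root) -> Dict[str, List[Path]]:
    """Walk root recursively (e.g. a mounted image or share) and collect indicators."""
    root = Path(root)
    return find_indicators(p for p in root.rglob("*") if p.is_file())


def md5_of(path) -> str:
    """Stream a file through MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_known_hashes(paths: Iterable, known_md5s: Set[str]) -> List[Path]:
    """Return the paths whose MD5 is in known_md5s (hashes supplied by the reader)."""
    known = {h.lower() for h in known_md5s}
    return [Path(p) for p in paths if md5_of(p) in known]


def build_sample_tree(root: Path) -> None:
    """Write a constructed sample of a hit host. Not real Locky output."""
    (root / "docs").mkdir()
    (root / "pics").mkdir()
    (root / "docs" / "report.docx.diablo6").write_bytes(b"\x00" * 64)
    (root / "docs" / "diablo6.htm").write_text("<html>constructed ransom note</html>")
    (root / "pics" / "holiday.jpg.Lukitus").write_bytes(b"\x00" * 64)
    (root / "pics" / "lukitus.htm").write_text("<html>constructed ransom note</html>")
    # Clean file; its MD5 (of "hello") is used below as a stand-in "known" hash.
    (root / "notes.txt").write_text("hello")


def demo() -> Dict[str, List[str]]:
    """Run the scanner over the constructed sample and return a name-only summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        hits = scan_tree(root)
        # Stand-in hash (MD5 of "hello"); replace with the hashes from Webroot's list.
        stand_in = {"5D41402ABC4B2A76B9719D911017C592"}
        hashed = match_known_hashes((p for p in root.rglob("*") if p.is_file()), stand_in)
        return {
            "encrypted": sorted(p.name for p in hits["encrypted"]),
            "notes": sorted(p.name for p in hits["note"]),
            "hash_matches": sorted(p.name for p in hashed),
        }


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Point `scan_tree()` at a mounted image or the root of a file share to see which directories were reached. The indicator match is by filename only, so a note that has been renamed or cleaned up will be missed; the hash check covers the dropped payload itself once you have the MD5s, and the two together give a quick scoping pass before full forensic collection.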
There is currently no decryption tool that works against these variants; the only way to obtain the decryption keys is to pay the ransom. Although Webroot stops this specific Ransomware-as-a-Service variant in real time, before any encryption takes place, the best protection in your anti-ransomware arsenal is still a strong, secure backup. A cloud service or offline external storage will do, but keep it up to date so that personal productivity and business continuity survive an infection.
For best practices for securing your environment against encrypting ransomware, see our community post.
Initial list of MD5s analyzed by Webroot
NOTE: This list is exhaustive as of publication of this post. We will continue to update our internal lists but will not publish further additions unless we deem it necessary.