{"id":22041,"date":"2017-08-17T12:16:56","date_gmt":"2017-08-17T18:16:56","guid":{"rendered":"https://www.webroot.com/blog/?p=22041"},"modified":"2019-03-25T17:02:51","modified_gmt":"2019-03-25T23:02:51","slug":"locky-ransomware-resurges-diablo-lukitus","status":"publish","type":"post","link":"https://www.webroot.com/blog/2017\/08\/17\/locky-ransomware-resurges-diablo-lukitus\/","title":{"rendered":"Locky ransomware rises from the crypt with new Lukitus and Diablo variants"},"content":{"rendered":"<p><strong>NOTE:<\/strong><em> This blog post discusses active research by Webroot into an emerging threat. This information should be considered preliminary and will be updated as more data comes in.<\/em><\/p>\n<p>New variants of Locky\u2014Diablo and Lukitus\u2014have surfaced from the ransomware family presumed by many to be dead. After rising to infamy as one of the first major forms of ransomware to achieve global success, Locky\u2019s presence eventually faded. However, it appears this notorious attack is back with distribution through the Necurs botnet, one of the largest botnets in use today.<\/p>\n<h2><strong>Webroot protects against Diablo and Lukitus<\/strong><\/h2>\n<p>We first detected Diablo on August 9, 2017, and Lukitus yesterday, August 16. 
Since then, we\u2019ve seen activity hitting Windows XP, Windows 7, and Windows 10 machines in the United States, United Kingdom, Italy, Sweden, China, Botswana, Russia, Netherlands, and Latvia.<\/p>\n<h2>How are these attacks deployed?<\/h2>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-22045 alignnone\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky1.png\" alt=\"\" width=\"709\" height=\"312\"><\/p>\n<p>As with previous versions, the initial attack vector is malspam: phishing emails carry a zipped attachment containing malicious JavaScript that downloads the Locky payload.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-22047 alignnone\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky2.png\" alt=\"\" width=\"877\" height=\"397\"><\/p>\n<p>Once the Locky payload is downloaded, it encrypts the user\u2019s files, appending the \u201c.diablo6\u201d and \u201c.Lukitus\u201d extensions, respectively.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-22049 alignnone\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky3.png\" alt=\"\" width=\"920\" height=\"309\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky3.png 1051w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky3-768x257.png 768w\" sizes=\"(max-width: 920px) 100vw, 920px\" \/><\/p>\n<p>It then changes the desktop background and drops the ransom notes \u201cdiablo6.htm\u201d and \u201clukitus.htm\u201d, which are identical.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-22051 alignnone\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky4.png\" alt=\"\" width=\"653\" height=\"357\"><\/p>\n<p>Following what\u2019s been standard for years, the Locky ransomware instructs the user to 
install the Tor Browser, then navigate to their unique .onion address to pay the ransom.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"wp-image-22053 alignnone\" src=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky5.png\" alt=\"\" width=\"779\" height=\"770\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky5.png 987w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2017\/08\/locky5-768x759.png 768w\" sizes=\"(max-width: 779px) 100vw, 779px\" \/><\/p>\n<p>There is currently no working decryption tool; the only way to obtain the decryption keys is to pay the ransom. Although Webroot will stop this specific variant of Ransomware as a Service in real time\u2014before any encryption takes place\u2014don\u2019t forget that the best protection in your anti-ransomware arsenal is a strong, secure backup. You can use a cloud service or offline external storage, but remember to keep it up to date for personal productivity and business continuity.<\/p>\n<p>For best practices for securing your environment against encrypting ransomware, see our <a href=\"https:\/\/community.webroot.com\/t5\/Announcements\/New-guide-to-avoiding-crypto-ransomware\/td-p\/248050\">community post<\/a>.<\/p>\n<h3>Initial list of MD5s analyzed by Webroot<\/h3>\n<p><strong>NOTE:<\/strong><em>&nbsp;This exhaustive list is current as of publication of this blog. 
We will continue to update internal lists but will not publish further additions until such time that we deem it necessary.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>NOTE: This blog post discusses active research by Webroot into an emerging threat. This information should be considered preliminary and will be updated as more data comes in. New variants of Locky\u2014Diablo and Lukitus\u2014have surfaced from the ransomware family presumed by many to be dead. 
After rising to infamy as one of the first major [&hellip;]<\/p>\n","protected":false},"author":21,"featured_media":22055,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[21283,3563,21285,4321,18645,21281,21117,4401,6329,6325,6327,9645,8205,13969,5423,3937,3947,9639,3525,3951],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/22041"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=22041"}],"version-history":[{"count":14,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/22041\/revisions"}],"predecessor-version":[{"id":27621,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/22041\/revisions\/27621"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/22055"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=22041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=22041"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=22041"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=22041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}