Comodo Threat Intelligence has identified a second wave of IKARUSdilapidated Locky ransomware attacks. This is the second time this month that Comodo has detected attacks by this Locky ransomware variant. The details of the attacks have now been made public.
IKARUSdilapidated using fake scanned files
This second wave of attacks are being launched by a botnet of zombie computers. There are two separate attacks separated by a period of three days.
The first attacks uses phishing emails. These typically come from friends or work colleagues. This latest attack adds a new vector to phishing attacks. It sends the victim an email purporting to be a scanned image from a company scanner/printer. The attached file is in a compressed RAR file claiming to contain a PDF document. Instead it contains a malware attack that encrypts all the files on the local machine. This set of attacks lasted for just 17 hours and started on the 18th August.
Researchers discovered that almost 30% of the IP addresses used in the scanned image attack were used in the earlier attack. This occurred between 9th-11th August and used computers based in Vietnam, Turkey, India and Mexico. Interestingly, the researchers go as far as naming some of the ISPs that were co-opted in the attack. They claim that despite the sophistication of the attacks the ISPs had inadequate cyber-defenses saying: “Considering some of the computers taken over in early August were Internet Service Providers (ISPs), it is a bit surprising that the vulnerabilities were not addressed in the week+ since the first attack and botnet takeover.”
Security vendors rarely use this level of language against ISPs. It suggests that there is more to the research than has been made public.
A second attack targets French speakers
Three days after the scanned image attack, another set of attacks was targeted at French speakers. It purported to be from the French Post Office with a subject line of Facture. These attacks started on 21st August and lastest for 15 hours. The attacks also came from a laposte.net email address which is the domain used by a French post office company. It gives the attacks an air of authenticity.
As with the attacks three days earlier, the attack contains a compressed attachment.
In this case just 17% of the attacks came from the same set of IP addresses that were used in the attack earlier in August.
Both of these attacks use different file extensions to the previous wave of attacks. The encrypted documents have an extension of “.lukitus.” The scanned document contains a .vbs file and the second a .js file.
A wide spread of launch points
The attacks were sent from machines around the world. The heat maps showing where the zombie computers are located show three distinct zones. The first is a line from the UK through Turkey and on to Indonesia. The second zone is concentrated around central and southern Africa. The last zone is mainly the south west United States and down through South America.
This is a very diverse set of launch points. Of particular interest is the extremely small number of IP addresses in Russia and China. This is unusual and potentially worthy of further investigation. A number of the attacks come from countries that are regularly listed as sources of spam and botnets. Any emails from these countries should be filtered out by security software but it appears that is not the case here.
The appendices also list all the sites and domains from which the zombie computers come. This also creates some interest. The overlap with the earlier attacks at the beginning of August by this ransomware is also surprising. It shows that the process of cleaning up infected computers takes time. It is not just enterprises and individuals who are slow to clean computers. The Comodo researchers have chosen to name and shame ISPs who have also failed to clean up and protect machines.
What does this mean?
It is unusual to see two separate waves of an attack in a single month. It is even more unusual to see each wave broken into two separate attacks separated by a few days. The authors of IKARUSdilapidated clearly have a reason for this but it is not yet evident what that is.
The two separate sets of attacks also share some interesting overlap in terms of the botnets used. However, that overlap doesn’t seem to include countries that would be seen as trusted.
These attacks also show a fast rate of evolution. Multiple attack vectors, changing file extensions and a focus on specific groups shows a lot of planning. What is not clear from this research is how effective these attacks have been. We don’t have numbers yet on how many people were infected, how many paid and how many subsequently received unlock keys.
IT organisations need to tighten up their email security to address these attacks using the data provided by Comodo.