Locky Ransomware Makes a Comeback with New .Diablo6 and .Lukitus Variants
Old threats die hard it seems as Locky ransomware, one of the most powerful threats out there, is back in town. Historically, we’ve seen this ransomware do serious damage, as it has rapidly adapted its capabilities to keep victims and security researchers bewildered. Now, it’s evolved with two new forms to become even more stealthy and advanced.
First, let’s back up – where did Locky get its start? Locky was discovered in late 2015 and has been one of the most prevalent ransomware threats to date, contending with the likes of Cerber, Petya, Spora, and WannaCry. In 2016, Locky hit its stride – infecting millions of users worldwide primarily through malicious attachments in spam emails. To become more agile, the malware changed what extension is appended to encrypted files and utilized the .locky, .zepto, and .odin extensions across unique instances. Fast forward to 2017 and the stealthy ransomware is back on the scene—equipped with two variants that leverage either the .Diablo6 or .Lukitus extension for encrypting files.
What do these .Diablo6 and .Lukitus variants look like? Both variants are distributed via spam emails, though this particular campaign sends them in the form of PDF attachments with embedded .DOCM files. They’re also spread through the Necurs botnet, which Locky used in the past.
Beyond utilizing the Necurs botnet, both variants do carry some other callbacks to older versions Locky. All variants (old and new) contain a flag in the code that checks if the language of the Windows operating system is Russian and will not run and encrypt victims’ files if so. This is most likely because the majority of Locky attacks are originating from Russia, as exemplified in this map below.

Given both .Diablo6 and .Lukitus are demanding a ransom of .49 BTC (roughly $1,900.00) for the decryption key to unlock the infected files and those behind Locky have yet to be identified, the next question is – what can users do to stay secure?
Start with education. Since the latest two variants of Locky come in the form of spam email with zip or rar attachments, it’s important everyone is trained on how to deal with suspicious emails. Additionally, be sure to back up your data often in case you need to wipe your device clean after an attack. You can do this by utilizing a backup drive or by backing up to the cloud. This way, you can easily retrieve your important information without paying a ransom.
Stay up-to-date on Locky ransomware and others like it by following @McAfee and @McAfee_Business.
The post Locky Ransomware Makes a Comeback with New .Diablo6 and .Lukitus Variants appeared first on McAfee Blogs.
Read more: Locky Ransomware Makes a Comeback with New .Diablo6 and .Lukitus Variants
More antivirus and malware news?
- Vulnerable Services Emulator Released for Metasploit
- Microsoft Chief Says EU ‘Most Influential’ on Tech Rules
- Facebook owns up – admits network breached, blames "Java in the browser"
- Affected by a Data Breach? Here Are Security Steps You Should Take
- Hillary Clinton sent classified information via personal email
- WhatsApp Vulnerability Could Facilitate Remote Code Execution
- Betabot – An Example of Cheap Modern Malware Sophistication
- Chip card fight may lead to new security measures
- Oracle and Apple update Java – zapping browser Java would already have blocked 92.5% of the risk
- Here’s What Tor’s Data Looks Like as It Flows Around the World