New rotating Locky ransomware campaign can infect networks twice

The prolific malware strain that has pummeled the healthcare sector since 2016 is now being paired with another variant, allowing hackers to double-up their payload.
By Jessica Davis
01:06 PM
Locky ransomware

Researchers have spotted a new ransomware campaign in the wild doubling-up its attack vector by infecting its victims first with Locky and again with the malware variant FakeGlobe, according to a recent Trend Micro report.

Locky is one of the most prolific and successful ransomware variants, as its hackers continue to modify the virus to avoid being cracked. And healthcare is one of its biggest targets. FakeGlobe was discovered early this year and traditionally launches low-profile attacks by email.

[Also: HHS CISO: 3 things hospitals should do right now to strengthen cybersecurity]

Hackers are combining these variants to maximize ransoms. TrendMicro researchers said designed this recent campaign to swap the payload. Meaning, if a user clicks on the malicious link it would deliver one of the ransomware variants and again with the other strain soon after.

The campaign makes it possible for hackers to infect victims with one form of ransomware and make the organization vulnerable to another attack in the campaign’s rotation.

[Also: Slow breach detection, patching, operational snags handcuff healthcare security]

While rotating malware campaigns aren’t new, attacks normally pair a ransomware attack with a Trojan, for example. Doubling ransomware is uncommon, according to researchers. And this new campaign is particularly dangerous for victims who pay the initial ransomware and soon become infected again.

Researchers said this latest campaign uses highly sophisticated distribution methods and have impacted users in over 70 countries -- 7 percent of the victims were in the U.S. Trend Micro officials said researchers blocked as many as 298,000 spam emails and distribution peaked at 10 AM on Sept. 4.

Further, hackers are launching attacks to coincide with work hours, which is the most effective method for spam campaigns.

Like many ransomware campaigns, the recent method uses emails that appear valid with a malicious .zip file attached. Both the Locky and FakeGlobe lure victims with fake invoices. FakeGlobe features a support page to help victims pay the ransom.

A similar campaign distributing these rotating ransomware strains was noticed on Aug. 30. The hackers first used Locky on its own, but soon added FakeGlobe.

Twitter: @JessieFDavis
Email the writer: