Locky Virus Continues Relying On Spam Campaign

Locky Virus Reemerges with a New Variant, Ykcol Ransomware

It is impossible to miss the news about Locky Ransomware because it keeps being resurrected from the dead again and again. While this infection stayed dormant for a big portion of this year, several different variants were unleashed. They are named after the extensions that they append to the files they encrypt. Last year, we were dealing with .locky, .zepto, .odin, .shit, .thor, .aesir, .zzzzz, and .osiris variants. This year, we have seen .loptr, .diablo6, and .lukitus. The latest to join the family is the Ykcol Ransomware, and, naturally, this name comes from the “.ykcol” extension that is appended to the encrypted files. Unfortunately, this malware also renames files. The name of the file is always changed to a combination of 40 characters, and all files on the same system are given the same combination. This makes it very hard for the victim to assess the damage, and even if some of the files are backed up, it might be impossible to check which ones have backups. Unfortunately, files encrypted by any of the Locky variants cannot be decrypted, and the victims are likely to end up losing the encrypted files altogether.

Just like all other variants, Ykcol Ransomware is spread using mass spam email attacks. According to the researchers at Fortinet.com, there have been at least six different waves spreading the Ykcol variant. One of the waves has been seen imitating automated emails from a printer, which, of course, is targeted at companies and businesses rather than regular users. This trick has been employed before, and it was found that another ransomware – Jeff Ransomware – was spread using a spam email with the same email subject line, “Message from km_c224e.” As Ian Murphy at enterprisetimes.co.uk has found, this spam email tries to imitate a subject line that could be sent from the Konica Minolta C224e printer. Other subject lines used by the malicious spam emails include: “HERBALIFE Order Number,” “Emailing,” “Your Payment,” “News voice message in mailbox from,” – all of which are followed by combinations of 4-11 symbols that allegedly represent invoice/payment numbers – and “Status of invoice.” The malicious attachments always have “.7z” and “.rar” extensions. Needless to say, it is a good idea to be extremely cautious about emails with these or similar subject lines and with 7z and RAR attachments.

The different waves of spam emails spreading Ykcol Ransomware use unique hosts, each appended with a single Uniform Resource Identifier. It was also recently found that the malicious payload can be swapped every few hours to spread a different threat, FakeGlobe, which is an imposter of the well-known Globe Ransomware. That means that the same malicious spam email can be used for the distribution of two different file-encrypting infections. Both of them encrypt files and demand huge ransom fees. The research of Ykcol Ransomware has revealed that the ransom demands are made via two files called “ykcol-[random symbols].htm” and “ykcol.bmp”. The latter is an image file that takes over the Desktop background. Both files present the victim with a link to a page that reveals the ransom fee. When the infection was first discovered, it demanded a ransom of 0.25 BTC, which is around 1040 USD. Since then, the ransom fee has risen to 0.5 BTC (~2080 USD), but there have been reports suggesting that the fee might have risen even more. Right now, these demands are most likely to be shown to users living in the United States, Germany, Japan, and Canada. At this point, there is no way of breaking the encryption and freeing the files. Paying the ransom does not guarantee anything either, which is why victims are advised against following the instructions presented to them.
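The indicators described above (the reported subject lines, the 7z/RAR attachments, the 40-character “.ykcol” file names and the two ransom-note files) can be turned into simple triage logic. The following is an added example, not code from the article or from any of the researchers it cites; the message records and file names are constructed samples, and the exact shape of the 40-character name is an assumption since the article only gives its length.

```python
import re
from typing import Dict, List

# Subject lines reported for the Ykcol spam waves. The article spells the
# voicemail lure "News voice message ..."; the pattern accepts "New" as well.
# Several subjects carry a trailing 4-11 symbol "invoice number"; matching on
# the prefix handles that without hard-coding the random suffix.
SUBJECT_PATTERNS = [
    re.compile(r"^Message from km_c224e", re.IGNORECASE),   # Konica Minolta C224e lure
    re.compile(r"^HERBALIFE Order Number\b", re.IGNORECASE),
    re.compile(r"^Emailing\b", re.IGNORECASE),
    re.compile(r"^Your Payment\b", re.IGNORECASE),
    re.compile(r"^News? voice message in mailbox from\b", re.IGNORECASE),
    re.compile(r"^Status of invoice\b", re.IGNORECASE),
]
ARCHIVE_EXTENSIONS = (".7z", ".rar")
# Encrypted files: a 40-character name plus ".ykcol" (character set assumed).
YKCOL_FILE = re.compile(r"^[^/\\]{40}\.ykcol$", re.IGNORECASE)
# Ransom notes: "ykcol-[random symbols].htm" and "ykcol.bmp".
RANSOM_NOTE = re.compile(r"^ykcol(-[A-Za-z0-9]+)?\.(htm|bmp)$", re.IGNORECASE)


def email_indicators(subject: str, attachments: List[str]) -> List[str]:
    """Return the campaign indicators present in one message (empty = none)."""
    hits = []
    if any(p.match(subject.strip()) for p in SUBJECT_PATTERNS):
        hits.append("subject matches a reported Ykcol spam wave")
    archives = [a for a in attachments if a.lower().endswith(ARCHIVE_EXTENSIONS)]
    if archives:
        hits.append("archive attachment: " + ", ".join(archives))
    return hits


def classify_file(name: str) -> str:
    """Label a file name as 'encrypted', 'ransom-note' or 'ok' by naming pattern."""
    if YKCOL_FILE.match(name):
        return "encrypted"
    if RANSOM_NOTE.match(name):
        return "ransom-note"
    return "ok"


def triage(messages: List[Dict], filenames: List[str]) -> Dict:
    """Flag messages showing both indicators and count encrypted files/notes on a host."""
    flagged = [m["id"] for m in messages
               if len(email_indicators(m["subject"], m["attachments"])) == 2]
    labels = [classify_file(f) for f in filenames]
    return {"flagged": flagged,
            "encrypted": labels.count("encrypted"),
            "ransom_notes": labels.count("ransom-note")}


# Constructed sample data (not real captures) to exercise the checks.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Message from km_c224e", "attachments": ["scan_0001.7z"]},
    {"id": "m2", "subject": "Your Payment 4F8Z21", "attachments": ["invoice.rar"]},
    {"id": "m3", "subject": "Lunch on Friday?", "attachments": ["menu.pdf"]},
    {"id": "m4", "subject": "Status of invoice", "attachments": []},
]
SAMPLE_FILES = ["report.docx", "A" * 40 + ".ykcol", "ykcol-Q7M2.htm", "ykcol.bmp"]

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGES, SAMPLE_FILES))
```

A message with the lure subject but no archive attachment (m4) is not flagged on its own, which keeps the rule from tripping on legitimate printer or invoice notifications.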

Ykcol Ransomware is a serious threat, and there is not much that can be done once it slithers in and encrypts files. Even if the ransom is paid, there are absolutely no guarantees that a decryptor or a private key would become available. So, while there is little that can be done once the infection is executed, a good defense is what matters most. Keeping files protected is crucial, and that can be taken care of with two simple steps. First of all, the files must be backed up. Relying on a system restore point is not recommended because many ransomware infections can delete shadow volume copies. It is best to use external backup systems, either cloud storage or removable drives. Without a doubt, victims of file encryptors should not connect their backups while the malware is still active. The second step involves employing up-to-date security software. Exercising caution is crucial as well, because if targeted users continue opening malicious spam emails and their attachments, dangerous file-encrypting ransomware will continue to thrive.