Locky Ransomware disguises as a document scanned with Konica Minolta C224e

Delaware, USA – October 09, 2017 – For more than two weeks, Locky has been distributed by the Necrus botnet through emails with the subject “Status of invoice” and attached 7z archive containing a malicious VBS script. Encrypted files are assigned the .ykcol extension; this may be a reference to the same named virus that is distributed with installation packages that are downloaded from the Internet. Recently, researchers from the Comodo company found that some of the malicious emails are disguised as documents scanned using the common model of the multifunctional device Konica Minolta C224e. Emails indicate the subject “Message from KM_C224e”. This variant of the virus also assigns the .ykcol extension to the encrypted files but requires a larger ransom payment for decryption (0.5 – 1 bitcoin). With such disguise, this Locky strain can bypass security solutions that use machine learning, and convince employees to run a malicious script. The script itself loads and launches a malicious download, so antiviruses may not react to it. The attack is directed against the Americas, Europe, Australia, India and Southeast Asia.

Adversaries continue to adapt their strategy and successfully bypass the traditional security solutions. You can leverage Ransomware Hunter use case for the most popular SIEM tools, to automatically detect and alert administrators about the threat.