Specialists from two information security companies have independently discovered large-scale malicious campaigns distributing two different, entirely new samples of Locky, the ransomware once popular among cybercriminals.
According to researchers from AppRiver, on August 28 this year, within 24 hours, users in the US received 23 million malicious emails. This campaign is one of the largest in the second half of 2017. To deceive users, the attackers used subject lines such as "documents", "please print", "photos", "scans", "images" and "pictures" in the phishing emails.
The phishing emails contained a malicious ZIP archive with a VBS file inside. When the user opened it, the VBS file launched a downloader, which in turn fetched a new version of Locky called Lukitus. The malware encrypted all files on the infected computer, appending the extension .lukitus to them. A notification then appeared on screen with instructions for installing the Tor browser. After installing it, the victim had to visit the criminals' website to receive further instructions on paying the ransom for decrypting their files. The ransom was 0.5 bitcoin (about $2,300).
Currently there is no tool for recovering the files without paying the ransom.
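The delivery chain described above (bare lure subject, ZIP attachment carrying a VBS script) is easy to triage at the mail gateway before any script runs. The following is an added example, not code from the article or from either vendor: it parses a raw message, matches the reported subject lures, inspects ZIP attachments in memory for script members, and builds a constructed sample message to run against. The extension list beyond .vbs and the sample addresses are assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lures reported for the campaign in the article above
LURE_SUBJECTS = {"documents", "please print", "photos", "scans", "images", "pictures"}
# Assumption: extensions besides .vbs are added for breadth; the article only mentions VBS
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def zip_script_members(data):
    """Return names of script files inside a ZIP blob, without extracting anything to disk."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage_message(raw):
    """Return a list of findings for a raw RFC 822 message matching the lure pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    findings = []
    if subject in LURE_SUBJECTS:
        findings.append(f"lure subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check by name and by magic bytes, so a renamed archive is still inspected
        if name.lower().endswith(".zip") or payload[:2] == b"PK":
            scripts = zip_script_members(payload)
            if scripts:
                findings.append(f"script inside {name!r}: {scripts}")
    return findings


def build_sample():
    """Constructed test message: bare 'please print' subject and a ZIP holding a harmless .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0001.vbs", "' constructed placeholder, not malware\r\nWScript.Echo \"test\"\r\n")
    msg = EmailMessage()
    msg["Subject"] = "please print"
    msg["From"] = "sender@example.invalid"  # assumption: placeholder addresses
    msg["To"] = "user@example.invalid"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="scan_0001.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print("FLAG:", finding)
```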
Researchers from Comodo Labs discovered another large-scale campaign that took place in early August. Over three days, attackers sent 62 thousand spam emails distributing a new Locky version called IKARUSdilapidated. The emails were sent from 11,625 IP addresses in 133 countries, which clearly indicates the use of a botnet. The ransomware demanded from 0.5 to 1 bitcoin for restoring the files.