Threatening news from the Locky camp: Lukitus virus joins the dangerous ransomware family

Lukitus is actively spreading via malicious spam emails

Researchers have noticed a new wave of spam spreading the Lukitus ransomware virus, a little brother of the infamous Locky. The new malicious program was detected only a week after another Locky update, Diablo6.

Lukitus barely differs from the original version of the malware. It also uses a combination of the RSA-2048 and AES-128 encryption algorithms and offers the Locky Decrypter for purchase as the only way to regain access to the files.[1]

This time the cyber criminals demand 0.49 Bitcoin for the right to use this mysterious decryption software. However, security experts agree that paying the ransom is never an option.[3] It is the surest way to waste your money on an illegal project.

The key characteristics of Lukitus virus

The most visible feature of the ransomware is the file extension it appends. Just as the name of the crypto-malware suggests, it appends the .lukitus suffix to every file of the 458 targeted types. Therefore, you should not expect any of your documents, pictures or favorite songs to have survived the attack.

Apart from locking files with a cipher that cannot be broken in practice, the malware also renames the files, which makes it impossible to tell which encrypted file was which. Lukitus follows a fixed scheme and builds the new file names from this slightly complicated formula:

[first 8 characters of ID]-[next 4 characters of ID]-[next 4 characters of ID]-[4 characters]-[12 characters].lukitus

Once encryption is complete, the malware replaces the affected computer’s wallpaper with the lukitus.bmp image. This picture briefly states that the data has been encrypted and directs the victim to the lukitus.htm file for further information.
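The renaming formula and the two dropped artefacts (lukitus.bmp and lukitus.htm) are concrete enough to turn into a host-side check. The script below is an added example written for this article, not code from the researchers it cites: it matches file names against the `[8]-[4]-[4]-[4]-[12].lukitus` scheme, pulls the 16-character ID prefix out of each renamed file, and flags the ransom note files. The article does not say which characters the ID is made of; uppercase hexadecimal is an assumption made here, and the sample listing is constructed, not real indicators.

```python
import re
from pathlib import Path
from typing import Iterable, Optional

# Renamed-file scheme from the article:
# [first 8 chars of ID]-[next 4 chars of ID]-[next 4 chars of ID]-[4 chars]-[12 chars].lukitus
# ASSUMPTION: the characters are uppercase hexadecimal; the article does not state the alphabet.
HEX = r"[0-9A-F]"
LUKITUS_NAME = re.compile(
    rf"^{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}\.lukitus$"
)

# Files dropped after encryption, as described in the article.
RANSOM_NOTE_NAMES = {"lukitus.bmp", "lukitus.htm"}


def classify_name(name: str) -> Optional[str]:
    """Return 'note' for a ransom note, 'renamed' for a Lukitus-renamed file, else None."""
    if name.lower() in RANSOM_NOTE_NAMES:
        return "note"
    if LUKITUS_NAME.match(name):
        return "renamed"
    return None


def victim_id_from_name(name: str) -> Optional[str]:
    """Recover the 16-character ID (the first three dash-separated groups) from a renamed file."""
    if not LUKITUS_NAME.match(name):
        return None
    parts = name.split("-")
    return parts[0] + parts[1] + parts[2]


def scan_names(names: Iterable[str]) -> dict:
    """Scan file names; return the renamed files, the notes found and the distinct IDs seen."""
    result = {"renamed": [], "notes": [], "ids": set()}
    for n in names:
        kind = classify_name(n)
        if kind == "renamed":
            result["renamed"].append(n)
            result["ids"].add(victim_id_from_name(n))
        elif kind == "note":
            result["notes"].append(n)
    return result


def scan_directory(root: str) -> dict:
    """Walk a directory tree and apply scan_names to every regular file in it."""
    return scan_names(p.name for p in Path(root).rglob("*") if p.is_file())


# Constructed sample listing for demonstration; these are not indicators from the article.
SAMPLE_LISTING = [
    "0123ABCD-4567-89EF-0A1B-0123456789AB.lukitus",
    "0123ABCD-4567-89EF-2C3D-FEDCBA987654.lukitus",
    "lukitus.bmp",
    "lukitus.htm",
    "budget.xlsx",
    "notes.txt.locky",  # an older Locky extension; this checker only covers .lukitus
]

if __name__ == "__main__":
    report = scan_names(SAMPLE_LISTING)
    print(f"{len(report['renamed'])} renamed file(s), IDs: {sorted(report['ids'])}")
    print(f"ransom notes present: {sorted(report['notes'])}")
```

On a real host, `scan_directory("/path/to/share")` gives the same report for a mounted volume; the set of IDs is useful because a single ID across many files confirms one infection rather than several, and the presence of lukitus.htm next to renamed files is a stronger signal than either alone.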

The ransom note contains detailed instructions on how to purchase Bitcoins and how to buy the decryption software. The developers of the infamous ransomware expect victims to pay about $2,000 for data recovery.

Unfortunately, there is no other way to restore files encrypted by Lukitus or any other variant of Locky. However, the criminals’ offer is itself shady and gives no guarantee that you will ever get a chance to decrypt your files.

Ransomware travels in ZIP and RAR files attached in spam emails

According to the latest data, more than a thousand different emails spread the Lukitus executable. The infected emails typically carry one of these subject lines:

  • <No Subject>
  • Emailing – <random characters>

These messages carry ZIP or RAR attachments that contain an obfuscated JS file. Once a person is tricked into opening this file, the malware is dropped and executed on the system.

Therefore, we want to remind you to stay away from unknown emails that ask you to check information attached in archives or other innocent-looking files. If you do not know the sender or are not expecting any documents, leave them alone, because they are most likely to infect you with malware.[2]
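The delivery pattern above (empty or "Emailing – <random>" subject, a ZIP or RAR attachment, a script file inside the archive) is exactly what a mail-gateway rule can look for. The following is an added example written for this article, not code from the researchers or any vendor: it checks the subject against the two patterns, opens ZIP attachments in memory and flags any member with a script extension, and holds RAR attachments for review because the Python standard library cannot open them. The article names only .js; the additional script extensions in the list are an assumption (other Windows Script Host types), and the sample message is constructed with an inert text member rather than anything malicious.

```python
import io
import os
import re
import zipfile
from typing import Dict, List

# Subject patterns from the article: an empty subject, or "Emailing – <random characters>".
EMPTY_SUBJECT = re.compile(r"^\s*$")
EMAILING_SUBJECT = re.compile(r"^Emailing\s*[-–]\s*\S+", re.IGNORECASE)

# Script types that have no business arriving inside an emailed archive.
# The article mentions .js only; the rest of this set is an ASSUMPTION (other WSH-executable types).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def suspicious_subject(subject: str) -> bool:
    """True if the subject matches one of the campaign's subject patterns."""
    return bool(EMPTY_SUBJECT.match(subject) or EMAILING_SUBJECT.match(subject))


def script_members_in_zip(data: bytes) -> List[str]:
    """Return ZIP members whose extension is a script type; non-ZIP data yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS]


def triage_message(subject: str, attachments: Dict[str, bytes]) -> dict:
    """Return a verdict ('quarantine', 'review' or 'deliver') plus the findings behind it.

    A script inside a ZIP is enough to quarantine on its own; a matching subject or an
    uninspectable RAR archive only sends the message for review.
    """
    findings = []
    quarantine = False
    if suspicious_subject(subject):
        findings.append(f"subject matches campaign pattern: {subject!r}")
    for fname, data in attachments.items():
        ext = os.path.splitext(fname)[1].lower()
        if ext == ".rar":
            # No RAR support in the standard library; a real gateway would use a RAR library here.
            findings.append(f"RAR attachment {fname!r}: not inspected, hold for review")
        elif ext == ".zip":
            scripts = script_members_in_zip(data)
            if scripts:
                findings.append(f"archive {fname!r} carries script file(s): {scripts}")
                quarantine = True
    if quarantine:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: a ZIP holding one inert text member (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "// constructed placeholder content\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message shaped like the campaign described above.
    sample = triage_message("Emailing – 8F3A1C", {"scan.zip": build_sample_zip("scan_8F3A1C.js")})
    print(sample["verdict"])
    for f in sample["findings"]:
        print(" -", f)
```

The split between "quarantine" and "review" matters in practice: an empty subject on its own is common in legitimate mail, so it should raise attention rather than block delivery, whereas a script file inside an emailed archive is almost never legitimate and can be blocked outright.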