FireEye warns 'massive' ransomware campaign hits US, Japan hospitals

Locky ransomware running rampant, mounted on personalised phish

The dangerous and as-yet-undefeated Locky ransomware is being hurled at hospitals across the United States and Japan in a 'massive' number of attacks, according to FireEye researcher Ronghwa Chong.

Locky is a popular ransomware variant that will encrypt files in a way that forces users to pay ransoms or cut their losses and purge data.

This month the already increasingly hammered health sector is copping a massive spray of phishing attacks bearing the Locky ransomware.

"Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware," Chong says.

"The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry.

"The volume of Locky ransomware downloaders is increasing and the tools and techniques being used in campaigns are constantly changing."

Chong says the surge appears to have swapped payloads, exchanging the Dridex trojan for Locky.

Malware shippers have shifted away from Java to DOCM-format attachments to bundle up Locky, FireEye figures show, with a huge burst on 11 and 9 August, and a smaller but still large round of phishing on Monday.

A massive spike in Locky phishing. Image: Supplied

Each email has a unique campaign code used to download Locky from a command and control server to victim machines, Chong says.

"These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations."

Last month Locky claimed top spot for email-based malware in Q2, overtaking Dridex.

Security firm Proofpoint warns 69 per cent of email attacks that used malicious document attachments featured Locky ransomware in Q2, versus 24 per cent in Q1.

That followed upgrades in Locky to allow it to use Pretty Good Privacy encryption to stop white hats peering into the communications traffic between victims and fleecers.

Locky is not only a tool of blackhats; security man Ivan Kwiatkowski used it to infect the computer of an Indian tech support scammer after they tried to fleece his parents. ®
