New Locky Ransomware Attack Affecting Millions

There is a new Locky variant ransomware attack that is hitting at a steady rate of 2 million attacks an hour. Hackers are using 8,000 different versions of a widespread virus script, according to researchers from Barracuda Networks Inc. There were 20 million of these attacks within the first 24 hours after it was launched Tuesday morning. The magnitude of this attack is significant – growing rapidly and proving to be highly
destructive. The target: businesses or institutional
groups in the US and Canada.

How to Detect It:

The attacks are mainly coming through via email. Early on, emails from the campaign were a ‘Herbalife’ branded email or a generic email impersonating a ‘copier’ file delivery:

The latest variants include:

  • Email with ‘Emailing – <attachment name>.’ as the subject line. One example was:

  • Email with a paragraph about legalese to make it seem legitimate.
  • Email with “payment is attached” in the subject line to entice people to click on it.

How This Locky is Different:

While widespread email phishing campaigns that, when successful, distribute ransomware is nothing new, these attackers have added a twist by rotating the ransomware payload.  Barracuda’s post stated that “these attacks are being automatically generated using a template that randomizes parts of the files. The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead of anti-virus engines.”

The two forms of ransomware being distributed are Locky – which has recently resurged – and FakeGlobe, which first appeared in June of this year. Those behind the campaign have designed it so the payload can be swapped – the spam email might deliver Locky one hour then FakeGlobe the next. Typically, we see a form of ransomware paired with a virus such as Trojan. In this case, we are seeing ransomware paired with ransomware, leading to a bigger payday for those behind the scheme.

They also noted that the Locky variant has a single identifier. This means that even if victims pay the ransom, they will not receive a decryption key. Instead, once Locky is installed, it then installs FakeGlobe. In that case, victims could be forced to pay up for both infections.

Who is Perpetrating the Hack?

Due to the hacker’s motives, it’s unlikely that a nation-state is behind the hack. Instead, we suspect the perpetrators are a small, sophisticated group of criminals. The attacks are originating in Vietnam for the most part, but also in India, Colombia, Turkey, Greece, and a few other countries.

The Future of Global Hacks:

While the messages from these hackers are all in English, Barracuda noticed that the virus programs are checking victims’ computers for language files. They concluded that “this may lead to an internationalized version of this attack in the future.”


Please let your staff know about this new an ongoing ransomware attack and ensure they are being extra careful not to click on email links unless they are 110% certain the email is valid. If in doubt, call the sender to see if they actually left the message. Also, make sure everything is backed up properly.


We are following news of this threat and will provide updates as they are available.

See also:

How to Spot a Phishing Email

New Link-Bait Phishing Tactic