The hackers behind Locky ransomware launched a massive email campaign on Aug. 28, with over 23 million infected emails sent in a 24-hour period, researchers at AppRiver found.
While Locky at one point was thought to be nearly extinct, the virus has continued to pummel all sectors in 2017. It’s one of the most successful ransomware strains launched, as it continues to evolve to evade attempts to crack its code.
Healthcare has been one of Locky’s biggest targets, with hackers launching a massive attack on the industry in August 2016.
[Join Your Peers at HIMSS’ Healthcare Security Forum! Register Today]
This most recent campaign saw a spike in delivery just as employees were arriving to work on Monday morning. Researchers said the emails were sent with vague messages, such as ‘documents,’ ‘please print,’ and ‘scans,’ and designed to proliferate in the wild.
The emails are sent with a ZIP attachment, equipped with a Visual Basic Script file nested in a second ZIP file. Once opened, researchers said the VBS file starts the downloader to install the latest Locky ransomware.
[Also: It's not just WannaCry: Locky is targeting hospitals on outdated Windows platforms]
The latest version uses Diablo and Lukitus variants that communicate with a different command and control server than those used in past campaigns.
While the delivery method is not complex, it would only take a handful of users to open the malicious emails for hackers to reap a profit. Researchers said in this most recent campaign, the hackers are asking for up to 0.5 Bitcoins, or $2,300 to decrypt files.
The attacker also provides its victims with instructions for how to download and install the Tor browser that will allow the user to buy Bitcoin.
[Also: New ransomware strain targeting healthcare]
Both the FBI and the U.S. Department of Health and Human Services have repeatedly warned organizations not to pay the ransom, as there’s no guarantee the payment will release the files, and it only funds future attacks.
Further, according to CynergisTek CEO Mac McMillan, criminals on the dark web talk to each other. Once an organization pays to regain access, it’s marked on the dark web as a victim that will pay and added to existing lists.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com