Double trouble: This ransomware campaign could infect your PC with two types of file-locking malware

Victims around the world hit by criminals who can switch the malicious payload of emails between Locky and FakeGlobe on a whim.
Written by Danny Palmer, Senior Writer

Victims of the campaign could find their systems infected with two types of ransomware.


Being infected by one form of ransomware is bad enough, but those unfortunate to fall victim to a new cybercriminal campaign could find themselves having to pay to decrypt their files not once, but twice.

While a widespread email spam campaign with the intention of distributing ransomware isn't anything new, those behind a scheme detected during September have added a twist to this tried and tested technique: rotating the ransomware payload.

The two forms of ransomware distributed by this scheme are Locky - which has recently seen something of a resurgence - and FakeGlobe, which first appeared in June. Those behind the campaign have designed it so the payload can be swapped, meaning the spam email might deliver Locky one hour and FakeGlobe the next.

Uncovered by cyber security researchers at Trend Micro, the nature of the campaign means it's possible for victims infected by one form of ransomware to still be vulnerable to a further attack from the next one in the rotation.

While it isn't the first time the same malicious servers have been seen to serve different malware in rotation - attackers have previously paired the likes of Trojans with ransomware - doubling up on ransomware was previously uncommon. This new development is dangerous for victims who could give in and pay a ransom, only to find that they become infected again.

Hundreds of thousands of phishing emails disguised as bills and online invoices were distributed to potential victims around the world, encouraging the target to click on a link to view a bill.


That link contains a zip file which, once opened, runs a script to connect to a URL for downloading the ransomware payload - Locky or FakeGlobe.

Researchers believe that the payload changes every few hours, meaning that it's possible for one computer on a network to become infected with ransomware - and give in to the ransom demand - before someone else on the network falls victim to the other ransomware a few hours later.

"Since Locky and FakeGlobe are being pushed alternately, files can be re-encrypted with a different ransomware. Victims will have to pay twice or worse, lose their data permanently," said Trend Micro researchers.

While exact figures for the number of infections by this campaign aren't known, it's thought that using this distribution method to deliver ransomware in rotation has infected users in more than 70 countries, including Japan, China, the United States and Germany.

This latest development is a stark reminder that, while it's already a successful enterprise for criminals, ransomware is always evolving.

Since the campaign, Locky itself has evolved once again, with a researcher at Stormshield uncovering a new variant of the ransomware, Ykcol, which represents a reverse spelling of Locky. Previous new variants which have appeared in recent times include Diablo and Lukitus.
