The malware that won't die: Is Locky reclaiming its title as king of ransomware?

Once by far the most common form of ransomware, Locky ransomware is now on the rise again.
Written by Danny Palmer, Senior Writer

Ransomware is one of the top cyber threats to organisations.


Not so long ago it was thought to be dead, but now Locky ransomware is back as one of the most commonly distributed forms of malware.

Locky attacks have been on the rise since August, but Check Point Software's monthly global malware index has highlighted just how common it has become. During September, Locky was the second most commonly attempted form of malware attack across the globe.

It represents a sudden revival: in August, Locky was far down the list of malware attacks, ranking at 27 in the index. It is also the first time this form of ransomware has been in the top ten most common attacks since November last year.

Shortly after that Locky suddenly dropped off significantly, but it has never truly disappeared, with small bursts of activity in the first half of 2017 before resuming major email spam distribution campaigns towards the end of the summer.

Locky has been continually evolving since then, with new variants appearing at regular intervals.

According to Check Point, the number one form of malicious software distributed in September was RoughTed, a malvertising operation used to spread scams, adware, exploit kits and ransomware.


Meanwhile, it's another form of ransomware which slips in behind Locky as the third most common form of malware. GlobeImposter is a copy of Globe ransomware which is distributed by spam campaigns, malvertising and exploit kits.

Locky and GlobeImposter are just two forms of ransomware, but their ranking in the report - based on detections blocked by security software - indicates that ransomware is a dangerous threat.

"If any organizations were still in doubt about the seriousness of the ransomware threat, these statistics should make them think twice," added Maya Horowitz, threat intelligence group manager at Check Point.

"All it takes is for a single employee to be taken in by a social engineering trick, and organizations can be placed in a hugely compromising position".

Indeed, while Check Point ranks Locky as the most common form of ransomware attacking organisations in September, it's still Cerber which remains the most prolific form of ransomware for the quarter.

Cerber usurped Locky's position as king of ransomware earlier this year and it's remained top dog ever since. Indeed, Malwarebytes' latest cybercrime and techniques report lists Cerber as the most distributed ransomware threat of the quarter, accounting for 12 percent of all payloads during the quarter.

However, Locky isn't far behind, accounting for 10 percent of payloads during the period. If the revival of Locky continues at its current pace, it might not be long before we see it back at the top of the ransomware pile - almost two years on from when it first started causing problems.

With no Locky decryption tool available, organisations will need to ensure they do all they can to stop getting infected in the first place - instead of paying a big ransom to criminals.

