Locky And FakeGlobe Ransomware Duo Seeks Maximum Damage Spread Via Global Spam Campaign

TrendMicro has published a report that claims that a "sizable" spam campaign is underway and other than just having a bunch of unwanted email to contend with, the spam campaign is also pushing ransomware. The spam campaign is said to be distributing the latest variant of Locky, which is the ransomware that invaded LinkedIn back in November of last year via bogus leads. 


The security firm says that it has looked at samples of these recent spam campaigns and has found that criminals are using some sophisticated distribution methods to affect users in over 70 countries. Along with Locky, the spammers are also distributing another ransomware program called FakeGlobe and that the two programs are being rotated. 

In these spam campaigns, when the user clicks on a link from the spam email, Locky could be distributed one hour and then FakeGlobe might be sent to the same user the next hour. This means that a person is more likely to get reinfected thanks to the dueling banjos nature of the two separate ransomware programs.

spam camp

In these recent spam campaigns, most of the users who were affected are in Japan, China, and the US. TrendMicro reports that 46% of the spam was sent to over 70 other countries with distribution peaking on September 4, 2017 at 4pm. The spam emails that users are receiving have a link and an attachment; the attachment is a .7z (7-zip) rather than a .zip file. The emails are disguised as invoices or bills that are targeting the user. Clicking the link in the email downloads an archive that is similar to the attachment, but they connect to different URLs according to TrendMicro.

The FakeGlobe variant also downloads in a similar method and uses fake invoices to lure people to click attachments and links. The ransomware does have a support page to help the victims pay the ransom to unlock their files. TrendMicro also warns of other spam campaigns with one of them using a DOC attachment that tries to trick users into enabling Macros to distribute a malicious payload. This campaign is also rotating Locky and FakeGlobe.

Top image source: medithIT/flickr