Lukitus, the latest Locky variant, is being pushed via massive malspam campaign

Lukitus, the latest Locky variant, is being pushed via massive malspam campaign snapshot

The distribution of Lukitus virus accelerates: criminals sent over 23 million malicious emails in less than 24 hours

Lukitus virus is known to be the most recent creation by Locky ransomware gang. The cyber criminals switched to this new extension shortly after releasing the Diablo6 ransomware that we described previously.

It seems that Lukitus developers are ready to invest much more time to spread this new ransomware version. On August 31st, malware analysts spotted a huge malspam campaign distributing the virus. According to experts, the criminal actors managed to send out over 23 million emails containing a virus in less than 24 hours.

Malicious spam emails deliver ZIP attachments with a Lukitus downloader script

Researchers from share their insights on themes used by Locky developers. The virus typically distributes emails containing a simply entitled ZIP attachment such as or

The message body might contain no text or a short phrase encouraging to view the attached file – “Download it here.” The criminals might add “Please print, “scans,” “images” or a similar word to the email subject.

However, downloading and extracting the attached ZIP archive will save a Visual Basic Script file on victim’s system. This file can be referred to as a malware downloader script. Unsuspecting victim is likely to launch this file as it came as a part of the email attachment.

This is a strict no if your want to prevent Lukitus ransomware attack. Once launched, the VBS file will connect to a malicious website, download and run ransomware on the computer.

Criminals use various themes for malware-laden emails

Locky authors are using several different themes to spread the malicious virus. We provided short summaries on how to identify malicious emails to prevent ransomware attack.

DropBox themed malspam

Typical Dropbox-themed emails contain a short message asking to “verify your email.” Clicking on the provided link takes the victim to a website that was previously compromised by hackers and now contains a malicious dropbox.html file in the home directory.

Clicking on a link can download a zipped Lukitus version and infect the system using the same manner as described earlier.

Malspam sending fake links to download faxes and voice messages

Criminals are also spreading the ransomware via emails with “FreeFax From:[random digits]” in the subject line. The message body contains a download link that leads to a compromised website with containing the fax.html file. Such links will download Fax_Message_[random digits].js file to user’s computer. To download and run Lukitus virus, the victim simply needs to open this JavaScript file.

Criminals are also sending “Voice Message from [digits]” emails with a link leading to the same URLs ending with fax.html.

Malspam pushing fake Microsoft Store E-invoices

Criminals also address Windows users with fake messages urging to download and open “official Microsoft Store invoice.” The subject of such messages is usually “Microsoft Store E-invoice for your order #[digits].” Opening the malicious link downloads MS_INV_[digits].7z file, which contains a VBS downloader script.