New versions of the Locky and Mamba encrypting ransomware – users are in trouble
Diablo6 is a new version of Locky ransomware
In 2016, the Locky ransomware attacked thousands of users through phishing emails. Users who opened the attachment of such an email activated the malware, which then encrypted all files on the computer and demanded a ransom in bitcoins. The virus later returned: its new versions were distributed with the help of the Necurs and Dridex botnets.
This time, researchers uncovered a spam campaign whose main aim is to distribute a new version of Locky called Diablo6. The emails were sent to users in different parts of the world; judging by the number of attacked devices, the USA suffered the most, with Austria in second place.
An independent researcher known by the nickname Racco42 was the first to discover the new attacks. He said that this ransomware encrypts all files on the hard drive, adding the .diablo6 extension to them. The victim receives the virus by opening a Word document attached to what is in fact a phishing email. Clicking on the attachment launches a VBS downloader script. The virus encrypts the files using an RSA-2048 key, after which the victim sees a message with instructions on how to download the Tor browser. According to the message, this browser lets the victim contact the developers of the virus for more information about the ransom payment, which equals 0.49 bitcoins (more than $2100 to unlock the files).
No tool for unlocking files on Diablo6-infected computers is currently available, so users must be careful when opening email attachments of any kind.
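The one concrete indicator the article gives for Diablo6 is the .diablo6 extension added to encrypted files. The script below is an added example, not code from the article or from the researcher it cites: it walks a directory tree and reports folders where several files carry that extension, which is the kind of check a file server or backup job can run to notice an outbreak early. The alert threshold and the constructed sample folders are assumptions made for the demonstration.

```python
"""Added example: flag directories that hold files with the .diablo6 extension
(the extension named in the article). Threshold and sample tree are assumptions."""
import tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXT = ".diablo6"  # extension Diablo6 appends to encrypted files


def scan_for_encrypted(root, threshold=3):
    """Return {directory: count} for every directory under `root` that holds at
    least `threshold` files ending in SUSPECT_EXT. The threshold (an assumption)
    keeps a single stray file from raising an alert."""
    hits = Counter()
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(SUSPECT_EXT):
            hits[str(path.parent)] += 1
    return {d: n for d, n in hits.items() if n >= threshold}


def build_sample_tree():
    """Constructed sample data: a clean folder and a folder that looks encrypted."""
    root = Path(tempfile.mkdtemp(prefix="diablo6-demo-"))
    clean = root / "docs"
    hit = root / "shared"
    clean.mkdir()
    hit.mkdir()
    for name in ("report.docx", "notes.txt"):
        (clean / name).touch()
    for i in range(4):                      # four "encrypted" files
        (hit / f"{i}.diablo6").touch()
    (hit / "readme.txt").touch()            # untouched file in the same folder
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, count in scan_for_encrypted(sample_root).items():
        print(f"ALERT: {count} .diablo6 files in {folder}")
```

Running it as-is prints one alert for the constructed "shared" folder and none for "docs".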
Mamba ransomware comes back
One more ransomware has returned, and it has attacked both individual users and large enterprises. Last year, Mamba ransomware, which encrypts not just individual files but the whole drive, infected computers of the San Francisco Municipal Railway. The infection caused large-scale disruptions to traffic and breakdowns of ticket machines at some stations.
This time, the corporate networks of companies in various countries were under attack, with most infections occurring in Brazil and Saudi Arabia. Mamba uses legitimate open-source software, DiskCryptor, to encrypt the disks of Windows computers. This tool relies on strong encryption algorithms, so there is no way to decrypt the disks of Mamba-attacked computers.
The researchers suggest that the virus gets into corporate networks via phishing emails with malicious attachments, or via compromised and fake websites containing exploits. After encrypting the disk, the virus displays a message with an email address to write to for unlocking instructions.
Tips for protection against encrypting ransomware
You need to follow simple security principles to prevent a ransomware attack:
- Do not click on attachments in suspicious emails from unknown senders, and do not follow the links such messages contain.
- Regular backups are necessary: if the virus has attacked the computer, restoring your files from a backup on an external drive is the easiest way to recover. A disk holding a backup copy should not be permanently connected to the computer.
- Update antivirus software regularly and use additional methods of protection; for instance, corporate networks can be protected by specialized tools such as security scanners.