Locky spread via Herbalife disguised messages
Locky spread via Herbalife disguised messages

An aggressive ransomware campaign is infecting victims with a Locky variant that only uses a single identifier for all of its victims.

An identifier allows the criminals to identify a victim who pays their ransom and by only using one, it's impossible to know which victims pay and subsequently impossible for the attacker to send them the appropriate decryptor.

Barracuda researchers have already blocked more than 27 million emails using these methods wrapped in either a Herbalife-branded email or a generic email that impersonates a ‘copier' file delivery. All of the malicious emails use fake source email addresses, according to a Sept. 19 blog post. The largest volume of attacks appears to have come from Vietnam while other sources include India, Columbia, and Turkey and Greece.

Researchers noted approximately 6,000 fingerprints which they say means the attacks are being automatically generated using a template that randomizes parts of the files. 

“It looks to me like someone has developed a kit for distributing ransomware variants, which makes sending large volumes easier,” Eugene Weiss, lead platform architect at Barracuda told SC Media. “I suspect also that ransomware developers have been testing against popular anti-virus engines, and modified the ransomware to get around their checks; then their strategy was to release a really high-volume blast that would get some clicks before the anti-virus vendors could react to the changes.”

Weiss noted that Herbalife has a large presence in Vietnam and that its use in the campaign is a good indicator that the outbreak really is of Vietnamese origin. He also noted that the Herbalife wrapper was the first that researchers saw ant that they have seen several other wrappers that are part of the same attack.

Regardless of the email's disguise, researchers warn the campaign is an example of why Internet users need to exercise as much caution as they can when opening emails that are unusual or unexpected, DomainTools Senior Cybersecurity Threat Researcher Kyle Wilhoit told SC Media.

“Ransomware, while avoidable with the right tools, is a massive day-to-day inconvenience for businesses and individuals, and the profits from successful extortion​s​ ​often ​go on to fund further criminal enterprises,” Wilhoit said. “A good rule to follow is that if you cannot remember making a payment (for an invoice email that seems suspect) ​you should contact the merchant, and to always assume that if something offer​ed​ to you seems too good to be true, then it probably is!”