Over the past week, more than 14 million emails have been sent in a new campaign to spread the Locky strain of ransomware. As we’ve reported many times, once Locky takes control it encrypts a victim’s files and demands payment in Bitcoins for a key to unlock them, typically around $340.
The attack was probably carried out by a single group working together, using at least one botnet. Traffic dropped suddenly before picking up again later. That pattern, together with both attacks using the same IP addresses, points to the possibility of a single botnet.
In the weeks before this latest attack, the hackers behind Locky had been nearly inactive. Given this new campaign, security researchers believe the perpetrators may have used that lull to prepare or upgrade their botnet.