Lukitus is spread via Dropbox-themed emails

Dropbox-themed emails can lure you into installing ransomware

This week, security researchers spotted a new phishing campaign pushing the latest variant of the Locky ransomware, known as Lukitus. According to the researchers, more than 23 million spam emails were sent to unsuspecting PC users in less than a day, making this one of the largest malspam waves of the second half of the year.

While Lukitus itself was first detected about a month ago, its executable had until now been seen in only a few hundred spam samples. What we are witnessing today is by far the most aggressive push of this variant, and one that could cost millions of people their data.

The phishing variation

Locky did most of its damage more than a year ago. Back then, its main distribution method was spam email with a .doc attachment that carried the malicious macro.

This time, the attack does not rely solely on attachments posing as useful documents. It also uses Dropbox-themed phishing emails. These fake messages are well crafted and look nearly identical to a genuine Dropbox notification. They can fool even experienced users, because the visible link text and layout mimic Dropbox and the only tell is the actual destination URL behind the link.

Ransomware delivery to the victim

Clicking the malicious link redirects you to one of a handful of websites. These are legitimate sites, or at least accounts on well-known hosting providers, that were compromised by the Lukitus operators and seeded with a file named “dropbox.html”.

The dropbox.html file renders a page that looks like the real Dropbox website. Clicking any link on it, however, delivers the malicious payload in one of two ways: either the page serves a zip archive containing a malicious script, or it runs a JavaScript file directly, which in turn downloads the ransomware executable.
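The two tells described above, a visible Dropbox URL that points elsewhere and a dropbox.html page hosted on a non-Dropbox site, can be checked mechanically before anyone clicks. The following Python script is an added example written for this article, not code from the campaign or from any researcher; the email body and the hostnames in it are constructed for illustration, and the trusted-domain list and the "last two labels" domain heuristic are simplifying assumptions. It parses an HTML email, pairs each anchor's visible text with its real href, and flags the mismatches.

```python
"""
Flag phishing-style links in an HTML email body (added example, not the
article's own code). Two checks are applied to every <a> element:
  1. the visible text contains a URL whose domain differs from the href's
     real domain (display-URL spoofing);
  2. the href path ends in dropbox.html on a host that is not dropbox.com.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the brand being impersonated; extend for other lures.
TRUSTED_DOMAINS = {"dropbox.com"}

# Constructed sample email, not a real campaign message. Hostnames are
# reserved documentation names (example.net / example.org).
SAMPLE_EMAIL = """
<html><body>
<p>Someone shared a file with you.</p>
<a href="https://cdn.example.net/dropbox.html">https://www.dropbox.com/s/verify</a>
<a href="https://www.dropbox.com/help">Help</a>
<a href="http://shop.example.org/images/dropbox.html">View file</a>
</body></html>
"""

_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: keep the last two labels. Assumption: fine for
    .com/.net/.org samples; use a public-suffix list in production."""
    if not host:
        return ""
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host):
    return registrable(host) in TRUSTED_DOMAINS


def analyse_links(html):
    """Return a list of findings, one per suspicious anchor."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        reasons = []
        # Check 1: visible text shows one domain, href goes to another.
        shown = _URL_RE.search(text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        if shown_host and registrable(shown_host) != registrable(target.hostname):
            reasons.append("display URL differs from href")
        # Check 2: Dropbox-themed landing page served from an off-brand host.
        if target.path.lower().endswith("dropbox.html") and not is_trusted(target.hostname):
            reasons.append("dropbox.html on untrusted host")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed sample, the first anchor trips both checks and the third trips the dropbox.html check, while the genuine dropbox.com "Help" link passes. The same logic fits a mail gateway or a proxy-log filter: the second check alone, applied to request URLs, catches the compromised hosting accounts described above regardless of how the link was dressed up in the email.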

Be extremely careful with Dropbox-themed emails these days. If you have no reason to expect a notification from Dropbox, ignore the message, because it can lead to the ransomware. Before clicking any link, check where it actually points rather than trusting the visible text, and never run a script file delivered inside a zip archive. If you are already infected, we have to disappoint you: there is currently no decryptor for Lukitus.

Ugnius Kiguolis