New Ransomware Looks Like Your Office Copier

A second wave of the Locky ransomware variant called IKARUSdilapidated has been identified by security experts. The source of the ransomware is a botnet of zombie computers coordinated to launch phishing attacks that send emails and attachments appearing to come from a targeted recipient’s trusted business-class multifunction printer.

This is the second wave of IKARUSdilapidated ransomware spotted in the past month, according to Comodo Threat Intelligence Lab. The original attack, first identified on Aug. 9 and lasting three days, utilized spam messages that contained little to no content along with a malicious Visual Basic Script attachment.

 “This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” said Fatih Orhan, director of technology at Comodo, in an interview with Threatpost. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”

Emails part of the campaign use a popular printer model in the subject line to trick users into thinking the messages are legitimate. One such message reads, “Scanned image from M-2600N”. MX-2600N is the model of a leading enterprise-class Sharp multifunction printer. Messages contained malicious JavaScript attachments that if clicked on initiated a dropper program that downloaded the IKARUSdilapidated ransomware.

An easy solution to this is to always involve your trusted IT professional in the purchase and configuration of these devices, so that the subject line can be changed from the default and your staff and trading partners know what is and [more importantly] is not a legitimate email from your multi-function scan devices.  Your copier technician is rarely trained in these matters. We recommend that you limit scan and email to only off-site personnel, and using file-share delivery whenever possible.


[Threatpost: New Locky Variant ‘IKARUSdilapidated’ Strikes Again – 30 AUG 2017]