New Locky ransomware variant hits healthcare hard

Different way to deliver the malware, network patterns used on providers.


A recent new strain of the Locky ransomware is targeting the healthcare industry, according to cyber security vendor FireEye Labs.

“From our trend analysis, Locky ransomware started being delivered via DOCM format email attachments more extensively beginning in August,” FireEye explained in a recent alert. “This marks a change from the large campaigns we observed in March, where a JavaScript-based downloader was generally being used to infect systems.”



The attacks also are hitting the telecom, transportation, manufacturing, service provider and aerospace/defense sectors severely, but nowhere near the degree that healthcare is being attacked.

In particular, attacks against healthcare and other industries, with high similarity, were especially pronounced on August 9, 11 and 15, according to FireEye.

Among other traits in this style of attack, each email campaign has a specific “one-off” campaign code used to download the ransomware from a malicious server, and the malicious URL embedded with macro code is encoded using the same encoding function but with a different key for each campaign, the vendor says. An accompanying report, available here, shows the network patterns of the August attacks.


More for you

Loading data for hdm_tax_topic #care-team-experience...