A second wave of the Locky ransomware variant called IKARUSdilapidated has been identified by security experts. The source of the ransomware is a botnet of zombie computers coordinated to launch phishing attacks that send emails and attachments appearing to come from a targeted recipient’s trusted business-class multifunction printer.

This is the second wave of IKARUSdilapidated ransomware spotted in the past month, according to Comodo Threat Intelligence Lab. The original attack, first identified on Aug. 9 and lasting three days, utilized spam messages that contained little to no content along with a malicious Visual Basic Script attachment.

“This is a more mature campaign, targeting office workers whose workstations are part of a corporate network linked to multifunction scanners and printers,” said Fatih Orhan, director of technology at Comodo, in an interview with Threatpost. “As many employees today scan original documents at the company printer and email them to themselves and others, this malware-laden email will look very innocent.”

Emails part of the campaign use a popular printer model in the subject line to trick users into thinking the messages are legitimate. One such message reads, “Scanned image from M-2600N”. MX-2600N is the model of a leading enterprise-class Sharp multifunction printer. Messages contained malicious JavaScript attachments that if clicked on initiated a dropper program that downloaded the IKARUSdilapidated ransomware.

This most recent campaign was delivered over the course of three days starting Aug. 18 in three stages. The first two stages of the attack were the largest and involved the bogus scanned image attachment.

The third smaller wave differed and featured a message purporting to from a French post office with the word “FACTURE” in the subject line. FACTURE translates to a bill or billing inquiry in French. Emails come from a Laposte.net email address which is a domain used by a popular French post office company, according to Comodo. FACTURE messages also contained malicious JavaScript attachment compressed in a .rar archive format. Once clicked on, dropper malware would download the IKARUSdilapidated ransomware.

“In contrast to the initial (Aug. 9) 2017 IKARUSdilapidated Locky campaign, which distributed malware with the ‘.diablo’ extension and a script that is a Visual Basic Script, both new attacks have interesting variations to fool users with social engineering and to fool security administrators and their machine learning algorithms and signature-based tools,” researchers said in a technical analysis of the attack.

The name of the Locky ransomware strain IKARUSdilapidated is derived from a text string found in the code of the malicious file downloaded by the dropper. Researchers say IKARUSdilapidated is a variant of Locky because they share many of the same characteristics such as encrypted filenames converted to a unique 16-letter and number combination.

“This shows that the malware authors are evolving and changing methods to reach more users and bypass security methods,” Orhan said.

According to an analysis of the botnet used in the attacks 54,048 IP addresses were used in the “scanned image” campaign – 27 percent of those were also used in the original attack that began on Aug. 9. The top source countries behind the “zombie computer” botnet are Vietnam, Turkey, India and Mexico. Targeted countries included European and Southern Asia-based countries with minimal targeting of the United States and Russia.

Locky is notorious for its effectiveness and profitability. Over the past two years, Locky has extorted more than $7.8 million in payments from victims, according a recent study by Google, Chainalysis, UC San Diego, and the NYU Tandon School of Engineering.