Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Fake ISP Complaint Emails Distribute Locky Ransomware Variant

Distributed via spam emails pretending to be complaints from an Internet Service Provider (ISP), a newly observed Locky ransomware variant appends the .AESIR extension to the encrypted files, security researchers reveal.

Distributed via spam emails pretending to be complaints from an Internet Service Provider (ISP), a newly observed Locky ransomware variant appends the .AESIR extension to the encrypted files, security researchers reveal.

Ever since it first emerged in February of this year, Locky has been one of the most active ransomware families and has targeted users all around the world. Its operators have been very active in their attempts to bypass security protections and avoid detection, and changing the extension appended to encrypted files has been one of the used methods.

The original malware variant used the .LOCKY extension, but the ransomware switched to .ZEPTO, .ODIN, and .THOR since. Now, Locky’s authors have adopted the .AESIR extension, as they continue to be inspired by the Norse god mythology.

The ransomware operators didn’t change the appended extension alone, but also the distribution method, several times. They switched from Word documents with malicious macros to different other types of attachments, including JavaScript, WSF, DLLs, and more.

Courtesy of this relentless search for new infection methods, Locky has become the second Most Wanted malware by number of attacks, a recent report from Check Point revealed. The ransomware accounted for 5% of recognized malware attacks in October, surpassed only by Conficker with 17% of attacks, and trailed by Zeus with 5% as well.

“The reason for Locky’s continued growth is the constant variation and expansion of its distribution mechanism, which is primarily through spams emails. Its creators are continually changing the type of files used for downloading the ransomware, including doc, xls and wsf files, as well as making significant structural changes to the spam emails,” Check Point says.

The latest Locky distribution campaign uses emails that pretend to be complaints from the victim’s ISP, stating that spam has been sent from the victim’s computer. The emails contain a ZIP attachment that uses social engineering to trick users into opening it: the file is named logs_[target_name].zip.

The ZIP file includes a JavaScript that, when opened, downloads an encrypted DLL that is decrypted into the %Temp% folder on the infected machine. Loaded using the legitimate Windows program Rundll32.exe, the DLL will install and execute the Locky ransomware.

As soon as the installation process has been completed, the ransomware scans the computer and network shares (including the unmapped ones) for specific file types and starts encrypting them. Encrypted files are renamed and appended the .AESIR extension.

After the encryption process has been completed, the malware displays a ransom note informing the victim on what happened with their files and providing instructions on how to pay the ransom to decrypt the files.

Related: OPM-Impersonating Spam Emails Distribute Locky Ransomware

Related: Researchers Build Configuration Extractor for Locky Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.