Distributed via spam emails pretending to be complaints from an Internet Service Provider (ISP), a newly observed Locky ransomware variant appends the .AESIR extension to the encrypted files, security researchers reveal.
Ever since it first emerged in February of this year, Locky has been one of the most active ransomware families and has targeted users all around the world. Its operators have been very active in their attempts to bypass security protections and avoid detection, and changing the extension appended to encrypted files has been one of the used methods.
The original malware variant used the .LOCKY extension, but the ransomware switched to .ZEPTO, .ODIN, and .THOR since. Now, Locky’s authors have adopted the .AESIR extension, as they continue to be inspired by the Norse god mythology.
The ransomware operators didn’t change the appended extension alone, but also the distribution method, several times. They switched from Word documents with malicious macros to different other types of attachments, including JavaScript, WSF, DLLs, and more.
Courtesy of this relentless search for new infection methods, Locky has become the second Most Wanted malware by number of attacks, a recent report from Check Point revealed. The ransomware accounted for 5% of recognized malware attacks in October, surpassed only by Conficker with 17% of attacks, and trailed by Zeus with 5% as well.
“The reason for Locky’s continued growth is the constant variation and expansion of its distribution mechanism, which is primarily through spams emails. Its creators are continually changing the type of files used for downloading the ransomware, including doc, xls and wsf files, as well as making significant structural changes to the spam emails,” Check Point says.
The latest Locky distribution campaign uses emails that pretend to be complaints from the victim’s ISP, stating that spam has been sent from the victim’s computer. The emails contain a ZIP attachment that uses social engineering to trick users into opening it: the file is named logs_[target_name].zip.
The ZIP file includes a JavaScript that, when opened, downloads an encrypted DLL that is decrypted into the %Temp% folder on the infected machine. Loaded using the legitimate Windows program Rundll32.exe, the DLL will install and execute the Locky ransomware.
As soon as the installation process has been completed, the ransomware scans the computer and network shares (including the unmapped ones) for specific file types and starts encrypting them. Encrypted files are renamed and appended the .AESIR extension.
After the encryption process has been completed, the malware displays a ransom note informing the victim on what happened with their files and providing instructions on how to pay the ransom to decrypt the files.
Related: OPM-Impersonating Spam Emails Distribute Locky Ransomware
Related: Researchers Build Configuration Extractor for Locky Ransomware