Several hours ago, infosec expert Derek Knight found a brand new Locky ransomware variant being spread by email messages that pose as an Internet service provider (ISP) alert claiming that spam has been detected coming from the victim's PC.
After an initial examination of this Locky build, other researchers from the Malware Hunter Team noticed that Locky had also changed the file extension for encrypted data to .aesir. This latest extension continues the Norse-mythology theme, earlier versions having used the Thor and Odin extensions. Sadly, the Locky encryption cannot be broken at this time.
Back to the Locky spam messages: they carry a subject line such as "Spam mailout" and include a ZIP attachment with a name like logs_[victim_name].zip. Inside the ZIP file is a JS file that, once run, downloads and launches the .aesir variant itself.
When the JS attachment runs, it downloads an encrypted DLL file, decrypts it and writes it to the PC's Temp folder. That DLL is then launched with the help of the legitimate Windows program Rundll32.exe, and so Locky is installed on the device.
As soon as Locky is installed, it scans the PC for about 456 different file types and encrypts them. While encrypting the files, Locky scrambles their names and adds the .aesir extension, so an encrypted file looks like this: 01WCCd1-621V-AeBF-4DA-2308D8F811BFC.aesir. The names are scrambled so that victims cannot tell which files have been affected.
When the encryption is finished, the ransomware displays a ransom note with instructions on how to pay the ransom.
The names of the ransom notes have changed too; they are now named like this: _[number]-INSTRUCTION.html
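As an added example (not code from the article or from any vendor), the following Python triage script turns the indicators described above into checks a responder can run over a file listing and process command lines: it recognises the scrambled .aesir file names and the _[number]-INSTRUCTION.html notes, and flags Rundll32.exe loading a DLL out of a Temp folder. The regular expressions are assumptions derived from the single sample name and the naming scheme the article quotes, and the sample listing and command lines are constructed, not from a real incident.

```python
import re
from pathlib import PureWindowsPath

# Patterns assumed from the names quoted in the article (not an official signature):
# encrypted file 01WCCd1-621V-AeBF-4DA-2308D8F811BFC.aesir -> five dash-separated alphanumeric groups
AESIR_FILE = re.compile(r"^[0-9A-Za-z]+(?:-[0-9A-Za-z]+){4}\.aesir$")
# ransom note named _[number]-INSTRUCTION.html
RANSOM_NOTE = re.compile(r"^_\d+-INSTRUCTION\.html$", re.IGNORECASE)
# rundll32 launching a DLL that was dropped into a Temp folder (the install stage described above)
RUNDLL32_TEMP = re.compile(r'rundll32(?:\.exe)?\s+"?[^"\s]*\\temp\\[^"\s]*\.dll', re.IGNORECASE)


def classify_file(path):
    """Return 'encrypted', 'ransom_note' or None for one Windows path."""
    name = PureWindowsPath(path).name
    if AESIR_FILE.match(name):
        return "encrypted"
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    return None


def triage_listing(paths):
    """Count encrypted files and ransom notes and record the directories they were found in."""
    summary = {"encrypted": 0, "ransom_note": 0, "dirs": set()}
    for p in paths:
        kind = classify_file(p)
        if kind:
            summary[kind] += 1
            summary["dirs"].add(str(PureWindowsPath(p).parent))
    return summary


def suspicious_rundll32(cmdline):
    """True when a process command line shows rundll32 loading a DLL from a Temp directory."""
    return RUNDLL32_TEMP.search(cmdline) is not None


# Constructed sample data for a dry run (not taken from a real infection)
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\01WCCd1-621V-AeBF-4DA-2308D8F811BFC.aesir",
    r"C:\Users\alice\Documents\01WCCd1-621V-AeBF-4DA-9F0E1B2C3D4A.aesir",
    r"C:\Users\alice\Documents\_1-INSTRUCTION.html",
    r"C:\Users\alice\Documents\report.docx",
]
SAMPLE_CMDLINES = [
    r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\dropped.dll",qwerty',  # matches the chain above
    r"rundll32.exe shell32.dll,Control_RunDLL",  # ordinary, benign use of rundll32
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    print([suspicious_rundll32(c) for c in SAMPLE_CMDLINES])
```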
For now, files can be recovered only from a backup or, if you are extremely fortunate, from Shadow Volume Copies. Locky does attempt to wipe the Shadow Volume Copies, but in some situations it fails to do so.
If you do not have backups, it is recommended to monitor computer help forums and wait for a decryptor to become available. In several cases, infosec researchers have been able to obtain the decryption keys.