The Locky Ransomware is one of the most popular threats since its first detection in the wild early 2016. The ransomware has evolved over the time, crooks have improved it adding new evasion detection features and changing the distribution methods.
Security experts observe the implementation of sophisticated sandbox evasion techniques, they documented a new strain of the malware that used a new extension (aka Zepto variant) for the encrypted files meanwhile another version was able to use of offline encryption.
The downloader script works in a way similar to other strain of the Locky ransomware, the downloaded files are decrypted and saved in the Windows Temp directory, but differently from the past, the malicious payload is DLL file instead a .EXE. The DLL library is loaded using rundll32.exe, it leverages a custom packer to prevent anti-malware scanners from detecting it.
Once it is executed, the new Locky ransomware searches for the affected system and network shares for files to encrypt, it uses the .zepto extension for locked file. When the encryption process has been completed, this variant of Locky ransomware drops and displays a ransom payment instruction page.
Researchers noticed that the .onion address provided in the ransom note directs victims to the same Locky decryptor page that has been used in previous campaigns.
“Clicking on the onion link directs the user to the same Locky Decryptor page we have seen in previous Locky waves.” closes the report.
(Security Affairs – Locky ransomware, malware)