Locky has been one of the most prevalent ransomware threats since it was first detected in the wild in early 2016. The ransomware has evolved over time: its operators have added new detection evasion features and changed the distribution methods.
Security experts have observed the implementation of sophisticated sandbox evasion techniques; they documented a new strain of the malware that uses a new extension for the encrypted files (the so-called Zepto variant), while another version is able to perform offline encryption.
The downloader script works similarly to other Locky strains: the downloaded files are decrypted and saved in the Windows Temp directory, but unlike past versions, the malicious payload is a DLL file rather than an .EXE. The DLL is loaded using rundll32.exe and relies on a custom packer to prevent anti-malware scanners from detecting it.
Once executed, the new Locky ransomware searches the infected system and its network shares for files to encrypt, appending the .zepto extension to locked files. When the encryption process has completed, this variant drops and displays a ransom payment instruction page.
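The two behaviours described above (a DLL dropped into the Temp directory and launched through rundll32.exe, then files written with the .zepto extension) are both visible in endpoint telemetry. The following detector is an added example, not code from the article or from any vendor; the Sysmon-style key=value event format, field names and sample paths are assumptions and the event lines are constructed.

```python
"""Minimal detector for the Zepto-variant behaviours reported above.
Example code added to the article; event format and paths are assumed."""
import re
from typing import Dict, List

# Constructed sample events in a Sysmon-like key=value layout (not real telemetry).
# EventID=1 is process creation, EventID=11 is file creation.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\a1b2.dll,qwerty"',
    'EventID=1 Image=C:\\Windows\\System32\\rundll32.exe '
    'CommandLine="rundll32.exe shell32.dll,Control_RunDLL"',
    'EventID=11 Image=C:\\Windows\\System32\\rundll32.exe '
    'TargetFilename=C:\\Users\\bob\\Documents\\budget.xlsx.zepto',
    'EventID=11 Image="C:\\Program Files\\App\\app.exe" '
    'TargetFilename=C:\\Users\\bob\\Documents\\notes.txt',
]

# Per-user and system Temp directories the article names as the drop location.
TEMP_DIR = re.compile(r'\\(AppData\\Local\\Temp|Windows\\Temp)\\', re.IGNORECASE)
# Extension the report attributes to this variant.
RANSOM_EXT = ('.zepto',)


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, honouring double-quoted values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(line: str) -> str:
    """Return a detection label for one event line, or 'benign'."""
    ev = parse_event(line)
    image = ev.get('Image', '').lower()
    cmd = ev.get('CommandLine', '')
    if ev.get('EventID') == '1' and image.endswith('rundll32.exe'):
        # rundll32 loading a DLL that lives in a Temp directory is the loader pattern.
        if TEMP_DIR.search(cmd) and '.dll' in cmd.lower():
            return 'rundll32_temp_dll'
    if ev.get('EventID') == '11' and ev.get('TargetFilename', '').lower().endswith(RANSOM_EXT):
        # A file written with the ransom extension is the encryption-phase indicator.
        return 'ransom_extension_write'
    return 'benign'


def scan(lines: List[str]) -> List[str]:
    """Classify every event line; callers alert on anything not 'benign'."""
    return [classify(line) for line in lines]
```

The rundll32 rule fires on the Temp path rather than on a specific DLL name, so it survives the random file names a packed dropper produces.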
Researchers noticed that the .onion address provided in the ransom note directs victims to the same Locky decryptor page that was used in previous campaigns.
“Clicking on the onion link directs the user to the same Locky Decryptor page we have seen in previous Locky waves,” the report concludes.
(Security Affairs – Locky ransomware, malware)