Locky Ransomware Adds Aesir Extension to Encrypted Files

The security researcher Derek Knight found out a brand new Locky campaign yesterday. The newly-found campaign sends thousands of emails pretending to be an ISP complaint and stating that SPAM has been detected in the PC.

MalwareHunterTeam analyzed the installation of the latest Locky infection and found out that Locky had changed the extension for encrypted files to .AESIR. The new extension continues to stay within the Norse god mythology, with the previous variant using the Thor extension. However, the main problem with the new version of Locky ransomware is that currently it cannot be decrypted.

The latest Locky campaign is being distributed through emails pretending to be a complaint from your ISP, which states that SPAM is being sent from your PC. The emails include a subject of Spam mailout as well as a zip attachment named something like logs_[target_name].zip. There is a JS file inside the ZIP file which once opened, it will download and execute the Locky infection.

Being executed, the JS attachment will download an encrypted DLL and decrypt it into the %Temp% folder of the computer. After that the DLL file will be executed using the legitimate Windows program named Rundll32.exe in order to install Locky on the PC.

Presently, the Locky DLL is being executed with a command similar to this one: “C:\Windows\System32\rundll32.exe” %Temp%\vv3y5iUI.dll,jWo7sg8u

After being installed, Locky ransomware will scan the machine for certain file types and encrypt them all. When encrypting a file, it will scramble the name and append the .aesir exension.

For instance, a file named test.jpg could be renamed to 016CCB88-61B1-ACB8-8FFA-86088F811BFA.aesir. The format for this naming scheme is first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].aesir

Once the encryption is done, ransom notes will be displayed to provide some information on how to pay the ransom. The names of these ransom notes have changed for the AESIR Locky variant and are now named _[number]-INSTRUCTION.html, -INSTRUCTION.html, and -INSTRUCTION.bmp.

ransom-note
Image Source: Bleeping Computer

As already mentioned above, the main problem with the latest version of Locky is that it is still not possible to decrypt the infected files for free. At this point, the only way to recover the encrypted files is via backup, or if you are lucky enough, via Shadow Volume Copies.

Nevertheless, you should know that Locky is trying hard to remove the Shadow Volume Copies, and in rare cases, ransomware infections fail to do so. For that reason, if you do not have a backup, the only thing left to do is trying to restore the encrypted files from the Shadow Volume Copies.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.