The top ransomware for 2016 has opened another chapter in its history. A new version of Locky, using the .SHIT file extension, was detected only a couple of days ago. Yesterday, another variant was cited. The latest version to date appends the .THOR suffix to the names of the encrypted files.
The decisions of the program’s owners only make sense. To keep their software effective, they have to make frequent modifications. Changing the codes makes Locky unrecognizable for anti-virus utilities until their developers release an update. The hard work has paid dividends for the Locky developers. Their virus holds the top spot in the ransomware category for the current year.
What else has changed with the introduction of the .THOR file extension?
The latest version of Locky uses the same propagation vector as its predecessors. The ransomware is spread through spam emails. Of course, the concept and format of the letters have been reevaluated. The emails which were found to contain Locky talked about a “Budget forecast”. This was written in the subject field. In the body of the message, the sender stated that a certain person had asked him to send the budget forecast for a subsequent project. The letter contained a .zip folder attached to it.
The following formula is used to name the attachments: budget_xls_[7 hexadecimal characters].zip. The carrier folder contains a file in .VBS format. Its name is composed using this formula: budget [7 hexadecimal characters] xls.vbs. It should be noted that the random character combination is different for the folder and the file. We would like to direct your attention to the bogus spreadsheet. The file’s name contains the .XLS extension which indicates a spreadsheet. However, it is followed by the .VBS extension. As a rule of thumb, the final extension is the actual format of the file. When there is more than one extension, the file is likely to be a malware downloader.
The Locky spam emails use .DLL files to install the ransomware
In this instance, the malicious script downloads an encrypted .DLL file when being executed. The file is decrypted and a process called Rundll32.exe is used to encrypt the victim’s files. The command line for the execution of the .DLL file is the following: “C:\Windows\SysWOW64\rundll32.exe %Temp%\MWGUBR~1.dll,EnhancedStoragePasswordConfig 147”.
This version of Locky changes the names of the encrypted files. The generated name is created using the following format scheme: [8 hexadecimal characters]-[4 hexadecimal characters]-[4 hexadecimal characters]-[4 hexadecimal characters]-[12 hexadecimal characters].thor. The encrypted items could become completely unrecognizable.
A custom decrypter for Locky ransomware does not exist yet
Security experts have not managed to figure out Locky thus far. The code of the ransomware has not been broken to this date. Whether you have contacted the version which uses the .THOR extension or another variant, the aftermath would be the same.
There may be a light at the end of the tunnel. If you took the precaution of making a backup, you will be able to recover the encrypted data. Otherwise, you would have to hope that Locky failed to delete the Shadow Volume Copies of your files. The ransomware attempts to erase them. It usually succeeds, but it could fail. Our advice is to be prepared for a restoration. Create backups on a regular basis.