A new variant of the Locky ransomware, also known as Zepto, now ships with an RSA key embedded in it, says security expert Timothy Davies. According to Davies, this version is brand new, in circulation since around September 5th, and it does not require a connection to its Command and Control servers to encrypt data.
Many system administrators block C&C servers at the firewall, but because this Locky version carries its own embedded RSA key, it is able to encrypt the victim's PC no matter what has been blocked at the edge.
Luckily for us, however, the attachments have not been named correctly, which explains this version's distribution problems. For instance, one current spreading campaign relies on ZIP attachments containing JavaScript files which, when executed, give the following error:
The error is a result of the attachments' improper names: they are, in fact, HTA files and not JS files. If the file is renamed with the correct HTA extension, it runs without problems.
Additionally, this new Locky version continues to append the “.ZEPTO” extension to all encrypted files and creates ransom notes named “%Desktop%\[number]_HELP_instructions.html”, “%Desktop%\_HELP_instructions.html” and “%Desktop%\_HELP_instructions.bmp”.
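As an added defender-side example (not code from the article or from Davies), the following Python checks the two things the article gives us to work with: a ZIP mail attachment whose .js entries are really HTA markup (the misnaming described above), and the “.ZEPTO” extension and _HELP_instructions ransom-note names on disk. The HTA heuristic, the read limit and the sample ZIP are assumptions constructed here.

```python
import io
import re
import zipfile
from typing import List, Optional

# Post-infection artefacts of this Zepto variant, as listed in the article.
ZEPTO_EXTENSION = ".zepto"
RANSOM_NOTE_RE = re.compile(r"^(?:\d+)?_HELP_instructions\.(?:html|bmp)$", re.IGNORECASE)
# Extensions Windows Script Host executes on double-click from a mail attachment.
SCRIPT_EXTENSIONS = (".js", ".jse")
MAX_BYTES = 64 * 1024  # inspect only the head of each entry (zip-bomb guard)

def looks_like_hta(data: bytes) -> bool:
    """Heuristic (assumption): an HTA is HTML markup, but JScript source never opens
    with a tag, so a .js holding markup fails under wscript.exe (the article's error)."""
    head = data.lstrip()[:4096].lower()
    if not head.startswith(b"<"):
        return False
    return any(t in head for t in (b"<hta:application", b"<html", b"<script", b"<!doctype"))

def scan_zip_attachment(zip_bytes: bytes) -> List[str]:
    """Flag every .js/.jse entry of a ZIP attachment whose bytes are HTML/HTA."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            with zf.open(info) as fh:
                data = fh.read(MAX_BYTES)
            if looks_like_hta(data):
                findings.append(f"{info.filename}: script extension but HTA/HTML content")
    return findings

def classify_path(filename: str) -> Optional[str]:
    """Match a file name against the encrypted-file extension and ransom-note names."""
    if filename.lower().endswith(ZEPTO_EXTENSION):
        return "encrypted-file"
    if RANSOM_NOTE_RE.match(filename):
        return "ransom-note"
    return None

def build_sample_zip() -> bytes:
    """Constructed sample attachment: one misnamed HTA next to one genuine script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", '<html><head><hta:application id="x"/></head>'
                    "<script>/* constructed placeholder */</script></html>")
        zf.writestr("helper.js", "var total = 0; // constructed, genuine JScript")
    return buf.getvalue()
```

Run over real mail attachments, the first function flags the content/extension mismatch at the gateway before a user can rename the file; the second is a quick sweep of a share or desktop for the artefacts this variant leaves behind.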
Files targeted by this Locky variant have one of the following extensions: