MalwareHunterTeam reported that Locky ransomware has come back, accompanied by a brand new spam campaign that is spreading an updated Locky version.
A week earlier, Microsoft's Malware Protection Center had announced that the developers behind Locky ransomware were testing a new distribution method relying on small spam campaigns that spread booby-trapped LNK files.
Over the past weekend, the creators of Locky launched a huge spam campaign that used Locky's classic infection vectors: zipped HTA, WSF, and JS files.
The most significant change in the latest Locky version is a new extension appended to encrypted files. The new extension is SHIT, and according to security experts, the ransomware reports back to a server-side file named “linuxsucks.php.”
For instance, a file named photo.png would become [random_characters].shit. The previous extensions Locky had used were LOCKY, ZEPTO, and ODIN.
Regarding the random file names, the MalwareHunterTeam stated that the format is “8-4-4-4-12.shit, where the first 8-4-4 characters are unique for infection, and the last 4-12 is unique for the file.”
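The naming format quoted above can be turned into a triage check for a file listing. The following is an added example written for this page (not code from MalwareHunterTeam or ID-Ransomware); it assumes the five groups are hexadecimal characters, which the quoted format does not state, and it uses constructed file names rather than real indicators.

```python
import re
from collections import defaultdict

# Pattern for the 8-4-4-4-12.shit format quoted above. The first three groups
# (8-4-4) identify the infection; the last two (4-12) identify the file.
# ASSUMPTION: groups are hex characters; the quoted format only gives lengths.
LOCKY_SHIT_RE = re.compile(
    r"^(?P<infection>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"
    r"-(?P<file>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\.shit$"
)


def parse_locky_name(name):
    """Return (infection_id, file_id) for a name in the .shit format, else None."""
    m = LOCKY_SHIT_RE.match(name)
    if not m:
        return None
    return m.group("infection").upper(), m.group("file").upper()


def group_by_infection(names):
    """Group matching file names by infection ID so a responder can see how
    many distinct infections touched a share; non-matching names are ignored."""
    groups = defaultdict(list)
    for name in names:
        parsed = parse_locky_name(name)
        if parsed:
            groups[parsed[0]].append(name)
    return dict(groups)


# Constructed sample listing (not real IoCs): two infections plus benign
# and near-miss names that must not match.
SAMPLE_LISTING = [
    "0A1B2C3D-4E5F-6A7B-8C9D-0E1F2A3B4C5D.shit",
    "0A1B2C3D-4E5F-6A7B-1111-AAAAAAAAAAAA.shit",
    "FFFFFFFF-0000-1111-2222-333333333333.shit",
    "photo.png",
    "report.docx.locky",
    "notquite-4E5F-6A7B-8C9D-0E1F2A3B4C5D.shit",
]

if __name__ == "__main__":
    for infection, files in group_by_infection(SAMPLE_LISTING).items():
        print(f"infection {infection}: {len(files)} file(s)")
```

Running it over a real directory walk (os.walk) instead of SAMPLE_LISTING gives the count of distinct infection IDs per share, which is what the 8-4-4 prefix lets a responder measure.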
MalwareHunterTeam reported that infections were arriving very quickly. The researchers noticed them via ID-Ransomware, a free website the team had created to help victims of ransomware infections.
Users whose computers were infected by ransomware can visit the ID-Ransomware website, upload a copy of the ransom note and one of the encrypted files, and learn the name of the ransomware that locked their PCs. They can then recover their files if a free decrypter is available online.
MalwareHunterTeam reported that in only six hours, the new Locky S**T version had infected users in Germany, France, Serbia, the UK, Poland, Saudi Arabia, Finland, Bosnia and Herzegovina, Denmark, Turkey, Romania, Spain, the US, Gabon, the Dominican Republic, the Czech Republic, Canada, Argentina, South Africa, Honduras, and Venezuela. In other words, a new country with S**T ransomware infections popped up every five minutes.
Security experts like MalwareHunterTeam, TMMMalAnalyst, SecGuru, Racco42, Techhelplist, Peter Kruse, and operations6 have identified this ransomware as a new Locky variant, and not as a new ransomware family.
The experts have not yet had time to analyze the new Locky version's code in detail; however, a researcher named Techhelplist has identified the first change, a modification in Locky’s DLL entry point.
Security researchers from Cisco created LockyDump, a tool for extracting Locky ransomware configuration files, and it successfully extracted configs from Locky S**T samples. This confirms that the new variant is genuine Locky.
Apart from the above, the standard desktop wallpaper used by Locky S**T turned out to be identical to the wallpapers used by previous Locky versions.