Locky ransomware continues to spread at an alarming pace, in part due to the number of different Locky ransomware variants that have now been released. New variants are now appearing on a weekly basis, with the malicious file-encrypting malware constantly being tweaked to avoid detection and keep security researchers guessing.
Some of the latest variants of the ransomware have used the .sh*t extension rather than the more familiar .locky, although the latest variant has switched to the .thor extension. Regardless of the extension used, the effect is the same: widespread encryption of files and deletion of Windows Shadow Copies. At present, there is no decryptor available for any Locky variant. Recovery depends on the ability of victims to restore files from backups.
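Because the extensions above are the visible trace a Locky infection leaves on disk, one defensive check is to watch file-creation telemetry for a single process writing many files with those extensions in a short window. The following is an added example, not code from the article or from any vendor; the log format, process names and timestamps are constructed for illustration.

```python
"""Flag processes that rapidly create files with Locky-style extensions.

Added example, not from the article. Log lines are constructed and use the
format "<epoch>,<pid>,<process>,<op>,<path>" (a hypothetical export format).
"""
import re
from collections import defaultdict

# Extensions named in the article for Locky variants; ".sh*t" is written as a
# one-character wildcard because the article censors that character.
LOCKY_EXT_RE = re.compile(r"\.(locky|sh.t|thor)$", re.IGNORECASE)


def parse_event(line):
    # maxsplit=4 keeps commas that may appear inside the path intact
    ts, pid, proc, op, path = line.strip().split(",", 4)
    return {"ts": int(ts), "pid": int(pid), "proc": proc, "op": op, "path": path}


def find_encryptors(lines, threshold=5, window=60):
    """Return {(pid, proc): total_count} for every process that creates at
    least `threshold` Locky-extension files within any `window`-second span."""
    per_proc = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["op"] == "create" and LOCKY_EXT_RE.search(ev["path"]):
            per_proc[(ev["pid"], ev["proc"])].append(ev["ts"])
    hits = {}
    for key, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = len(times)
                break
    return hits


# Constructed sample: one process writes five .thor files in five seconds,
# while explorer.exe touches a single .locky file much later (no alert).
SAMPLE_LOG = r"""
1477900000,4120,explorer.exe,create,C:\Users\a\Desktop\notes.txt
1477900001,5012,dropper.exe,create,C:\Users\a\Documents\report.docx.thor
1477900002,5012,dropper.exe,create,C:\Users\a\Documents\budget.xlsx.thor
1477900003,5012,dropper.exe,create,C:\Users\a\Pictures\holiday.jpg.thor
1477900004,5012,dropper.exe,create,C:\Users\a\Pictures\dog.png.thor
1477900005,5012,dropper.exe,create,C:\Users\a\Music\song.mp3.thor
1477900300,4120,explorer.exe,create,C:\Users\a\Desktop\old.locky
"""

if __name__ == "__main__":
    print(find_encryptors(SAMPLE_LOG.splitlines()))
```

The threshold and window are tuning knobs; a single stray file with a matching extension should not page anyone, but a burst from one process is the pattern worth alerting on.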
One of the largest campaigns uses a malicious ZIP file attachment containing executable files; once run, those executables download Locky onto the victim’s computer. Cisco Talos has identified 13,000 malicious emails from this campaign since Monday. The email attachment appears to be a receipt, a common ploy to get victims to open the file. This campaign also has a Halloween theme: the word “Pumpkin” appears throughout the code.
The third campaign uses a Windows Script File (WSF), with the attachment appearing to be a bill from a French TV company. This campaign targets users in France and is smaller: Cisco Talos has identified 154 emails. WSF files have been used extensively in Locky campaigns, although the developers appear to be moving away from WSF files and are favoring ZIP files containing shortcut files (.LNK). The LNK files contain PowerShell scripts that download Locky, rather than relying on the Nemucod downloader.
While new variants continue to be released, detections are down over the past two weeks. It is unclear why this is the case. Since no decryptor is available and the ransomware is still being actively tweaked, the decline is expected to be short-lived.