New Locky Ransomware Variant Detected in Three Major Campaigns

Locky ransomware continues to spread at an alarming pace, in part due to the number of different Locky ransomware variants that have now been released. New variants are now appearing on a weekly basis, with the malicious file-encrypting malware constantly being tweaked to avoid detection and keep security researchers guessing.

Some of the latest variants of the ransomware have used the .sh*t extension rather than the more familiar .locky, although the latest variant has switched to the .thor extension. Regardless of the extension used, the effect is the same: Widespread encryption of files and deletion of Windows Shadow copies. At present, there is no decryptor available for any Locky variant. Recovery depends on the ability of victims to restore files from backups.

Locky ransomware is primarily spread via spam email and three major campaigns have been detected this week by Cisco Talos researchers. Each of these campaigns use malicious email attachments to infect end users. A variety of attachments are used including VBS files, JavaScript files, and Word documents containing malicious macros. While the spam emails are highly varied and different file attachments are used, infection still involves the use of encrypted DLLs. The DLL is downloaded and decrypted before being run using Rundll32.exe.

One of the largest campaigns uses a malicious ZIP file to load files onto the victims’ computer. The executable files will then download Locky onto the victim’s computer. Cisco Talos has identified 13,000 malicious emails from this campaign since Monday. The email attachment appears to be a receipt – a common ploy to get victims to open the file. This campaign also has a Halloween theme. The word Pumpkin is mentioned throughout the code.

The second campaign appears to be smaller. 3.748 emails have been identified. This campaign includes an attachment that appears to be a complaint letter. It is also a zip file, although it uses JavaScript to download Locky.

The third campaign uses a Windows Script File with the attachment appearing to be a bill from a French TV company. This campaign is targeting users in France and is smaller. 154 emails have been identified by Cisco Talos. WSF files have been used extensively in Locky campaigns, although the developers appear to be moving away from WSF files and are favoring ZIP files containing shortcut files (.LNK). The LNK files contain PowerShell scripts that download Locky, rather than using the Nemucod downloader.

While new variants continue to be released, detections are down over the past two weeks. It is unclear why this is the case. Since no decryptor is available and the ransomware is still being tweaked, the decline in use is expected to be short-lived.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of