- Jan 24, 2011
Security researcher MalwareHunterTeam tells Softpedia that the infamous Locky ransomware has returned today with a new spam campaign that's spreading a new version of the ransomware.
Last week, Microsoft's Malware Protection Center had revealed that the group behind Locky had reduced its spam efforts and was testing a new distribution method that relied on small spam campaigns spreading booby-trapped LNK (shortcut) files.
Over the weekend, Locky's creators returned to their old tricks and are in the midst of a massive spam campaign that spreads zipped HTA, WSF, and JS files, which are Locky's classic infection methods. An analysis of the email lures used for this spam campaign is available via My Online Security.
Locky pushes out new file encryption extension
The most visible change in this version of Locky is the extension it appends at the end of encrypted files.
The new extension is #####, and this is not the only salacious detail observed by researchers, who say the ransomware calls back home to a server file named "linuxsucks.php."
For example, a file named photo.png would become [random_characters].#####. Previously Locky had used extensions such as LOCKY, ZEPTO, and ODIN.
As for the random file names, MalwareHunterTeam said the format is "8-4-4-4-12.#####, where the first 8-4-4 characters are unique for infection, and the last 4-12 is unique for the file."
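The naming format quoted above (an 8-4-4-4-12 pattern where the first 8-4-4 is constant for one infection and the last 4-12 varies per file) is enough to write a simple triage check for a file listing: group renamed files by their infection part and flag any infection that has touched several files. The following is an added example, not code from the article or from MalwareHunterTeam; it assumes the groups are alphanumeric characters (the article does not say which character set is used) and uses a constructed sample listing.

```python
import re
from collections import defaultdict

# Pattern for the naming scheme quoted in the article: 8-4-4-4-12 groups
# followed by the new extension (shown on the page as "#####").
# ASSUMPTION: the groups are alphanumeric; the article does not specify this.
LOCKY_NAME_RE = re.compile(
    r"^(?P<g1>[0-9A-Za-z]{8})-(?P<g2>[0-9A-Za-z]{4})-(?P<g3>[0-9A-Za-z]{4})"
    r"-(?P<g4>[0-9A-Za-z]{4})-(?P<g5>[0-9A-Za-z]{12})\.#####$"
)


def parse_encrypted_name(name):
    """Return (infection_id, file_id) if name matches the scheme, else None.

    infection_id is the first 8-4-4 (shared by every file of one infection);
    file_id is the last 4-12 (unique per file), as described in the article.
    """
    m = LOCKY_NAME_RE.match(name)
    if not m:
        return None
    infection_id = "-".join((m["g1"], m["g2"], m["g3"]))
    file_id = "-".join((m["g4"], m["g5"]))
    return infection_id, file_id


def group_by_infection(names):
    """Map each infection id to the list of per-file ids seen for it."""
    groups = defaultdict(list)
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed:
            groups[parsed[0]].append(parsed[1])
    return dict(groups)


def looks_like_outbreak(names, threshold=3):
    """True if any single infection id accounts for >= threshold renamed files.

    A handful of files sharing one infection id is a much stronger signal than
    one odd filename, which is why the check is per infection id.
    """
    return any(len(files) >= threshold
               for files in group_by_infection(names).values())


# Constructed sample directory listing (not real victim data): three files
# from one infection, one from another, two untouched files, and one name
# whose last group is too short to match.
SAMPLE_LISTING = [
    "A1B2C3D4-E5F6-0718-9A0B-C1D2E3F4A5B6.#####",
    "A1B2C3D4-E5F6-0718-1111-222233334444.#####",
    "A1B2C3D4-E5F6-0718-ABCD-EF0123456789.#####",
    "photo.png",
    "report.docx",
    "FFFFFFFF-0000-1111-2222-333344445555.#####",
    "12345678-1234-1234-1234-123456789.#####",
]

if __name__ == "__main__":
    for infection, files in group_by_infection(SAMPLE_LISTING).items():
        print(f"infection {infection}: {len(files)} renamed file(s)")
    print("outbreak suspected:", looks_like_outbreak(SAMPLE_LISTING))
```

Running this over the constructed listing groups three files under one infection id and one under another, so the outbreak check fires at the default threshold of three. In practice the same check would be run over a file-server share or a backup manifest, and the infection id is the value worth recording, since it ties all renamed files to one host's infection.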
Read more: Locky Adds Support for a New "S**T" Extension
Related: Video Review - Locky Ransomware adds a new extension .#####! Demonstration of attack video review.