Locky Drops Offline Mode and Switches to New ODIN Extension

Exterminator

Locky, one of today's most dangerous and prevalent ransomware families, next to Cerber and CryptXXX, has gone through yet another update, this time dropping support for offline mode and adding a new extension for encrypted files.

Back in mid-July, the criminal gang behind the Locky ransomware had released a version of their ransomware that could work without an Internet connection, in a so-called "offline mode."

This Locky version had been distributed via five spam botnets. According to a report from Avira, three of those botnets have now reverted to distributing a Locky variant that drops support for offline mode, connecting to an online C&C server, like the rest of Locky versions.

"Maybe it didn't work out as well as expected for them," said Moritz Kroll, malware specialist in the Avira Protection Labs. "Or they were just too curious about the number of successful infections."

Locky switches to new .ODIN extension
Additionally, security researcher @dvk01uk says recent Locky variants now add the .ODIN file extension to encrypted files. Previously, Locky had used .LOCKY (which gave its name) and .ZEPTO. Users who get infected with this newer Locky variant should be aware that this is still Locky, and not the Odin ransomware.

The infection method also changed. Previous versions relied on victims downloading malicious ZIP files they received via email spam. These files contained WSF or JS files which, when executed, would download and install a malicious EXE file, the actual ransomware.

The researcher said on Twitter that for more than a month, since August 24, these WSF and JS files have been downloading a DLL file instead of the EXE installer, which they use to deploy the ransomware.

Small changes like these may look silly and worthless, but they help crooks avoid security scanners and antivirus solutions.
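The post describes two indicators a defender can act on: mail attachments that are ZIP archives carrying WSF or JS droppers, and encrypted files carrying the .locky, .zepto or .odin extensions. The following script is an added example written for this page, not code from the post or from any vendor it mentions; the extra script extensions beyond .wsf and .js, and the sample archive contents, are assumptions constructed for the demonstration.

```python
import io
import zipfile
from typing import List, Optional

# Script-type attachment members. The post names .wsf and .js as Locky's droppers;
# the remaining entries are common Windows script formats added here as an assumption.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta"}

# Extensions the post attributes to Locky-encrypted files, mapped to the variant name,
# so an .odin file is reported as Locky rather than confused with the Odin ransomware.
LOCKY_EXTENSIONS = {
    ".locky": "Locky",
    ".zepto": "Locky (Zepto variant)",
    ".odin": "Locky (ODIN variant)",
}


def scripts_in_zip(data: bytes) -> List[str]:
    """Return the names of script-type members inside a ZIP archive given as bytes.

    Used on a mail gateway or in triage to flag archives that carry a script dropper
    instead of the document the filename pretends to be.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            lowered = name.lower()
            if any(lowered.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                flagged.append(name)
    return flagged


def classify_encrypted_name(filename: str) -> Optional[str]:
    """Map a file name to the Locky variant its extension indicates, or None."""
    lowered = filename.lower()
    for ext, variant in LOCKY_EXTENSIONS.items():
        if lowered.endswith(ext):
            return variant
    return None


def build_sample_zip() -> bytes:
    """Constructed sample archive: a harmless JS placeholder next to a text file."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        # Constructed content only; this is a comment line, not a dropper.
        archive.writestr("invoice_0923.js", "// constructed placeholder\n")
        archive.writestr("readme.txt", "constructed sample text\n")
    return buffer.getvalue()


if __name__ == "__main__":
    print("scripts in sample zip:", scripts_in_zip(build_sample_zip()))
    for name in ("report.docx.odin", "photo.jpg.zepto", "notes.txt"):
        print(name, "->", classify_encrypted_name(name))
```

Run it directly to see the flagged member of the constructed archive and the variant each sample file name maps to; in practice the two functions would be fed real attachment bytes and file listings from an affected host.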