Security News Locky Ransomware Returns, but Targets Only Windows XP & Vista

[LASER_oneXM]

....some quotes from the article above:

The Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking files only on older Windows XP & Vista machines.

Locky spam accounted for 7.2% of all email spam
Cisco says spam for this new Locky variant accounted for nearly 7.2% of the Internet's entire email spam traffic. That's an insanely massive spam wave for a ransomware that only targets less than 10% of the entire Windows userbase.

Locky's new tactics
But there are also new wrinkles in this new Locky spam wave as well. Vitaly Kremez, Flashpoint Director of Research, discovered that Locky uses a new method of launching the infected binary on targeted hosts.

In addition, the Locky spam emails use new texts for the email subjects and body content, albeit they still pretend to be invoices, payment receipts, order confirmations, and so on.

These emails also packed file attachments differently, utilizing a double-nested ZIP structure. The emails Bleeping Computer analyzed deliver a ZIP file with names in the format of eight random digits (e.g.: 38017832.zip). This initial ZIP file contains another ZIP file, which in turns contains an EXE file that runs Locky when executed.

Last but not least, this Locky version also added some anti-debugging protections that prevent the ransomware from running in virtual machines and other debug environments, which explains why researchers had a hard time analyzing it for the first few hours.

Overall, this particular Locky spam run seems to be a rushed effort, but we can expect the ransomware's operators to correct their flaws and start delivering a fixed version in the following days.

Windows DEP security feature mitigates new Locky variant
The new spam waves were detected by a large number of security researchers. All reported that they had trouble infecting themselves on their test machines.
It was Cisco's Talos division that discovered why. According to the company's experts, the Locky authors rushed to replace the decrypted Jaff version with Locky and made several errors in their deployment.

 

[Staunch]

Thans for sharing

 

[frogboy]

Time for people to abandon XP and Vista I think.

Microsoft will not issue emergency patches for ever.

 

[Staunch]

Time for people to abandon XP and Vista I think.

Microsoft will not issue emergency patches for ever.

exactly and even W7 and W8 , as we see they last solution they pusing users to switch w10.

https://blogs.technet.microsoft.com...e-for-windows-10-creators-update-v1703-draft/

 

[Winter Soldier]

Time for people to abandon XP and Vista I think.

Microsoft will not issue emergency patches for ever.

Fully agree! This could be the "positive" side of this Locky version

 

[ravi prakash saini]

security companies must develop anti ransomware "THOR".However I am immune because I am like odin always sleeping

 

[Winter Soldier]

security companies must develop anti ransomware "THOR".However I am immune because I am like odin always sleeping

LOL, well I have Thanos - The Mad Titan (thanks @BugCode ) so I should be okay

 

[BugCode]

LOL, well I have Thanos - The Mad Titan (thanks @BugCode ) so I should be okay

Bro, you are TOTALLY safe, trust me

 

[ZeroDay]

Conspiracy theory: MS are releasing these Ransomwares to get everyone onto Windows 10. Ha ha, yes that was a joke by the way.

 

[frogboy]

Conspiracy theory: MS are releasing these Ransomwares to get everyone onto Windows 10. Ha ha, yes that was a joke by the way.

You may have a valid point there.