Through a large malspam campaign, Locky is back and is currently being heavily distributed worldwide. While Locky was at one point the most widely distributed ransomware, over time it became far more common to see other families such as Cerber, Spora, and now even GlobeImposter. It is too soon to tell whether this is just another brief surge or an attempt to become a major player again, but what we do know is that this particular campaign is strong and has a wide distribution.
Locky Diablo6 variant being distributed via Spam Emails
Today, security researcher Racco42 discovered a new Locky malspam campaign pushing a new Locky variant that appends the .diablo6 extension to encrypted files. This campaign is being distributed through spam emails with subject lines of the form E [date] (random_number).docx, for example E 2017-08-09 (698).docx. The message body simply states "Files attached. Thanks".
These emails have a ZIP file attached that uses the same name as the subject line and contains a VBS downloader script. The script holds one or more URLs from which it downloads the Locky ransomware executable into the %Temp% folder and then executes it.
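The indicators described above (the subject line pattern, a ZIP attachment named after the subject, a .vbs member inside it, and download URLs embedded in the script) are easy to turn into a mail-gateway triage check. The following Python script is an added example and not code from the original article or from the researcher; the sample email it builds is constructed in memory, the .vbs member name and the example.invalid URLs are assumptions, and the placeholder script contains only URL strings and downloads or runs nothing.

```python
import io
import re
import zipfile

# Subject lines in this campaign look like "E 2017-08-09 (698).docx".
SUBJECT_RE = re.compile(r"^E (\d{4}-\d{2}-\d{2}) \((\d+)\)\.docx$")
# Crude matcher for http(s) URLs embedded as strings in a VBS downloader.
URL_RE = re.compile(r"https?://[^\s\"'&,;()]+", re.IGNORECASE)


def subject_matches_campaign(subject):
    """True if the subject follows the 'E <date> (<number>).docx' pattern."""
    return SUBJECT_RE.match(subject.strip()) is not None


def extract_urls_from_vbs(vbs_text):
    """Return the http(s) URLs found in the script text, de-duplicated, in order."""
    urls = []
    for url in URL_RE.findall(vbs_text):
        if url not in urls:
            urls.append(url)
    return urls


def triage_attachment(subject, attachment_name, zip_bytes):
    """Inspect one email's ZIP attachment and return a dict of findings."""
    expected = subject.strip()
    findings = {
        "subject_pattern": subject_matches_campaign(subject),
        # The article notes the ZIP carries the same name as the subject line.
        "zip_named_after_subject": attachment_name in (expected + ".zip", expected),
        "vbs_members": [],
        "urls": [],
        "suspicious": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # Not a ZIP at all: nothing more to inspect, report what we have.
        return findings
    with zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".vbs"):
                continue
            findings["vbs_members"].append(info.filename)
            text = zf.read(info).decode("latin-1", errors="replace")
            for url in extract_urls_from_vbs(text):
                if url not in findings["urls"]:
                    findings["urls"].append(url)
    # Subject pattern plus a VBS inside the ZIP is the campaign's signature.
    findings["suspicious"] = findings["subject_pattern"] and bool(findings["vbs_members"])
    return findings


def build_sample_email():
    """Construct a sample message in memory (not a real captured sample)."""
    subject = "E 2017-08-09 (698).docx"
    # Assumed member name; the article does not state what the .vbs is called.
    member = subject.replace(".docx", "") + ".vbs"
    # Placeholder script: holds URL strings only, it downloads and executes nothing.
    vbs = (
        "Dim urls\r\n"
        'urls = "http://example.invalid/one.exe http://example.invalid/two.exe"\r\n'
        "' a real downloader would fetch one of these into %Temp% and run it\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, vbs)
    return subject, subject + ".zip", buf.getvalue()


if __name__ == "__main__":
    subj, name, data = build_sample_email()
    for key, value in triage_attachment(subj, name, data).items():
        print(f"{key}: {value}")
```

The URL list is the piece worth feeding onward: those hosts are what a web proxy or DNS filter should block, and the same regex run against the decoded script is a quick way to enumerate every download location a sample carries rather than just the first one it tries. The host-side counterpart is watching for wscript.exe or cscript.exe writing an executable into %Temp% and then launching it.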