![\"Enabling](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/07\/docm-file-security-warning.png\" "\\"Enabling")
<\/a>Upon intrusion, Locky version 1 would scan the hard disk, removable drives and mapped network shares for the user\u2019s personal files. Everything detected in the course of this data scouring was subject to strong encryption. The ransomware used two different cryptosystems to deny the availability of files, namely RSA-2048 and AES-128<\/a>. Filenames would change as well, morphing into unrecognizable entities similar to 7185F1FG7823F1F53N94DBB58671A345.locky<\/strong>. These were strings consisting of 32 hexadecimal chars followed by the .locky extension.<\/p>\n The ransomware also added ransom notes called \u201c_Locky_recover_instructions.txt<\/strong>\u201d to encoded folders and the machine\u2019s desktop. It also changed the desktop background to a pre-designed image holding the same recovery instructions, including the user\u2019s personal ID. According to these, the victim had to visit a site called the Locky Decryptor Page and use further details on it to submit 0.5 Bitcoins to the criminals. At that point, this sample stood out from the crowd because its code had no apparent flaws and the cryptographic facet was immaculate.<\/p>\n Locky version 2 went live at the beginning of August 2016. It combined deep-level tweaks with external adjustments made to the original infection. This edition concatenated the .zepto extension<\/a> to one\u2019s encrypted files, which is why the security community called it this way. As opposed to its precursor, the updated ransomware modified filenames according to a new pattern. Specifically, it replaced them with the same number of characters (32) but broke the strings down into five parts with hyphens linking them. For instance, a random affected file assumed a form like this: 015DBF10-32D2-FNI4-F058-F286E992B714.zepto<\/strong>.<\/p>\n A new set of ransom manuals is another change included in the Zepto release. A combo of files called \u201c_HELP_instructions.html<\/strong>\u201d and \u201c_HELP_instructions.bmp<\/strong>\u201d took over the previous \u201c_Locky_recover_instructions.txt<\/strong>\u201d note. The structure of these help documents remained the same. Another invariable thing was the desktop background, which reflected the preliminary recovery steps just like before.<\/p>\n What did undergo an alteration, though, was the encryption method leveraged by some affiliates of the Locky hoax. The bad guys tried their hand at applying a cipher without requesting a public crypto key from a Command and Control server. When in this mode dubbed \u201cautopilot\u201d, the infection could do its filthy data scrambling job without being detected by firewalls and antimalware suites, which may identify suspicious traffic between an offending program and its C2 page. However, this technique had some shortcomings for the attackers. The main one is that it became impossible to track the number of ransomware installations, so the statistics weren\u2019t as informative.<\/p>\n The proliferation method used to infect computers with Zepto was no longer backed by macros exploitation. Instead, the extortionists leveraged spam emails with ZIP archives that contained JS or WSF files. These malicious entities would be masqueraded as invoices, receipts, CVs or cancellation requests. Once a user clicked on them, the bad scripts would stealthily install the ransomware onto the system.<\/p>\n When it seemed that Locky operators were up to switching to offline encryption irrevocably, the third \u201cOdin\u201d variant<\/a> proved the opposite. The criminals in charge reversed to the use of Command and Control servers for secret keys. It\u2019s hard to say for sure why this move backward happened. Some researchers speculate that the black hats couldn\u2019t tolerate the fact that the distribution statistics were incomplete. This edition appeared in late September, about two months after its forerunner Zepto emerged.<\/p>\n Along with downgrading the file encoding principle, Locky developers made a few more changes to their program. It appended the .odin tail to every skewed file. Filenames got renamed according to the same pattern that the Odin spinoff used. Victims learned the recovery steps from ransom manuals now named \u201c_HOWDO_text.html<\/strong>\u201d and \u201c_HOWDO_text.bmp<\/strong>\u201d. The ransom was still payable in Bitcoins and amounted to 0.5 BTC. To submit it, the infected users had to visit the already familiar Locky Decryptor page.<\/p>\n Looking back at the fourth edition of Locky, it\u2019s not clear whether it was a joke or a failed spinoff. This one was discovered<\/a> in late October. Its main distinguishing property was the .shit extension being added to the names of encrypted files. The ransom instructions were provided through documents called \u201c_WHAT_is.html<\/strong>\u201d and \u201c_WHAT_is.bmp<\/strong>\u201d. So much for the external modifications.<\/p>\n The propagation methodology exhibited a clear-cut focus on the spam vector. By leveraging a large botnet, the perpetrators launched a massive spam campaign that generated thousands of rogue emails on a daily basis. These emails were intended to dupe people into opening a malicious attachment that came in the form of a JS, WSF or HTA file enclosed within a ZIP archive. A significant change regarding the data encoding part of the modus operandi was that this variant switched back to the \u201cautopilot\u201d mode. The malefactors have been, obviously, trying to strike a golden mean between code obfuscation and stats tracking, so they keep experimenting with offline crypto.<\/p>\n It took Locky devs a record-breaking time span of under 24 hours to switch from the .shit extension variant to a new edition. The successor uses the .thor string<\/a> to label one\u2019s affected files. The crooks leverage an encrypted DLL installer to execute the ransomware on computers. The configuration file contains a number of interesting hard-coded parameters. One of them instructs the infection to cease an attack if it discovers that the target system uses Russian as the default interface language. Furthermore, almost half of the Command and Control servers are located in Russia. These may be indicators of the criminals\u2019 origin.<\/p>\n The Thor iteration transforms one\u2019s documents, images, databases, videos and other personal files into entries like ST8DRHBA-FG1M-XG4S-00F9-0B9157A80190.thor<\/strong>. Consequently, not only is it impossible to open them due to cryptographic changes, but it\u2019s also unfeasible to work out what specific objects have been encoded. The ransomware drops decryption help files called \u201c_WHAT_is.html\/.bmp<\/strong>\u201d. As before, these manuals, along with a warning wallpaper on the desktop, tell the victim to follow one of several available Tor links and thus visit the Locky Decryptor page.<\/p>\n The size of the ransom is still 0.5 Bitcoins, or about 350 USD. Overall, the use of digital cash is an immutable trend with online extortionists, because it helps them stay on the loose due to its inherent anonymity attributes. If the rest of the attack technicalities, including the data encryption process, are implemented immaculately, a ransomware sample is double trouble. Unfortunately, all of Locky\u2019s spinoffs are like that.<\/p>\n The next interjacent strain of the Locky epidemic continues the Norse mythology theme, where Aesir<\/a> denotes a pantheon of warrior gods. In ransomware terms, this word serves as the new extension being subjoined to one\u2019s encrypted files. This variant replaces the name of a random scrambled entry with hexadecimal characters according to the following pattern: [8_chars]-[4_chars]-[4_chars]-[4_chars]-[12_chars].aesir<\/strong>. Compared to the previous Locky spinoff, the renaming template is identical except for the extension.<\/p>\n The Aesir edition proliferates over email spam and a fairly uncommon Facebook phishing trick. The former method mainly relies on phony messages with the subject \u201cSpam mailout\u201d that misinform a victim of suspicious activity allegedly emanating from their address. The attachment, which is claimed to be the contents and logging of these purported spam messages, will execute the ransomware as soon as the unsuspecting recipient opens it. The distribution campaign on Facebook revolves around a malicious .svg image file that\u2019s sent to users over Facebook\u2019s Instant Messaging system.<\/p>\n The ransom notes created by the Aesir variant convey the same instructions as before. Their names, however, have been changed to -INSTRUCTION.html<\/strong>, _[random_number]-INSTRUCTION.html<\/strong>, and -INSTRUCTION.bmp<\/strong>. The desktop background with a warning message didn\u2019t undergo any tweaks. Unfortunately, one more thing that the .aesir file ransomware edition has inherited from its forerunners is professional crypto. It is therefore still uncrackable, so users should be on the lookout for spam received over email or via social networking sites.<\/p>\n The first spam wave disseminating the .zzzzz file variant<\/a> of Locky was spotted on November 24, 2016. Most of these rogue emails were camouflaged as order receipts and ISP complaints. The social engineering component of the latter theme was based on purported violations of an Internet Service Provider\u2019s terms of service through spam traffic allegedly emanating from the recipient\u2019s computer. This is irony of a sort \u2013 actual spam emails accusing users of sending spam. Strangely enough, it works.<\/p>\n The phish would engage ZIP attachments with JavaScript objects inside. When opened, the JS file downloads a malicious DLL and configures the host system to execute it with a Windows host process called Rundll32. This knotty workflow is implemented for a reason: it contributes to the AV evasion part of the ransomware compromise.<\/p>\n Just like the previous version, the Zzzzz alias of Locky scrambles filenames using randomly generated hexadecimal characters. Furthermore, it sticks with the same ransom note names, which are -INSTRUCTION.html<\/strong>, _[random_number]-INSTRUCTION.html<\/strong>, and -INSTRUCTION.bmp<\/strong>. On the outside, the only conspicuous change is the .zzzzz file extension. Another cross-version common denominator is that the InfoSec community is still helpless when it comes to decrypting Locky-mutilated data.<\/p>\n Having stepped away from the mythological version-naming paradigm for a while, Locky devs opted back in. The .osiris file edition<\/a> of the ransomware was out on December 5, 2016. It brought about several novel things as compared to the Zzzzz predecessor. First of all, the .osiris extension makes a whole lot more sense in the overall Locky family context. Secondly, the new iteration leaves a different set of ransom manuals, namely OSIRIS-[4_chars].htm<\/strong> and OSIRIS.bmp<\/strong>. The BMP file replaces the victim\u2019s original desktop wallpaper.<\/p>\n![\"Modified](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/06\/help_instructions-bmp.png\" "\\"Modified")
<\/a>Offline encryption experiments of the Zepto variant<\/h3>\n
![\"Files](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/06\/zepto-files.png\" "\\"Files")
<\/a>![\"_HELP_instructions.html](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/11\/help_instructions-html.png\" "\\"_HELP_instructions.html")
<\/a>Locky version 3: a step back cryptography-wise<\/h3>\n
![\"The](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/09\/odin-ransomware.png\" "\\"The")
<\/a>The short-lived \u201cShit\u201d version<\/h3>\n
![\"Adverse](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/10\/demands-of-the-shit-ransomware.png\" "\\"Adverse")
<\/a>Thor, another evil character in the Locky saga<\/h3>\n
![\"The](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/10\/thor-ransomware-effects.png\" "\\"The")
<\/a>![\"Locky](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/10\/locky-decryptor.png\" "\\"Locky")
<\/a>The Aesir descendant of Locky<\/h3>\n
![\"Locky\u2019s](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/11\/aesir-variant.png\" "\\"Locky\u2019s")
<\/a>![\"Rogue](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/11\/spam-email-distributing-aesir-virus.png\" "\\"Rogue")
<\/a>New derivative using the .zzzzz extension<\/h3>\n
![\"Locky](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/11\/zzzzz-ransomware.png\" "\\"Locky")
<\/a>Mythology theme revived in the Osiris variant<\/h3>\n
![\"Ransom](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/12\/encrypted-osiris-files.png\" "\\"Ransom")
<\/a>
![\"Excel](\"https:\/\/myspybot.com\/wp-content\/uploads\/2016\/11\/osiris-excel-macros.png\" "\\"Excel")
<\/a>