
Locky Ransomware Released In New Chinese Variant

A Chinese version of Locky ransomware has been detected by malware researchers. It drops a _HOWDO_text.html file after it encrypts files with the AES-128 and RSA-2048 ciphers and generates a unique decryption key. The Locky ransomware variants have been spreading faster than any other ransomware and have caused immense damage all over the world. Researchers are concerned because Chinese users may now be affected, and they strongly advise not to pay any ransom money requested by the cyber-criminals and instead to wait for a decryptor to be released.

The Chinese Locky version differs in that it directly uses a .html file that leads to the payment page, which advertises the “Locky Decryptor” and explains how to access its unique web page via the Onion anonymous network. At this stage, it is not clear whether this variant uses the .odin file extension, which is the latest one used by Locky, or another file extension instead. News broke that the virus uses custom file extensions for different instances: extensions like .COM, .BIN and .CPL, as well as many others, have been spotted in the wild and associated with Locky by researchers.

Whatever the case may be, the malware exhibits the same behavior as Locky. Recent reports by malware researchers indicate that Locky’s latest variants spread via .RAR archives containing .js (JavaScript) attachments that pretend to be legitimate documents, meaning the virus’s payload is downloaded by malicious JavaScript.

For starters, after infection the typical Locky behavior is exhibited. The malware replaces the wallpaper of the infected computer with the typical Locky ransom note, only in Chinese:

(Screenshot: Chinese-language Locky ransom-note wallpaper)

After this, Locky is also pre-configured to drop a ransom-note file called “_HOWDO_text.html”. Unlike the .txt files used in some previous versions of the virus, this instance of Locky uses a .html document to display the same (or a similar) ransom note:

(Screenshot: the _HOWDO_text.html ransom note)

If you follow the instructions in the ransom note, they lead to a Chinese-language website which, just like those of Bart Ransomware and Zepto Ransomware, advertises the Locky Decryptor and how to make a payment to receive it and restore the encrypted files:

(Screenshot: the Chinese version of the Locky Decryptor page opened in the Tor Browser)

Moreover, the Locky Decryptor Tor web page also supports many other languages, indicating that there may be multiple versions of this ransomware specifically designed for every country it attacks:

(Screenshot: language selection on the Locky Decryptor page)

All of this strongly suggests that Locky is not spread by a single hacking group, but is instead advertised to third-party individuals or groups who help spread it massively all around the world.

What Is The Current Situation With Locky

Malware researchers continue to unite and spread the word about Locky ransomware’s development across research communities. One indicator of that is the newly released, open-source LockyDump tool, which assists malware researchers in looking deeper into Locky.

Unfortunately, at this point there is no free decryption available, but in case your computer has been infected by Locky Ransomware, experts recommend immediately eliminating this virus from the infected computer and waiting for a decryptor. One method is to follow our removal instructions below. They also include some alternative methods which you may want to try if you wish to attempt to restore your files by yourself. Bear in mind that these methods are not 100 percent effective: you should back up your encrypted files before trying them and, of course, use them at your own risk.
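As an added defender-side example (not code from the article or from SensorsTechForum), the following Python script looks for the artifacts described above, the _HOWDO_text.html ransom note and files carrying the .odin extension, and copies suspected encrypted files aside before any recovery attempt, as the advice above calls for. The extension list and the constructed sample tree are assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article: the ransom-note name the Chinese variant drops
# and the .odin extension of recent Locky builds. The extension set is an assumption
# to tune per incident, since the article says the Chinese variant's is unconfirmed.
RANSOM_NOTE_NAMES = {"_howdo_text.html"}
LOCKY_EXTENSIONS = {".odin"}

def scan_for_locky(root, extensions=LOCKY_EXTENSIONS):
    """Walk root; return (dirs holding a ransom note, suspected encrypted files)."""
    note_dirs, encrypted = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                note_dirs.append(str(path.parent))
            elif path.suffix.lower() in extensions:
                encrypted.append(str(path))
    return sorted(note_dirs), sorted(encrypted)

def backup_encrypted(files, src_root, backup_root):
    """Copy suspected encrypted files under backup_root, keeping relative paths and
    timestamps, so a failed recovery attempt never damages the only copy."""
    copied = []
    for f in files:
        dest = Path(backup_root) / Path(f).relative_to(src_root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, dest)  # copy2 preserves mtime for timeline reconstruction
        copied.append(str(dest))
    return copied

def demo():
    """Build a constructed sample tree (not real malware output), scan it, back up hits."""
    root = Path(tempfile.mkdtemp(prefix="locky_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "_HOWDO_text.html").write_text("<html>constructed note placeholder</html>")
    (root / "docs" / "report.odin").write_bytes(b"\x00" * 16)  # stand-in for an encrypted file
    (root / "docs" / "notes.txt").write_text("untouched")
    notes, encrypted = scan_for_locky(root)
    backed_up = backup_encrypted(encrypted, root, root / "_backup")
    return notes, encrypted, backed_up

if __name__ == "__main__":
    print(demo())
```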

Manually delete Locky from your computer

Note! Important notice about the Locky threat: manual removal of Locky requires interfering with system files and registry entries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Locky files and objects
2. Find malicious files created by Locky on your PC

Automatically remove Locky by downloading an advanced anti-malware program

1. Remove Locky with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Locky
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

