The “New” .loptr Locky
The updated version of Locky was pretty far away from what it’s authors imagined it to be. They have configured it to infect all types of Windows versions, but it somehow failed to encrypt files on newer Windows OS’s, like 8.1 and 10, because of some security features embedded in them. But malware researchers have also managed to identify that despite this, many Windows Vista and XP users were affected by the malware. These operating systems account for a smaller part of the Windows users, but it can still do some decent damage despite that. The Locky virus still uses the last extension it was spotted with – .loptr. It is added to the encrypted files, making them no longer able to be opened and look like the following:
Other changes of the Locky ransomware, were focused within the infection process of the malware. The locky virus uses spam e-mails that have malicious .ZIP files embedded in them, Researchers have detected the new messages to be posing as order information notifications. One e-mail had the following content:
Please find attached file containing your order information.
If you have any further questions regarding your invoice, please call Customer Service.
Please do not reply directly to this automatically generated e-mail messages
Customer Service Department
The e-mails would ideally have a .zip file that has random name, like 883849241.zip and when downloaded, the .ZIP file drops a payload with a random file name, located in the %Temp% directory. The file has a random name, for example “INV-02471428,exe”.
Other updates of the ransomware include new protection software that shuts the virus down if it is ran on a Virtual Machine, preventing researching and testing it.
Besides this, the ransom note, remains rather similar:
The file extensions which Locky ransomware attacks on the infected computers are reported to be the following:
→ .yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key
The Updates on Cerber Ransomware
The most dangerous and widespread ransomware virus for Windows 10 is now here with some incremental changes made to it as well. For starters, it has changed the name of it’s ransom note, which is something that the developers of Cerber ransomware do every time they release an updated version – to change the .hta and .txt files and change the name of the note in the wallpaper as well. The new ransom note is named “_R_E_A_D___T_H_I_S___” and follows a random identification A-Z 0-9 letters and numbers. The wallpaper of the ransomware looks like the following:
The encrypted files by the latest Cerber ransomware iteration still remain to have a completely random file extensions, for example:
Some of the files are most likely there to resemble legitimate Windows processes while the malware is actively encrypting the files on the compromised computer. The same file types as the older version are used and the most significant difference is that this time Cerber demands a significantly higher payoff, according to it’s Tor-based web page:
Conclusion, Protection and How to Remove Cerber and Locky and Restore Your Files
The new versions of those viruses are here and they are not just any ransomware infections, but the two biggest players ever to attack the world. They may not have been as impactful as the ransom worm WannaCry, but over time their developers have made much more money than this virus and they have still remained persistent as ever. History shows that every time these new versions are updated, new spam campaigns over e-mail always follow. While Locky has already proven that by returning, they may reinitiate their spam campaign against Windows 10 machines as well. And as for Cerber, we are yet to see the newer version In massive action.
If you have become a victim of those versions of the viruses, at this point you can try using the removal and file recovery solutions for their older variants which we have listed below:
In case you want to learn more about how to protect yourself from malicious archives, we advise scanning them before actually falling in these viruses’ trap. One free online archive scanning service which you can use is called ZipeZip.