A Chinese version of Locky ransomware has been detected by malware researchers dropping a _HOWDO_text.html file after it encrypts files with the AES-128 and RSA-2048 ciphers and generates a unique decryption key. The Locky ransomware variants have been spreading faster than any other ransomware and have caused immense damage all over the world. Researchers are concerned because Chinese users may now be affected; they strongly advise not to pay any ransom money requested by the cyber-criminals and instead to wait for a decryptor to be released.
What sets the Chinese Locky version apart is that it uses a .html file directly that leads to the payment page, which advertises the “Locky Decryptor” and explains how to access its unique web page via the Onion anonymous network. At this stage, it is not clear whether Locky uses the .odin file extension, which belongs to its latest version, or another file extension instead. News broke that the virus uses custom file extensions for different instances. File extensions such as .COM, .BIN and .CPL have been spotted in the wild and associated with Locky by researchers, as have many others.
For starters, after infection, the typical Locky behavior is exhibited. The malware changes the wallpaper of the infected computer with the same typical Locky ransom note, only in Chinese:
After this has been done, Locky is also pre-configured to drop a ransom-note file called “_HOWDO_text.html”. Unlike the .txt files used in some previous versions of the virus, this instance of Locky uses a .html document to display the same (or a similar) ransom note:
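For defenders triaging a suspected infection, the two artifacts named above (the _HOWDO_text.html ransom note and files renamed with the .odin extension) are simple to sweep for across a file share. The script below is an added example written for this article, not code from the researchers or the tool mentioned here; the sample directory tree it builds is constructed in a temp folder, and the file names inside it are invented for the demonstration.

```python
#!/usr/bin/env python3
"""Sweep a directory tree for the Locky artifacts described in the article:
the _HOWDO_text.html ransom note and files carrying the .odin extension.
Added example for incident triage; not code from the article or any vendor."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note file name reported for this Locky variant (compared case-insensitively).
RANSOM_NOTE_NAMES = {"_howdo_text.html"}
# Encrypted-file extension the article mentions for the current Locky version.
LOCKY_EXTENSIONS = {".odin"}


def scan_for_locky_artifacts(root):
    """Walk `root` and return a summary dict:
      notes           -> sorted list of ransom-note paths found
      encrypted_dirs  -> {relative dir: count of .odin files in it}
      total_encrypted -> number of .odin files found
      likely_infected -> True when both a note and encrypted files are present
    """
    root = Path(root)
    notes = []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = str(Path(dirpath).relative_to(root))
        for name in files:
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(str(Path(dirpath) / name))
            elif Path(lower).suffix in LOCKY_EXTENSIONS:
                per_dir[rel_dir] += 1
    total = sum(per_dir.values())
    return {
        "notes": sorted(notes),
        "encrypted_dirs": dict(per_dir),
        "total_encrypted": total,
        "likely_infected": bool(notes) and total > 0,
    }


def build_sample_tree():
    """Create a constructed sample tree in a temp dir imitating an infected share.
    All file names and contents here are invented for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="locky_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "0A1B2C3D4E5F6071.odin").write_bytes(b"\x00" * 16)
    (root / "docs" / "_HOWDO_text.html").write_text("<html>constructed note</html>")
    (root / "photos").mkdir()
    (root / "photos" / "1122334455667788.odin").write_bytes(b"\x00" * 16)
    (root / "photos" / "99AABBCCDDEEFF00.odin").write_bytes(b"\x00" * 16)
    (root / "clean.txt").write_text("untouched")
    return str(root)


if __name__ == "__main__":
    # Replace build_sample_tree() with a real mount point during an investigation.
    result = scan_for_locky_artifacts(build_sample_tree())
    for note in result["notes"]:
        print("ransom note:", note)
    for d, n in sorted(result["encrypted_dirs"].items()):
        print(f"{n:5d} .odin files in {d}")
    print("likely infected:", result["likely_infected"])
```

Because the article notes that other instances have been seen with custom extensions (.COM, .BIN, .CPL), the `LOCKY_EXTENSIONS` set is the place to add whatever extension a given incident shows; the note-file check is the more reliable signal, since the ransom note name does not change between those instances.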
If you follow the instructions in the ransom note, they lead to a Chinese-language website which, just like those of Bart Ransomware and Zepto Ransomware, advertises the Locky Decryptor and explains how to make a payment to receive it and restore the encrypted files:
Beyond that, the Locky Decryptor Tor web page also supports many other languages, indicating that there may be multiple versions of this ransomware virus specifically designed for every country it attacks:
All of these are strong arguments that Locky is not spread by a single hacking group, but is instead advertised to third-party individuals or groups who help spread it massively all around the world.
What Is The Current Situation With Locky
Malware researchers continue to unite and spread the word about Locky ransomware’s development across research communities. One indicator for that is the newly released LockyDump tool that is open source and assists malware researchers in looking deeper into Locky.
Unfortunately, at this point there is no free decryption available, but in case your computer has been infected by Locky Ransomware, experts recommend immediately eliminating this virus from the infected computer and waiting for a decryptor. One way to eliminate it is to follow our removal instructions below. They also include some alternative methods which you may want to try if you wish to attempt to restore your files by yourself. Bear in mind that these methods are not 100 percent effective: back up your encrypted files before trying them and, of course, use them at your own risk.