Locky Ransomware Released In New Chinese Variant - How to, Technology and PC Security Forum | SensorsTechForum.com

Locky Ransomware Released In New Chinese Variant

A Chinese version of Locky ransomware has been detected by malware researchers. It drops a _HOWDO_text.html file after it encrypts files with the AES-128 and RSA-2048 ciphers and generates a unique decryption key. The Locky ransomware variants have been spreading faster than any other ransomware and have caused immense damage all over the world. Researchers are concerned because Chinese users may now be affected, and they strongly advise against paying any ransom money requested by the cyber-criminals; instead, victims should wait for a decryptor to be released.

What sets the Chinese Locky version apart is that it uses a .html file directly, which leads to the payment page that advertises the “Locky Decryptor” and explains how to reach its unique web page via the Onion anonymous network. At this stage, it is not clear whether Locky uses the .odin file extension, which belongs to its latest version, or another file extension instead. News broke that the virus uses custom file extensions for different instances. According to researchers, file extensions such as .COM, .BIN and .CPL, as well as many others, have been spotted in the wild in association with Locky.

Whatever the case may be, the malware exhibits the same behavior as Locky. Recent reports by malware researchers indicate that Locky’s latest variants spread via .RAR archives that contain .js (JavaScript) attachments pretending to be legitimate documents, meaning the virus’s payload is downloaded by malicious JavaScript.

For starters, after infection, the typical Locky behavior is exhibited. The malware replaces the wallpaper of the infected computer with the same typical Locky ransom note, only in Chinese:


After this has been done, Locky is also pre-configured to drop a ransom note file called “_HOWDO_text.html”. Unlike the .txt files used in some previous versions of the virus, this instance of Locky uses a .html document to display the same (or a similar) ransom note:


If you follow the instructions in the ransom note, they lead to a Chinese-based website which, just like those of Bart Ransomware and Zepto Ransomware, advertises Locky Decryptor and explains how to make a payment to receive it and restore the encrypted files:


Beyond that, the Locky Decryptor Tor web page also supports many other languages, indicating that there may be multiple versions of this ransomware virus specifically designed for every country it attacks:


All of these are strong indications that Locky is not spread by a single hacking group, but is instead offered to third-party individuals or groups who help spread it massively all around the world.
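As an added defender-side example (not code from the article or from any tool it mentions), the script below triages a file listing for the host indicators the article describes: the “_HOWDO_text.html” ransom note and the file extensions reported for this family. The directory listing, the minimum ratio threshold and the function names are assumptions constructed for the demonstration; .COM, .BIN and .CPL are also legitimate extensions, so the check only flags a directory when a large share of its files carry them.

```python
# Added example, not from the SensorsTechForum article: simple host triage for
# the Locky indicators described in the text. Sample listing is constructed.
from pathlib import PurePosixPath

RANSOM_NOTE = "_howdo_text.html"            # ransom note dropped by this variant
LOCKY_EXTENSIONS = {".odin", ".com", ".bin", ".cpl"}  # extensions reported for Locky

# Constructed directory listing for the demonstration (hypothetical paths).
SAMPLE_LISTING = [
    "/home/user/docs/_HOWDO_text.html",
    "/home/user/docs/7A1B2C3D.odin",
    "/home/user/docs/9F8E7D6C.odin",
    "/home/user/docs/notes.txt",
    "/opt/app/bin/tool.bin",      # a lone .bin in a tool directory is normal
    "/opt/app/bin/README",
    "/opt/app/bin/config.yaml",
]


def triage(paths, min_ratio=0.5):
    """Group paths by directory and report directories that either contain the
    ransom note or where at least min_ratio of the files carry a Locky extension.
    Returns a list of findings (one dict per suspicious directory)."""
    per_dir = {}
    for p in paths:
        path = PurePosixPath(p)
        entry = per_dir.setdefault(str(path.parent),
                                   {"note": False, "total": 0, "suspect": 0})
        if path.name.lower() == RANSOM_NOTE:
            entry["note"] = True          # note itself is not counted as a file
            continue
        entry["total"] += 1
        if path.suffix.lower() in LOCKY_EXTENSIONS:
            entry["suspect"] += 1

    findings = []
    for directory, e in per_dir.items():
        ratio = e["suspect"] / e["total"] if e["total"] else 0.0
        if e["note"] or ratio >= min_ratio:
            findings.append({"dir": directory,
                             "ransom_note": e["note"],
                             "suspect_ratio": round(ratio, 2)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING):
        print(finding)
```

Run it as-is to see the constructed listing flagged; in practice feed it the output of a directory walk and treat a hit as a signal to isolate the host and check backups, not as proof of infection on its own.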

What Is The Current Situation With Locky

Malware researchers continue to unite and spread the word about Locky ransomware’s development across research communities. One indicator for that is the newly released LockyDump tool that is open source and assists malware researchers in looking deeper into Locky.

Unfortunately, at this point there is no free decryption available. If your computer has been infected by Locky Ransomware, experts recommend immediately removing the virus from the infected computer and waiting for a decryptor. One way to remove it is to follow our removal instructions below. They also include some alternative methods which you may want to try if you wish to attempt to restore your files by yourself. Bear in mind that these methods are not 100 percent effective; you should back up your encrypted files before trying them and, of course, use them at your own risk.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
