The ransomware that is a mystery wrapped in an enigma inside a riddle for malware researchers has been released in yet another variant. The latest Locky ransomware does not cheat on its roots and uses the .aesir file extension – the name of the old Norse god Æsir, similar to its other iterations – .thor, .locky and .odin. The ransomware has significantly improved its distribution capabilities and can affect even a higher number of users than its previous version. Users who have been infected by this ransom virus, should not follow the instructions set as their wallpaper and not pay any ransom amount requested by cyber-criminals. Instead, we suggest you read this article to become familiar with Locky ransomware and learn how to remove it, backup your files and try to restore them for free.
Image Source:http://vignette3.wikia.nocookie.net
Threat Summary
| Name | Aesir Locky |
| Type | Ransomware, File-Encryption Malware |
| Short Description | The Locky .aesir malware iteration encrypts users files and uses a strong combination of AES and RSA ciphers to encrypt the files on the compromised computer asking the user to pay ransom in Bitcoin to get them back. |
| Symptoms | The user infected by the Aesir Locky variant may witness ransom notes and “instructions” in a text file and as the typical Grey/Pink Locky wallpaper. Locky advertises it’s uniquely made decryptor for the specific infected machine on an online Tor-based web page linked in those instructions. |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. |
| Detection Tool | See If Your System Has Been Affected by Aesir Locky Download Malware Removal Tool |
| User Experience | Join our forum to Discuss Aesir Locky. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
.aesir Extension Locky Ransomware – More Information About It
First, before encrypting the files, this iteration of the Locky virus has to cause the infection first. This is performed by using a combination of sophisticated tools that allow the malware to spread and infect without the user noticing.
.Aesir Ransomware – Distribution and Infection
The first method by which Locky ransomware’s Aesir variant was discovered was a spam message which contained a malicious e-mail attachment as a .zip archive, named “logs_{random-id}.zip”. The contents of the e-mail were the following:
“Dear {First Name},
We’ve been receiving spam mailout from your address recently. Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Edith Hancock
ISP Support Tel.: (840) 414-21-61”
Source:Twitter.com
After the user opens the zip file, he will discover a malicious .js JavaScript file which is with a completely random A-Z, 0-9 name, such as the following:
After the user opens the JavaScript file, the .aesir version of Locky malware connects to a C2 server from one of the many distribution sites of Locky:
After this, the malware downloads a .dll file, again with random names in the %Temp% folder, where more files can be dropped. Not only this, but the Aesir Locky malware also drops an “information.cgi” file in it’s POST traffic, most likely containing a variant of it’s ransom note.
Another scenario of infection by this iteration of Locky ransomware has been reported to be via the social media giant Facebook. Malware researcher Catalin Cimpanu has reported at Bleeping Computer that the Locky has begun to spread over spam messages of malicious .svg files sent directly to the user from suspicious accounts. Spam messages, like Photo_2311.svg being directly sent, are not photos, and users are warned not to open them, since they contain the notorious Nemucod downloader used with Nemucod ransomware and may infect your computer with Locky.
Locky .aesir Extension Ransomware – Post-Infection Activity
Similar to the previous .shit, Locky variant, this type of ransomware uses javascript files and may also use .hta files for the infection. After this infection is caused, the malware may begin to execute the encryption procedure.
This procedure alters the core structure of a given file, rendering it to be no longer openable and the AES (Advanced Encryption Standard) encryption algorithm may be applied to do so. Once this algorithm is applied, the file becomes no longer openable and it’s core code looks like the following example:
After the encryption itself, the encrypted files, which are audio files, videos, pictures, databases, documents and other widely used files appear in a non-icon form with changed names and the .aesir file extension:
After the encryption process has completed, the Aesir version of Locky changes the wallpaper with the same language as it has detected based on the installed Windows:
This wallpaper leads to a web-page of Locky Decryptor which requests from users to convert money in BitCoin and make a ransom payoff to download the tailor made for them decryptor:
Locky Aesir Ransomware – Conclusion, Remove, and Restore Files
As a bottom line, this variant of Locky has numerous developments when it comes to it’s spreading, now supporting the ability to infect via malicious browser extensions, Facebook .svg files and new malicious JavaScript. Until experts manage to come up with a solution for Locky ransomware, advises are to remove all the Locky variants from your computer:
- .shit Locky Iteration(see link in article above).
- .thor Locky virus.
- .locky Ransomware.
- .odin Locky iteration.
- .zepto Variant of Locky.
To remove the .aesir Locky variant, we urge you to first backup all the encrypted files because the ransomware uses a combination of AES and RSA ciphers and has developed a unique key for each file and tampering directly with the virus may break the files indefinitely. This is why we recommend if you do not have the experience to follow the Automatic instructions for removal below.
Regarding file decryption, the only reason malware researchers haven’t broken locky so far is that the virus uses a custom programmed decryptor that corresponds to a unique key for each infection. This makes discovering a common decryptor a very difficult task. However, you may want to try and use our alternative solution methods in step “2. Restore files encrypted by Aesir Locky” below. They are not fully effective but they may help restore at least some of your files since the malware may not have deleted them fully.
