Locky ransomware has a new version. It is very likely an answer to the new Cerber ransomware variant, keeping up the rivalry between the two cryptoviruses. Some of the spam emails are made to look like purchase orders from well-known companies such as Amazon and may be tied to the upcoming Black Friday and Cyber Monday. Your files become encrypted with a new extension, .zzzzz. The new strain of this virus uses a .js file for its payload, but it appears to lack a C&C (Command and Control) server, according to researchers. To see how to remove the ransomware and how you can try to restore your files, carefully read the whole article.
| Short Description | The ransomware encrypts your data and then displays a ransom message with instructions for payment. |
| Symptoms | Encrypted files will have the .zzzzz extension appended to them. |
| Distribution Method | Spam Emails, Email Attachments, .js files |
| Detection Tool | See If Your System Has Been Affected by Locky Ransomware |
| User Experience | Join Our Forum to Discuss Locky Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Locky Ransomware – Infection Spread
The newest version of the Locky ransomware relies on traditional methods for spreading its infection. The cryptovirus uses a spam e-mail campaign that is mainly distributing spoof e-mails of popular sale websites. The body of one such email can be seen below:
Mainly companies such as Royal Mail, FedEx, and DHL Express are mentioned as couriers delivering an order that you or your place of business supposedly made. The sender name and email address look like they belong to a company or business, and the subject line is something like “Order #34342123” (where the numbers are random).
More sets of e-mails are being spread as well. These emails are quite short and state the following:
Dear [your name], our HR Department told us they haven’t received the receipt you’d promised to send them. Fines may apply from the third party. We are sending you the details in the attachment.
Please check it out when possible.
No matter what the e-mail body is, an attachment always comes with the message. The attachment is an archive file, most often a .zip, and that archive contains a .js payload file. The script is malicious and, once executed, will infect you with Locky ransomware. In some countries, loading the payload file still produces the older .aesir extension of Locky. You can see an example of detections for the newest .zzzzz extension on the VirusTotal website below:
It seems that the .js file loads the Trojan downloader known as Nemucod. Affected countries include the United States, Canada, Taiwan, Vietnam and South Africa, according to malware researchers from the MalwareHunterTeam. More countries are targeted, but they may get the .aesir extension instead.
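As an added example, not code from the article or from any vendor, here is Python logic for a mail gateway that inspects an attachment the way the delivery chain above suggests: a .zip carrying a .js (or another Windows script type) member is flagged for quarantine. The sample archive is constructed, and the script extensions beyond .js are assumed additions.

```python
import io
import os
import zipfile

# Extensions Windows runs as scripts on double-click. The campaign above used .js;
# the remaining entries are assumed additions covering the same check.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}


def build_sample_zip() -> bytes:
    """Constructed stand-in for an order_[name].zip attachment; the member is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_john.js", "// inert placeholder, not a real payload\n")
        zf.writestr("readme.txt", "nothing to see here\n")
    return buf.getvalue()


def script_members(attachment: bytes) -> list[str]:
    """Names of archive members with a script extension; [] if the bytes are not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    hits = []
    for name in names:
        # Strip trailing whitespace so "order.js " is not missed, then compare only the last extension,
        # which also catches double extensions such as "invoice.pdf.js".
        ext = os.path.splitext(name.rstrip())[1].lower()
        if ext in SCRIPT_EXTENSIONS:
            hits.append(name)
    return hits


def should_quarantine(filename: str, attachment: bytes) -> bool:
    """Flag a bare script attachment, or a .zip that carries one (the pattern described above)."""
    ext = os.path.splitext(filename.rstrip())[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return True
    if ext == ".zip":
        return bool(script_members(attachment))
    return False
```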
Locky ransomware is also spread around social media sites like Facebook. As a general rule of thumb, avoid all suspicious or unknown links, attachments or files. Before opening any file, always check it with a security program. Read the ransomware prevention tips in our forum to learn about more methods of fighting such threats.
Locky Ransomware – Detailed Analysis
Locky ransomware has been released in a new version with a different extension, .zzzzz. The previous version was released only a few days ago and is still being distributed at the same time as the newest strain of the virus, which emerged earlier today. The emails carry an archive file called order_[your name].zip, which contains the malicious .js script. Some of the download locations can be viewed right here:
Do not open these links, as they contain malware; they are listed purely to inform about known download URLs.
This version of Locky, which uses the .zzzzz extension after encryption, does not use C&C (Command and Control) servers but a .tdb file for its entry point, according to malware researchers.
After the payload executes, your files are encrypted and a ransom note is displayed on your desktop. A copy of the note with the payment instructions is written to files named _1-INSTRUCTION.html.
The ransom note with instructions is set as your desktop background, and it is the same as past iterations:
The text reads the following:
!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, All which is on our secret server.
To receive your private key follow one of the links:
1. [Redacted]
2. [Redacted]
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: [Redacted]
4. Follow the instructions on the site.
!!! Your personal identification ID: [Redacted] !!!
The .html version, loaded in a browser, looks like this:
The Locky cryptovirus will link you to a network domain hidden on the Tor service. The asked price for decryption is 0.5 Bitcoins, which amounts to nearly 370 US dollars. The service looks exactly like the one of its predecessors, as you can see below:
The Locky ransomware is nowhere close to being beaten, as its encryption is strong and researchers have not reported finding flaws in its code. Previous Locky victims have reported that they had no success in recovering their files after paying the ransom to the cybercriminals. So there is no reason to contact the crooks or pay them. So far we only see that the malware creators continue to develop new versions of their ransomware, and they will continue doing so.
Malware researchers have confirmed that the file extensions targeted by the previous variant of Locky are targeted for encryption by this one as well. The list includes more than 450 file extensions:
→.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .602, .7z, .7zip, .ARC, .CSV, .DOC, .DOT, .MYD, .MYI, .NEF, .PAQ, .PPT, .RTF, .SQLITE3, .SQLITEDB, .XLS, .aac, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .aes, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .asc, .asf, .asm, .asp, .aspx, .asset, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bat, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .brd, .bsa, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmd, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csr, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db3, .db_journal, .dbf, .dbx, .dc2, .dch, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .dif, .dip, .dit, .djv, .djvu, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flf, .flv, .flvv, .forge, .fpx, .frm, .fxg, .gif, .gpg, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hpp, .html, .hwp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lay, .lay6, .lbf, .ldf, .lit, .litemod, .litesql, .log, .ltx, .lua, .m2ts, .m3u, .m4a, .m4p, .m4u, .m4v, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mml, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .ms11, .msg, .myd, .n64, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .onetoc2, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, 
.plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rb, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sch, .sd0, .sda, .sdf, .sh, .sldm, .sldx, .slk, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk, .tex, .tga, .tgz, .thm, .tif, .tiff, .tlg, .txt, .uop, .uot, .upk, .vb, .vbox, .vbs, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .wab, .wad, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlc, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip
Encrypted files get the .zzzzz extension, which replaces their original one. The encryption algorithm Locky claims to use is RSA-2048 combined with AES-128.
This latest version of Locky ransomware is highly likely to delete the Shadow Volume Copies on the Windows operating system with the following command:
→vssadmin.exe delete shadows /all /Quiet
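As an added example, not code from the article, here is Python detection logic that flags this shadow-copy deletion in process-creation records and rates it higher when the parent process is a script host, which matches the .js delivery chain described above. The records are constructed in a Sysmon-like key="value" form and are not real logs.

```python
import re

# Constructed process-creation records in a Sysmon-like key="value" form (not real logs).
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\wscript.exe" CommandLine="wscript.exe order_john.js" ParentImage="C:\\Windows\\explorer.exe"',
    'Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /Quiet" ParentImage="C:\\Windows\\System32\\wscript.exe"',
    'Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\\Windows\\System32\\cmd.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# "vssadmin ... delete ... shadows" in any letter case, any spacing and any switch order,
# so "/Quiet /All" and "/all /Quiet" both match.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Parents that indicate a script-launched process, as in the .js attachment chain above.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def parse_event(line: str) -> dict:
    """Turn one key="value" record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify(event: dict):
    """'high' for shadow deletion spawned by a script host, 'medium' for any other shadow deletion, else None."""
    if not SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    return "high" if parent in SCRIPT_HOSTS else "medium"


def scan(lines):
    """Return (severity, command line) for every record that deletes shadow copies."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event["CommandLine"]))
    return hits
```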
Read further to see how to remove this ransomware and to see what methods you can try to decrypt some of your files.
Remove Locky Ransomware and Restore .zzzzz Files
If your computer got infected with the Locky ransomware virus, removing it calls for some experience with malware removal. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware and then follow the step-by-step instructions given below. To see ways you can try to recover your data, see the step titled 2. Restore files encrypted by Locky Ransomware.