Locky Ransomware Drops Offline Mode

Oct 03, 2016 | 1:47 pm

Published by | Chandan Singh


Locky, one of the most prolific ransomware families this year, has changed its modus operandi once again by adopting a new extension that is appended to encrypted files.

Initially observed in February, when it stood out because it could encrypt files on unmapped network shares, Locky originally renamed encrypted files to [unique_id][identifier].locky. At the beginning of the summer, researchers revealed that Locky had switched to the .zepto extension, which has since been used in multiple campaigns.

Now, Locky is appending the .ODIN extension to encrypted files, which is bound to create some confusion, as victims might believe they have been infected with a brand new ransomware. However, Bleeping Computer’s Lawrence Abrams notes that this is not the Odin ransomware but the well-known Locky, now using the .ODIN extension rather than .zepto.

Just as before, the new variant is distributed via spam emails carrying script files as attachments. Once the recipient opens the attachment, the malicious code in these script files downloads an encrypted DLL installer, then decrypts and executes it to infect the system with Locky.

Once executed, the ransomware encrypts the user’s files, renames them, and appends the .ODIN extension. The malware then drops ransom notes on the system to inform the user of the attack. In this new variant, the names of the ransom notes have been changed to _HOWDO_text.html, _HOWDO_text.bmp, and _[2_digit_number]_HOWDO_text.html.
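As an added defender-side example (not code from the article, Avira or Bleeping Computer), the following Python scans a file listing for the renaming and ransom-note patterns described above; the hexadecimal form assumed for the [unique_id][identifier] stem and the sample paths are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# File-name indicators from the article: encrypted files renamed to
# [unique_id][identifier].locky / .zepto / .odin, and ransom notes named
# _HOWDO_text.html, _HOWDO_text.bmp or _[2_digit_number]_HOWDO_text.html.
ENCRYPTED_EXTS = {".locky", ".zepto", ".odin"}
RANSOM_NOTE_RE = re.compile(r"^_(?:\d{2}_)?HOWDO_text\.(?:html|bmp)$", re.IGNORECASE)
# Assumption (not stated in the article): the [unique_id][identifier] stem is
# hexadecimal, possibly dash-separated, and at least 16 characters long.
ENCRYPTED_STEM_RE = re.compile(r"^[0-9A-F-]{16,}$", re.IGNORECASE)


def _posix(path):
    # Normalise Windows separators so one set of checks serves both path styles.
    return PurePosixPath(path.replace("\\", "/"))


def classify(path):
    """Return 'encrypted', 'note', or None for one file path."""
    p = _posix(path)
    if RANSOM_NOTE_RE.match(p.name):
        return "note"
    if p.suffix.lower() in ENCRYPTED_EXTS and ENCRYPTED_STEM_RE.match(p.stem):
        return "encrypted"
    return None


def scan(paths):
    """Summarise Locky indicators in a file listing. 'hit' is only set when a
    ransom note shares a directory with at least one renamed file, so a stray
    copy of the note (e.g. in a mail quarantine folder) does not alert alone."""
    found = {"encrypted": [], "note": []}
    for path in paths:
        kind = classify(path)
        if kind:
            found[kind].append(path)
    exts = {_posix(p).suffix.lower().lstrip(".") for p in found["encrypted"]}
    note_dirs = {str(_posix(n).parent) for n in found["note"]}
    enc_dirs = {str(_posix(e).parent) for e in found["encrypted"]}
    return {**found, "variants": sorted(exts), "hit": bool(note_dirs & enc_dirs)}


# Constructed sample listing (not real victim data) mixing Locky artefacts with normal files.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\F67091F1D24A922B1A7FC27E19A9D9BC.odin",
    r"C:\Users\alice\Documents\_HOWDO_text.html",
    r"C:\Users\alice\Pictures\024BCD33-41D1-ACD3-3EE8-5C1B60C9A43E.odin",
    r"C:\Users\alice\Pictures\_07_HOWDO_text.html",
    r"C:\Users\alice\Downloads\invoice.odin",  # ordinary name: not Locky's rename pattern
]
```

Running `scan(SAMPLE)` reports two renamed files, two notes, the `odin` variant and `hit: True`; pointing it at a directory walk of a file server catches the .locky and .zepto naming too.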

Recently, Locky also returned to using a command and control (C&C) server, after switching to an offline mode back in mid-July. At the time, the change made it more difficult for admins and security researchers to stop Locky infections, because blocking its C&C communications no longer had the desired effect.

Now, Avira researchers reveal that the ransomware has switched back to using C&C servers, while also noting that only a few affiliates continue to use the offline-only mode. While there is no information on what exactly prompted Locky’s operators to reverse the change, Avira explains that the use of an offline mode was a double-edged sword for the cyber criminals.

“On one hand, by not giving C&C information – and an Internet protocol address – it lets the Locky network keep well concealed from law enforcement and security researchers. But on the other hand, it reduces the feedback the cyber criminals can acquire on the potency of specific Locky distribution campaigns run by their affiliates,” Avira notes.

Source: Securityweek