Quick Heal Security Labs is observing the infamous Locky ransomware outbreak which kicked off recently in the last week of September. The outbreak started with spam email with various subjects and different attachment names. On 26th September, spam campaign delivering a new variant of Locky ransomware started. The observed commonality in this campaign was the attachments ended with ‘.7z’ extension. After 26th September, we started seeing many such instances and soon it turned out to be a major outbreak. Let’s take a look at some of the important aspects of this campaign.
A typical infection chain starts with spam email. Below is one such spam email used in this campaign,
Fig 1: Spam e-mail with malicious ‘Invoice’ as an attachment
Few subject names and attachment observed are,
- Invoice PIS7316453
As it can be seen from above, the subject names and attachments are different in every spam e-mail. This is generally done by attackers in order to evade the detection by security products.
The common thing between these emails is the attachments with .7z extensions which contains the malicious VBS file which downloads and launches the ransomware payload.
This variant is almost identical with the other Locky ransomware variants functionality wise with the only exception of the extension used by it for encrypted files. The extension used this time turned out to be an interesting one. It just reversed the previous well-known extension ‘.locky’ to ‘.ykcol’. Below is the screen-shot of the Locky ransom screen.
Fig 2: Locky Ransom screen
Also below HTML file with the same messages is dropped on the root of every drive.
Fig 3: Locky ransom HTML message
Currently there is no decryptor available for any of the Locky ransomware encrypted files and this new version of Locky is no exception to it.
Quick Heal & Seqrite protects against this outbreak of Locky ransomware through its multi-layered security offering.
Indicator of Compromise
Subject Matter Experts
Shalaka Patil|Swapnil Nigade|Shriram Munde
Quick Heal Security Labs