New Ransomware Version Available

Monday, August 29, 2016 @ 05:08 PM gHale


A new version of the Locky ransomware is now available, and it installs on victims' computers as a DLL file.

The Locky ransomware continues to evolve. The latest change is an update to how Locky reaches its victims and how the encryption process starts.

The latest Locky versions drop DLL files on infected computers, instead of EXE files, said researchers at cyber security provider Cyren. The rest of the infection chain remains as we know it.

Locky reaches victims via spam messages with a ZIP file attached. Unzipping the attachment drops a JavaScript file which, when executed, downloads the DLL file (instead of the classic EXE).

This file injects itself into a process and its malicious code executes, which starts the file encryption operation. Another new feature is that the DLL file uses a custom packer to keep anti-malware scanners from easily detecting it.

This version locks files and appends the .zepto extension to their names, meaning this is a version of the Zepto ransomware, another name for Locky.