Ransomware Switches Extension

Friday, December 9, 2016 @ 04:12 PM gHale

Locky ransomware switched to a new extension to append to encrypted files, researchers said.

The new extension is .osiris, which is a pretty quick change from two weeks ago when it was using the .aesir extension, according to a report from R0bert R0senb0rg.

Agile Botnet Shifts to New Ransomware
SF Metro Victim of Ransomware
Ransomware Decryptor Releases
New Ransomware Versions Release

This is at least the third extension switch as the ransomware used .locky when researchers first discovered it back in February.

This new version is also using malicious Excel documents for distribution. Attached to spam emails pretending to be invoices, these documents end up concealed inside Zip archives. They contain macros that, once enabled, download and install Locky onto the victim’s computer.

As soon as the user opens the Excel spreadsheet, a blank sheet is displayed and the user is prompted to enable macro to view the content. The name of the sheet is “Лист1”, which in Ukrainian means “Sheet1.” This could be a clear indicator Locky’s developer is from Ukraine, said BleepingComputer researchers.

As soon as the victim enables the malicious macros, a VBA macro will download a DLL (Dynamic-link library) file and load it using Windows’ legitimate Rundll32.exe program. The downloaded file (which is saved in the %Temp% folder) doesn’t show the DLL extension because it has been renamed, but it will work as any such library was intended to work.

Locky showed this behavior before. One case is when the ransomware spread via DLL files earlier this year. In this case, the DLL name and the export used to install the threat might vary from one infection to another, researchers said.

Once installed on the victim’s computer, however, Locky would behave the same as before: It would search the local drives and network shares for files to encrypt. The ransomware would rename the encrypted files and also appends the .osiris extension to them.

As soon as the encryption process has been completed, Locky drops a ransom note to inform the victim on what happened to their files. The ransom note’s name has been specifically tailored for the new OSIRIS variant, the researchers said.

Leave a Reply

You must be logged in to post a comment.