SAT News: The Return of Locky Ransomware


Once considered the largest distributed ransomware, Locky is back with a malware spam campaign that carries a new variant. The newly discovered variant is distributed through spam emails whose subject line uses the following format: "E [date] (random_number).docx"

Example subject line:

E 2017-08-10 (934).docx

The message body of these malicious emails reads "Files attached. Thanks."

The attachment in the email is a .zip file with a title that matches the subject line, and it contains a VBS downloader script. The script includes one or more URLs that it uses to download Locky.exe to the %Temp% folder and run the malware.

After Locky has been executed, it will scan for files and encrypt them, renaming the files with hexadecimal characters and appending the ".diablo6" file extension.

Once the malware has completed the encryption process, it deletes the Locky executable and displays a ransom note with instructions for paying the demanded fee in Bitcoin. For this new version, the name of the ransom note is "diablo6-[random character string].htm". Currently, the ransom is set to .49 Bitcoin, which equates to about $1,600 at current BTC values.

There is no alternative decryptor available at this time.
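The traits described above can be turned into a simple triage check for mail gateways and file shares. The following is an added example, not code from the original article or from Nuspire; the function names are hypothetical, the sample zip is constructed, and it assumes that a zip title "matching" the subject means the two share the same base name.

```python
import io
import re
import zipfile
from pathlib import PurePath

# Subject format from the article: "E [date] (random_number).docx"
SUBJECT_RE = re.compile(r"^E \d{4}-\d{2}-\d{2} \(\d+\)\.docx$")
BODY_TEXT = "Files attached. Thanks."
# Ransom note name from the article: "diablo6-[random character string].htm"
NOTE_RE = re.compile(r"^diablo6-[^.]+\.htm$", re.IGNORECASE)


def email_indicators(subject, body, attachment_name, attachment_bytes):
    """Return the list of campaign traits a message matches."""
    hits = []
    if SUBJECT_RE.match(subject.strip()):
        hits.append("subject_format")
    if body.strip() == BODY_TEXT:
        hits.append("body_text")
    name = PurePath(attachment_name)
    if name.suffix.lower() == ".zip":
        # Assumption: "matches the subject line" means same base name.
        if name.stem == PurePath(subject.strip()).stem:
            hits.append("zip_named_after_subject")
        try:
            with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
                if any(n.lower().endswith(".vbs") for n in zf.namelist()):
                    hits.append("vbs_in_zip")
        except zipfile.BadZipFile:
            # Malformed archives cannot be inspected; flag for manual review.
            hits.append("unreadable_zip")
    return hits


def host_indicators(filenames):
    """Split a directory listing into encrypted files and ransom notes."""
    encrypted = [f for f in filenames if f.lower().endswith(".diablo6")]
    notes = [f for f in filenames if NOTE_RE.match(f)]
    return encrypted, notes


def build_sample_zip(member_name):
    """Constructed sample: a zip holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "' placeholder, not a real script")
    return buf.getvalue()
```

A message that matches several traits at once is a stronger signal than any single match, since a .vbs file inside a zip or a short body text can also appear in unrelated mail.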
