A new variant of the Locky ransomware has recently been seen in the wild. According to a report by Malwarebytes Labs from August 9, Locky was using a new file extension called ".diablo6". But more recently, it sported a new ".lukitus" extension as part of a new campaign.
The malware is distributed by the usual method: spam emails. These messages will usually come with an attached Microsoft Office file or a ZIP attachment, both of which contain malicious scripts. Once the file has been downloaded and executed, it will start to encrypt the host computer's files.
It will even take the time to scramble file names, making it hard to determine which is which. Finally, it will append a ".lukitus" extension to all infected files. The downloaded program will disappear, and will be replaced by a file containing the ransom note. Locky currently demands 0.49 Bitcoins, which is equal to roughly $2,200.
Unfortunately, there is no known method to decrypt files infected by this variant of the Locky ransomware. It helps to have an offline backup of files, or you can try restoring encrypted files from Shadow Volume Copies. However, as BleepingComputer puts it, Locky also attempts to delete these snapshots.
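To scope an infection like the one described above and choose a backup that predates it, the following added example (not from Malwarebytes Labs or BleepingComputer) walks a directory tree for the two extensions named in this article and reports how many files match per directory, along with their earliest and latest modification times. The function name, the report keys and the sample file names are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Extensions named in this article for the recent Locky campaigns.
LOCKY_EXTENSIONS = (".diablo6", ".lukitus")


def scope_encrypted_files(root, extensions=LOCKY_EXTENSIONS):
    """Summarise files under root that carry one of the given extensions.

    Returns the total count, a per-directory Counter, and the earliest and
    latest modification times (UTC) of the matching files. The earliest time
    approximates when encryption began on this volume.
    """
    per_dir = Counter()
    mtimes = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            try:
                st = os.stat(os.path.join(dirpath, name), follow_symlinks=False)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            per_dir[dirpath] += 1
            mtimes.append(st.st_mtime)

    def to_utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return {
        "total": len(mtimes),
        "per_dir": per_dir,
        "first_modified": to_utc(min(mtimes)) if mtimes else None,
        "last_modified": to_utc(max(mtimes)) if mtimes else None,
    }


if __name__ == "__main__":
    # Constructed sample tree: empty files with made-up names, not real samples.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        for rel in ("docs/A1B2C3.lukitus", "docs/D4E5F6.diablo6", "docs/notes.txt"):
            open(os.path.join(root, rel), "w").close()
        report = scope_encrypted_files(root)
        print(report["total"], dict(report["per_dir"]), report["first_modified"])
```

Run it against a mounted copy or image of the affected volume rather than the live system, and restore from a backup taken before the reported earliest modification time.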
All things considered, it helps to be careful when opening email attachments, especially when they do not seem to concern us in any way. Keeping antivirus software updated will also help block this rapidly evolving malware in the future.
Source: Malwarebytes Labs, BleepingComputer