Even though Locky’s operators were silent for some time, there has never been any doubt that they would be back, with a new massively spread spam campaign.
It’s September, people are back from vacations, and so is Locky ransomware, slightly upgraded and appending a new file extension to encrypted files. Dubbed the .Ykcol Locky iteration or the .Ykcol file virus, the variant takes its name from that extension, which is nothing but “Locky” spelled backwards. Other changes in this variant of the infamous ransomware include the infection method, the ransom note, and the amount of the ransom.
This time around, the victim is asked to pay 0.25 Bitcoin, or approximately 985 USD, in exchange for their files’ decryption. However, one thing hasn’t changed, and it’s the golden advice to never trust cybercriminals. Paying the ransom not only supports cybercrime but also guarantees nothing: the victim will most likely lose both their files and their money. Instead, the best thing to do is invest in proper backup and anti-malware solutions.
How does the .Ykcol iteration spread? Simply said, the user’s system can be infected by just opening an email attachment.
The .Ykcol iteration of Locky is being distributed in a massive e-mail spam campaign. Users can easily recognize a malicious email by inspecting the subject line, which says “Status of invoice”. Unexpected emails containing this type of document, especially when sent by unknown entities, are a clear indication of malicious intentions.
Researchers were able to determine that such a spam email contains a .7z or a .7zip file attached. The latter contains a VBS script, which upon execution downloads the malicious payload. The payload will then be automatically executed, leading to a successful infection and file encryption.
As for the encryption algorithm, Locky operators claim in all ransom notes that they use RSA-2048 with AES 128-bit ciphers. Each encrypted file is renamed and its extension is changed, so the result looks something like this: 7d0f1033-1bgy-Hja224b-791ea9d1-80e2bb7af.ykcol. The length will always be the same, due to the way the ransomware has been coded.
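As an added example that is not part of the original article, the indicators above (the “Status of invoice” subject, the .7z/.7zip attachment, and the fixed-shape .ykcol filename) turned into a small triage script a mail gateway or endpoint sweep could run. The 8-4-7-8-9 character shape of the stem is an assumption derived from the single sample filename in the text, and all mail and file data below is constructed.

```python
import re
from dataclasses import dataclass

# Indicators taken from the write-up above.
LURE_SUBJECT = "status of invoice"
ARCHIVE_EXTS = (".7z", ".7zip")
# The sample 7d0f1033-1bgy-Hja224b-791ea9d1-80e2bb7af.ykcol has a 40-character stem of
# five hyphen-separated alphanumeric groups (8-4-7-8-9). Treating that exact shape as
# the fixed naming pattern is an assumption based on the one sample in the text.
YKCOL_NAME = re.compile(
    r"^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{7}-[A-Za-z0-9]{8}-[A-Za-z0-9]{9}\.ykcol$"
)


@dataclass
class Mail:
    sender: str
    subject: str
    attachments: list  # attachment filenames


def is_ykcol_lure(mail: Mail) -> bool:
    """Flag a message matching the spam campaign: lure subject plus a 7z archive."""
    subject_hit = mail.subject.strip().lower() == LURE_SUBJECT
    archive_hit = any(a.lower().endswith(ARCHIVE_EXTS) for a in mail.attachments)
    return subject_hit and archive_hit


def is_ykcol_file(name: str) -> bool:
    """True when a filename has the shape Locky gives to encrypted files."""
    return YKCOL_NAME.match(name) is not None


def count_encrypted(names) -> int:
    """Count encrypted files in a listing; even a few means an active infection."""
    return sum(1 for n in names if is_ykcol_file(n))


# Constructed sample data (not from the article).
SAMPLE_MAILS = [
    Mail("billing@example.invalid", "Status of invoice", ["invoice_1234.7z"]),
    Mail("colleague@example.invalid", "Status of invoice", ["notes.pdf"]),
    Mail("unknown@example.invalid", "Re: meeting", ["slides.7zip"]),
]
SAMPLE_FILES = [
    "7d0f1033-1bgy-Hja224b-791ea9d1-80e2bb7af.ykcol",
    "report.docx",
    "A1B2C3D4-EF56-GH78IJ9-KLMN0PQR-STUVWXYZ1.ykcol",
    "backup.ykcol",  # right extension, wrong shape: not counted
]

if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        print(m.subject, m.attachments, "-> quarantine" if is_ykcol_lure(m) else "-> pass")
    print("encrypted files found:", count_encrypted(SAMPLE_FILES))
```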
What should victims do?
In case of an infection with the latest iteration of Locky – the .Ykcol one – removing the ransomware from the system is the first thing to be done, so that its propagation to other computer systems is stopped.
In terms of file encryption, victims may try to restore some of their encrypted data with the help of data recovery software. Unfortunately, there is no guarantee such attempts will be successful.
Also, users should not underestimate the importance of having their machines fully patched and equipped with security solutions. After all, winter is coming, and hackers will become more active with the upcoming winter holidays.
Author Bio: Milena Dimitrova is an inspired writer for SensorsTechForum.com who enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malicious software, she strongly believes that passwords should be changed more often than opinions. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
Milena Dimitrova is a guest blogger, all opinions are her own.