A new variant of Locky ransomware is in circulation now.

Malware, Ransomware, Threat

You heard it right: Locky, the most popular ransomware out there, has launched a new variant into the wild.

The newly released versions make slight, yet very interesting, changes that may affect the way they are detected.

The ever-changing Locky ransomware has just released a new variant that implements new evasion techniques and an adjusted ransom tariff.

Previous versions of Locky are known for being downloaded as a “.dll” file by a JavaScript-based downloader.
The new variant acts much the same, but its JavaScript downloader now pulls a disguised *.TDB file, which is in fact the DLL.

Figure: DLL disguised to TDB file. (Courtesy Check Point)

Researchers at Check Point suspect that the actor behind Locky probably wished to evade security products that already had “signatures” for the previous versions.

As in all previous releases, Locky has changed the extension of encrypted files; this time it is *.zzzzz.
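As an added defender-side example (not code from the original post or from Check Point), the following Python script flags the two file-level indicators described above: a file whose extension is not an executable type but which nonetheless carries a PE header (the “MZ” DOS stub whose e_lfanew field points at a “PE\0\0” signature), like the DLL disguised as *.TDB, and files carrying the *.zzzzz extension. The directory layout, file names and the minimal header bytes are constructed for the demo; the script does not identify Locky itself, only an extension-versus-content mismatch and the new extension.

```python
import struct
import tempfile
from pathlib import Path

# Extensions where a PE header is expected and therefore not suspicious.
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}
# Extension given to encrypted files by the variant described in the post.
LOCKY_EXT = ".zzzzz"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. A short or out-of-range slice is rejected."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_disguised_pe(path: Path) -> bool:
    """A PE image stored under a non-executable extension (e.g. .tdb)."""
    if path.suffix.lower() in EXEC_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4096)  # headers live at the start; no need to read the whole file
    return looks_like_pe(head)


def scan_directory(root) -> dict:
    """Walk root and collect disguised PE files and *.zzzzz files."""
    findings = {"disguised_pe": [], "zzzzz_files": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == LOCKY_EXT:
            findings["zzzzz_files"].append(str(path))
        elif is_disguised_pe(path):
            findings["disguised_pe"].append(str(path))
    return findings


def make_fake_pe_header() -> bytes:
    """Constructed minimal PE header for the demo: MZ stub, e_lfanew = 0x40,
    'PE\\0\\0' at 0x40. It contains no code and is not a loadable image."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def demo() -> dict:
    """Build a constructed sample tree and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "update.tdb").write_bytes(make_fake_pe_header())  # DLL hidden behind .tdb
        (root / "notes.tdb").write_bytes(b"just a text database")  # harmless .tdb
        (root / "report.docx.zzzzz").write_bytes(b"\x00" * 16)     # encrypted by the variant
        (root / "legit.dll").write_bytes(make_fake_pe_header())    # PE under a PE extension
        return scan_directory(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Running the script reports one disguised PE (update.tdb) and one *.zzzzz file; the plain-text .tdb and the real .dll are not flagged. The same header check can be applied to files arriving via a JavaScript downloader before they reach an allow-listed loader path.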

Researchers at Check Point also reported one more behavioral change: this variant sets its ransom demand according to the “class and creed” of the files and the user.

In previous versions, Locky demanded a default ransom of 3 Bitcoins.
Now the payment amount may vary according to factors such as the victim’s characteristics, especially the number of encrypted files. The lowest amount demanded in Check Point’s lab tests was 0.5 Bitcoin.