December 07, 2016
The infamous Locky ransomware has once again switched to a new extension to append to encrypted files, but reverted to malicious Office documents for distribution, security researchers have discovered.
The latest Locky variant is appending the .osiris extension to encrypted files, marking a switch from the Norse mythology to Egyptian mythology. The change comes only a couple of weeks after Locky was seen using the .aesir extension.
The ransomware has switched between numerous extensions since its initial appearance in February, when it was appending .locky to encrypted files. Some of the best known other variants spotted thus far include Zepto, Odin and Thor.
Also interesting about the new Locky variant is the use of malicious Excel documents for distribution. Attached to spam emails pretending to be invoices, these documents are hidden inside Zip archives. They contain macros that, once enabled, download and install Locky onto the victim’s computer.
As soon as the user opens the Excel spreadsheet, a blank sheet is displayed and the user is prompted to enable macro to view the content. The name of the sheet is “Лист1”, which in Ukrainian means “Sheet1.” According to BleepingComputer, this could be a clear indicator that Locky’s developer is from Ukraine.
As soon as the victim enables the malicious macros, a VBA macro will download a DLL (Dynamic-link library) file and load it using Windows’ legitimate Rundll32.exe program. The downloaded file (which is saved in the %Temp% folder) doesn’t show the DLL extension because it has been renamed, but it will work as any such library was intended to work.
This behavior has been associated with Locky before, especially since the ransomware was seen spreading via DLL files earlier this year, but isn’t limited to this malware family alone. In the case of this Locky variant, the DLL name and the export used to install the threat might vary from one infection to another, researchers say.
Once installed on the victim’s computer, however, Locky would behave the same as before: it would search the local drives and network shares for files to encrypt. The ransomware would rename the encrypted files and also appends the .osiris extension to them.
As soon as the encryption process has been completed, Locky drops a ransom note to inform the victim on what happened to their files. The ransom note’s name has been specifically tailored for the new OSIRIS variant, the researchers say.
To stay protected, users should avoid downloading attachments coming from sources they don’t recognize. They should also pay attention to macro-enabled documents, as they often hide malware. Installing an anti-malware solution and keeping it updated at all times should also help prevent infections from happening.