Locky returns: the new variant called Diablo6 spreads via malspam

Locky comes back with a new version on August

On August 9th security researcher discovered^[1] the new variant of the infamous Locky ransomware actively spreading via malicious spam emails – Diablo6 ransomware virus. Malware executable is being distributed in the form of ZIP archive that contains a VBS script.^[2] The email itself only includes three words: “Files attached. Thanks.”

The subject line of the infected email has the similar title as the attached archive. It includes letter E, date, random numbers and .doc x file attachment. Therefore, the name might look like “E 2017-08-10 (123).docx.”^[3]

Opening this file leads to the installation and execution of malware payload. Since then all the targeted files are encrypted with RSA and AES ciphers, renamed and locked with .diablo6 file extension.

The specifications of the Diablo6 ransomware

The malicious payload is downloaded to %Temp% directory. However, the downloader is deleted as soon as data encryption is over.

Diablo6 uses the same combination of the RSA-2048 and AES-128 ciphers to encrypt various files on the affected computer. However, malware not only appends the .diablo6 file extension but also rename files with the string of 32 random characters:

[first 8 characters of victim’s ID]-[next 4 characters of victim’s ID]-[next 4 characters of victim’s ID]-[4 random characters]-[12 random characters].diablo6

When malware takes all the files to the hostage, it changes computer’s desktop’s image with diablo6.bmp file and delivers a ransom note called diablo6-[random characters].htm. Both of them inform that data recovery requires paying the ransom.

The new variant of Locky demands 1,600 USD in Bitcoins

The new background picture and the ransom note tells that only Locky Decrypter can recover files having .diablo6 extension. In order to use it, victims are asked to pay 0.49 Bitcoins that equals to 1,600 USD. Is this some of the money worth it? We do not think so.

Ransomware is an illegal money making machine, so you should not give your money to crooks and in the near future experience another Locky attack.^[4] Undoubtedly, the success of the previous creations inspires hackers to continue their job.

Therefore, you should be prepared for the another world wide attack. It’s time to update your backups or finally create them!^[5] However, if you have already suffered from the ransomware, we advise to get rid of it ASAP, try alternative recovery methods, and hope that the official free decryptor will be released soon.