The virus switches to a new disguise
Locky developers proceed with the IKARUSdilapidated campaign and have released a new version of Locky which appends a different extension, .asasin. Like its predecessors, Lukitus and Ykcol, the ransomware keeps relying on spam campaigns. This time the malware arrives in emails titled “Document invoice_95649_sign_and_return.pdf is complete”. Let us look through what is already known about this version.
Locky distributors messed up
It seems that the latest version has been launched by non-native English speakers, as they obviously did not pay attention to the aesthetics. On the other hand, the virus maintains its aggressive behaviour as usual: it encrypts the files. Unfortunately, since the emergence of the original virus last year, no viable decryption software has been released.
Besides the new extension, this time the distributors made a fatal mistake and failed to attach the malicious attachment properly. The developers placed a broken link to a .7z archive, which appears as a block of encoded text.
If the attachment had been set up properly, it would contain a VBS script that downloads the ransomware executable from a remote web page and runs it. This time the perpetrators disguise themselves under the name of the legitimate service RightSignature. The malicious emails are supposedly sent from firstname.lastname@example.org.
After that, the virus behaves as usual. After completing the encryption procedure, the names of the affected files are changed to the form [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].asasin.
Additionally, the malware drops asasin.htm and asasin.bmp files. They display the same information as other versions of the notorious virus. The asasin.htm page directs users to the Locky Decrypter page. At the moment, the felons demand 0.25 BTC. Though the previous extension demanded the same amount of ransom in the beginning, later on it raised the ransom up to 0.5 BTC.
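The renamed-file pattern and the two dropped note files described above are the most useful host-level indicators for an incident responder. The following is an added example (not code from the original article or from any vendor tool) that parses the .asasin naming scheme, groups encrypted files by the 16-hex-character victim ID embedded in each name, and flags the ransom-note artefacts; the sample file listing is constructed for illustration and the regex treats the ID as exactly the first 8-4-4 hex groups, as the article's description implies.

```python
import re
from collections import defaultdict

# Locky ".asasin" file-name pattern as described in the article:
# 8 hex - 4 hex - 4 hex (together the 16-hex-char victim ID), then
# 4 hex - 12 hex (per-file part), then the .asasin extension.
ASASIN_NAME = re.compile(
    r"^(?P<id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})"
    r"-(?P<rand>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\.asasin$"
)

# Ransom-note files dropped beside the encrypted data (from the article).
RANSOM_NOTES = {"asasin.htm", "asasin.bmp"}


def parse_asasin_name(filename):
    """Return (victim_id, per_file_part) for a Locky .asasin name, else None."""
    m = ASASIN_NAME.match(filename)
    if not m:
        return None
    return m.group("id").upper().replace("-", ""), m.group("rand").upper()


def scan_for_asasin(paths):
    """Group encrypted-file paths by victim ID and collect ransom-note paths."""
    by_victim = defaultdict(list)
    notes = []
    for path in paths:
        name = path.rsplit("/", 1)[-1]
        if name.lower() in RANSOM_NOTES:
            notes.append(path)
            continue
        parsed = parse_asasin_name(name)
        if parsed:
            by_victim[parsed[0]].append(path)
    return dict(by_victim), notes


# Constructed sample listing for a hypothetical file share (not real IoCs).
SAMPLE_PATHS = [
    "/srv/share/0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9.asasin",
    "/srv/share/0A1B2C3D-4E5F-6071-1111-222233334444.asasin",
    "/srv/share/asasin.htm",
    "/srv/share/asasin.bmp",
    "/srv/share/quarterly_report.xlsx",
    "/srv/share/notes.asasin",  # wrong shape: not a Locky-generated name
]

if __name__ == "__main__":
    victims, found_notes = scan_for_asasin(SAMPLE_PATHS)
    for vid, files in victims.items():
        print(f"victim id {vid}: {len(files)} encrypted file(s)")
    print("ransom notes:", found_notes)
```

On a real host, feed the function the output of a recursive directory walk; a single victim ID across many files confirms one infected session, while a file named *.asasin that fails the pattern is not from this variant.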
Locky prevention measures
Neither of the ransomware versions is decryptable. Nonetheless, paying the ransom might turn out to be a futile option. Bear in mind that Locky authors have picked up the habit of disguising themselves under the names of legitimate companies.
If you are indeed waiting for a response from an official institution, ask them again whether the attachment is genuine. Otherwise, it may be a disguise for one of the most troublesome ransomware families in cyberspace history.