A new Locky campaign has been discovered which is being distributed through fake ISP complaint e-mails stating that spam has been detected from the computer. These emails contain a subject of Spam mailout and contain a zip attachment with a name like logs_[target_name].zip. Inside this ZIP file is a JS file that when opened will download and execute the Locky ransomware.
An encrypted DLL will be downloaded after the attachment is executed which will decrypt into %Temp% folder of the machine. This DLL file will then be executed using the legitimate WINDOWS program called Rundll32.exe in order to install Locky on the computer.
Once Locky installed onto the computer, it will scan the system for certain file types and encrypt them after which a ransom note will be displayed providing information on how to pay the ransom.
Security researcher, Derek Knight discovered that Locky had also changed the extension for encrypted files to .AESIR from Thor extension. The infection also creates an updated set of ransom notes named “([random_number])-INSTRUCTION.html” and “([random_number])-INSTRUCTION.bmp” to provide victims with a data decryption walkthrough.
The .Aesir Locky Ransomware is one of the newest active strains that is believed to be a part of the Locky malware family and it is still under investigation.
The filename tweaking principle is exactly the same as before: the ransom Trojan still replaces the original values with 5 groups of hexadecimal characters, the number thereof amounting to 32.
This ransomware can be removed with the help of an anti-malware tool or manually, though the latter would be difficult for many users who do not have enough computer knowledge.
It is not possible to decrypt the files but maintaining a backup can prove useful.