Locky Ransomware switches to THOR Extension after being a Bad Malware; New variants of Locky are being released at a rapid rate lately. Yesterday, we had a new variant that appends the .SH*T extension to encrypted files and today they switched to using the .THOR extension. Maybe Locky had its mouth washed out with soap for cursing? Regardless of the reasons for the switch, I am happy as I won't have posts with curse words all over the forums.
The Thor Locky variant being distributed via SPAM Campaigns
This new variant is currently being distributed through a variety of SPAM campaigns with VBS, JS, and other attachments. One SPAM campaign that I have seen has a subject line of Budget forecast and contains a ZIP attachment called budget_xls_[random_chars].zip.
Locky continues to use a DLL Installer
When the Locky SPAM attachments are executed, they will download an encrypted DLL, decrypt it on the victim's computer, and then execute it using Rundll32.exe to encrypt a victim's files.
C:\Windows\SysWOW64\rundll32.exe %Temp%\MWGUBR~1.dll,EnhancedStoragePasswordConfig 147It is not possible to decrypt the Locky Ransomware Thor Variant
Unfortunately, there is still no realistic way to decrypt the Locky Ransomware regardless of the extension.At this time the only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Locky does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.
Source : http://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/
No comments:
Post a Comment