In this new Tales from Ransomwhere we discovered the tricks of one of the most infamous families in the landscape of the ransomware: Locky .

Recently (our colleagues from Avira reported it in July) they added a new feature, it includes an offline mode so it is able to encrypt files when the connection to the server is not available. The weak point is that this key is the same for every computer which files are encrypted, that’s why this is just something that is performed when for some reason the C&C server is unavailable.

On top of this now they have changed the way they infect computers. Usually these attacks rely on a small downloader Trojan who downloads and executes the ransomware. For example, when the attack comes from a javascript file, this usually downloads a small executable which only function is to get the ransomware and execute it. As I have explained in previous articles, cybercriminals are all the time making small changes trying to avoid detection from security solutions.

Distribution of new attack

In this case the attack is being distributed through email, we have seen a number of them with a zip file that has a javascript file inside named “utility_bills_copies <random characters>.js”. However there are different versions using different subjects and file types, for example this one:

ransomware panda security


Which inside has the following file:

ransomware zip


They have skipped the downloader Trojan part and the script gets the Locky variant in DLL format (with the downloader in most cases the downloaded file was an EXE), which is executed using Windows rundll32.exe. The first sighting of this was on August 22nd, and so far they keep using the same strategy. As you can see they are launching one wave per week:

Ransomware analytics

The most severely affected territories

We have seen just a few hundred infection attempts mainly in North and South America and Europe, although there are some in Africa and Asia too. In case they get a good return of investment we’ll probably see an increase in the next weeks. Here you can find a few hashes of this Locky variant:

ransomware_list3 (3)