Locky ransomware continues to evolve and has again changed the filename extension it appends to encrypted files, this time using the extension “.osiris” on every file it encrypts.
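A small triage script for the indicator above, added here as an example and not taken from the post or from Anomali's tooling: it walks a directory tree for files carrying the “.osiris” extension and samples each one's byte entropy so an analyst can tell genuinely encrypted output from a merely renamed file. The file names in the constructed sample tree are placeholders, not a claim about how this variant names its output.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension reported for this Locky variant.
OSIRIS_EXT = ".osiris"
# Bits per byte above which a sample is treated as ciphertext-like.
ENCRYPTED_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_for_osiris(root: str, sample_bytes: int = 4096) -> list:
    """Report every *.osiris file under `root` with an entropy reading of
    its leading bytes, so renamed-but-intact files are not miscounted."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(OSIRIS_EXT):
                continue
            path = Path(dirpath) / name
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(sample_bytes))
            findings.append({"name": name, "path": str(path),
                             "entropy": round(entropy, 2),
                             "likely_encrypted": entropy > ENCRYPTED_THRESHOLD})
    return findings


def summarize(root: str) -> dict:
    """Map each flagged file name to whether its content looks encrypted."""
    return {f["name"]: f["likely_encrypted"] for f in scan_for_osiris(root)}


def build_sample_tree() -> str:
    """Constructed test data (hypothetical names): one high-entropy .osiris
    file standing in for encrypted output, one low-entropy renamed text file,
    and one untouched JPEG-like file that must not be flagged."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    (Path(root) / "photo1.jpg.osiris").write_bytes(os.urandom(4096))
    (Path(root) / "notes.txt.osiris").write_bytes(b"plain text " * 400)
    (Path(root) / "photo2.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    for finding in scan_for_osiris(build_sample_tree()):
        print(finding)
```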
Locky will encrypt image files found on the system leaving them inaccessible unless the ransom is paid to acquire the decryption keys.
Figure 1 – Example of image files
Locky ransomware uses an email lure like the one shown in Figure 2 to get victims to open attachments.
Figure 2 – Example of phishing email with Locky downloader attached
After infection, Locky encrypts files, replaces the system's desktop image, and presents an HTML page with the ransom demand.
Figure 3 – Locky ransom demand page and .bmp desktop image
Ransomware like Locky is an ever-present danger in today's threat landscape and, as seen here, is under constant development to increase its chances of evading detection and reaching more victims.
Josh Gomez is a Senior Security Researcher with over fifteen years' experience in the networking and security industries. Prior to Anomali, he was a senior member of FireEye Labs, where he specialized in research and detection of exploit kits, malvertising and crimeware campaigns.