Locky Ransomware Renames Encrypted Files with Lukitus Extension

An extremely efficacious ransomware family is back yet again as it runs one fresh spam campaign crafted for contaminating end-users with the malicious software that encrypts files. The software namely Locky was among the former most prominent ransomware strains that became successful worldwide, whilst once it spread like an extremely common type of malicious program.

Reportedly according to Derek Knight, the Locky strain is presently getting disseminated through spam mails bearing subject lines such as "Emailing- CSI-034183_MB_S_7727518b6bab2 or "< No Subject >," while carry rar else zip files attached with Java Script documents. Executing the Java Script files results in Locky getting downloaded from certain website running elsewhere.

And following downloading and execution of Locky, the malware scrutinizes the infected PC to find its stored files which it then encrypts. After encrypting it even changes the file-name to have the .lukitus extension. And while giving the files a new name, Locky utilizes a format such as [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]- [4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus, implying any file having the name 1.png would have Locky encrypt it and give it a file-name something like E87091F1-D24A-922B-00F6B112-72BB7EA6EADF.lukitus.

Subsequently, once the ransomware completes encrypting the PC, it'll eliminate the pulled down executable followed with exhibiting the ransom note giving details about the way for paying the ransom. The current Locky version's ransom note names are lukitus.bmp and lukitus.htm. Bleepingcomputer.com posted this, August 16, 2017.

The said dual old ransomware samples have started reappearing, now in stronger as well as more destructive versions like never before. Conversely, the other sample happens to be one fresh variant of the EV ransomware.

Attacks involving ransom software are useful for cyber-criminals because they reap lots of money with very little effort. Hence, probably when Jaff that insisted on a $4,000 ransom payment while utilized one decryptor nearly same as of Locky became easy to crack by cyber-security experts, the crooks responsible for it now like before employ Locky.

And whilst Locky perpetrators are still to be recognized, it is security researchers' observation that Locky would erase itself from contaminated systems should Russian be the language of the locality, perhaps indicating the developers' geographic position.

» SPAMfighter News - 8/22/2017