AhnLab Security Center

Search

Another Variant of Locky Ransomware With a Name of Norse God

12-01-2016

There seems to be an endless parade of Locky variants. The first Locky began by changing infected file extensions to .locky, followed by strains that tack on .zepto, .odin, .shit, .thor; a new variant has been found that uses the extension “.aesir”. only days after the appearance of the last Locky variant that changes the extension of affected files to .thor.  

☞ Read more about Locky ransomware variants here. 


One obvious feature of the latest string of Locky ransomware is that they use names and terms from Nordic mythology. It seems possibly to be connected with the pronunciation of Locky that sounds the same with Loki, the god of mischief and destruction of Norse mythology; Aesir and Thor are the Norse gods dwelling in Asgard. 


Like other Locky ransomware, the new variant’s downloader is distributed in the form of attachments to spam emails. When the downloader in the email is executed, the executable file that actually functions as the malware is downloaded to the infected system.

  

 

Figure 1. Encoded executable file (top) / Decoded file (bottom)

 

The encrypted executable file is created by the downloader in the %Temp% folder. The file is then decrypted and converted into a normal dynamic link library (DLL) file, and injected into the normal Windows process Rundll32.exe.

 



Figure 2. DLL file injected into Rundll32.exe

 


The encryption process does not occur immediately after Rundll32.exe runs but after a certain amount of time has elapsed. Once encryption is complete, a ransom note, an infection alert message, bearing the names -INSTRUCTION.bmp and -INSTRUCTION.html are displayed, and existing files are changed to encrypted files bearing the extension .aesir.

 

 

Figure 3. Ransomware infection notice message


 
Figure 4. New extensions added to encrypted files

 

Spam email used to distribute ransomware often contain subject lines that include such words as “payment” or “receipt” in order to disguise itself as an official email and lure users into clicking the attachment. To prevent such attacks using spam mail as the vector, users should avoid opening email from suspicious sources.​ 

top