A new analysis of Locky ransomware configurations by German IT security firm Avira has revealed improved offline capabilities that enhance its ability to automatically encrypt victims' files, without interaction with a command-and-control server.
Configurations observed in previous versions of Locky contained some C&C URLs in addition to a parameter for domain generation algorithms used to create additional URLs. However, the new code has eliminated this, allowing the malware to operate more stealthily while reducing infrastructure support costs. “By minimizing their code's online activities, they don't have to pay for so many servers and domains anymore,” said Moritz Kroll, malware specialist at Avira Protection Labs, according to an Avira blog post last week.
Avira first reported in July that Locky added offline encryption tactics. Earlier this month, security researcher Timothy Davies noted a new Locky update featuring an RSA key embedded within the ransomware's code.