After a two-week break that saw few Locky ransomware attacks, the Cisco Talos research team discovered a new variant that sports a scatologically named extension for the encrypted files and another reference that insults Linux.
Talos researchers Warren Mercer and Edmund Brumaghin found the cybercriminals using a .sh** extension for encrypted files in three distinct campaigns that distributed the new Locky variant. Two other changes were spotted in Locky:
- The URL path used for C2 has changed to /linuxsucks.php
- The file containing the ransom note is now named “_WHAT_is.html”
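These two indicators, plus the new file extension, are the kind of thing a responder would sweep proxy logs and file shares for. As an added example (not code from the article or from Talos), the Python below checks constructed proxy-log lines for the C2 path and a constructed file listing for the ransom note and encrypted-file extension. The log format, the sample entries and the `encrypted_ext` parameter are assumptions; the article censors the extension as .sh**, so that placeholder is used here and the real value has to be supplied by the reader.

```python
import re

# Indicators reported by Talos for this Locky variant.
C2_PATH = "/linuxsucks.php"
RANSOM_NOTE = "_WHAT_is.html"

# Constructed web-proxy lines (assumed format: "<client> <method> <url> <status>"),
# not real traffic.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 POST http://203.0.113.10/linuxsucks.php 200",
    "10.0.0.7 GET http://www.example.com/index.php 200",
    "10.0.0.9 POST http://198.51.100.4/LinuxSucks.php?id=1 200",
    "10.0.0.9 GET http://www.example.com/linuxsucks.php.bak 404",
]

# Constructed file listing from a share, not from a real incident. The ".sh**"
# extension is the article's censored placeholder, kept as-is.
SAMPLE_FILES = [
    "/srv/share/finance/q3.xlsx.sh**",
    "/srv/share/finance/_WHAT_is.html",
    "/srv/share/finance/readme.txt",
    "/srv/share/hr/_what_is.html",
]

_URL_RE = re.compile(r"^https?://([^/?\s]+)(/[^?\s]*)?")


def find_c2_requests(log_lines, c2_path=C2_PATH):
    """Return (client, host, path) for every line whose URL path equals the C2 path.

    The match is on the path only (case-insensitive, query string ignored), so
    '/linuxsucks.php.bak' is not a hit but '/LinuxSucks.php?id=1' is. Matching
    on the path rather than the host matters here because Locky C2 hosts change
    far more often than the script name.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        m = _URL_RE.match(parts[2])
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        if path.lower() == c2_path.lower():
            hits.append((parts[0], host, path))
    return hits


def find_ransomware_artifacts(paths, encrypted_ext):
    """Split a file listing into ransom notes (by name) and encrypted files (by
    extension). Both comparisons are case-insensitive since the victims are
    Windows hosts with case-insensitive file systems."""
    notes, encrypted = [], []
    ext = encrypted_ext.lower()
    note = RANSOM_NOTE.lower()
    for p in paths:
        name = p.rsplit("/", 1)[-1].lower()
        if name == note:
            notes.append(p)
        elif name.endswith(ext):
            encrypted.append(p)
    return notes, encrypted


if __name__ == "__main__":
    for client, host, path in find_c2_requests(SAMPLE_PROXY_LOG):
        print(f"possible Locky C2 beacon: {client} -> {host}{path}")
    notes, enc = find_ransomware_artifacts(SAMPLE_FILES, encrypted_ext=".sh**")
    print(f"ransom notes: {notes}")
    print(f"encrypted files: {enc}")
```

A path-only match is deliberately loose on the host side; in a real deployment the hits should be joined against the client's other traffic in the same window (the first beacon is normally followed by the encryption run) before anyone acts on them.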
The odd extension name does not point to any particular motivation beyond the fact that the authors had to call it something.
“They change the extension occasionally to avoid very simplistic detection techniques, combine that with immaturity and we end up with .sh** extensions,” Craig Williams, senior technical leader and global outreach manager at Cisco Talos, told SCMagazine.com in an email.
The three campaigns studied by Talos also included a few new twists.
The first, spotted on October 24, used emails that attempted to leverage malicious .HTA files as malware downloaders. The emails claim to contain a receipt, with the file name “Receipt XXXXX-XXXXXX.hta” (an HTML Application, a Windows file format whose embedded script runs via mshta.exe) housed in a .ZIP attachment. When the victim opens the .HTA from the .ZIP, it downloads the Locky ransomware. Another odd, or perhaps simply seasonal, addition to this campaign is the inclusion of the word “pumpkin” as part of the obfuscation of the .HTA downloader; Talos found 37 separate instances of the word being used.
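A mail gateway or analyst script can triage this kind of attachment without ever extracting it to disk. The Python below is an added example (not from the article or from Talos): it opens the ZIP in memory, flags any .hta entry, hashes it, checks whether the name follows the receipt lure, whether the body carries a script block (an HTA with no script cannot act as a downloader), and counts the “pumpkin” marker Talos noted. The sample archive is constructed here, the receipt-name regex is an assumption based on the file name quoted above, and the `verdict` policy is an illustrative choice, not Talos's.

```python
import hashlib
import io
import re
import zipfile

HTA_EXT = ".hta"
MARKER = b"pumpkin"  # string Talos saw repeated in the obfuscated HTA downloader

# Assumed lure pattern, derived from the "Receipt XXXXX-XXXXXX.hta" name in the report.
_RECEIPT_RE = re.compile(r"(?i)^receipt .+\.hta$")


def triage_zip_attachment(zip_bytes, marker=MARKER):
    """Inspect a ZIP attachment held in memory.

    Returns one dict per .hta entry (other entries are ignored) with the SHA-256,
    size, whether the name matches the receipt lure, whether a <script> block is
    present, and how many times the marker occurs in the (lower-cased) body.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(HTA_EXT):
                continue
            data = zf.read(info)
            body = data.lower()
            findings.append({
                "name": name,
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "receipt_lure": bool(_RECEIPT_RE.match(name)),
                "has_script": b"<script" in body,
                "marker_hits": body.count(marker.lower()),
            })
    return findings


def verdict(findings):
    """Illustrative policy: block when an HTA carries script and either matches
    the receipt lure or contains the marker; otherwise send any HTA for review."""
    if not findings:
        return "clean"
    for f in findings:
        if f["has_script"] and (f["receipt_lure"] or f["marker_hits"] > 0):
            return "block"
    return "review"


def build_sample_zip(with_hta=True):
    """Constructed sample archive for this example; not a real Locky attachment.
    The HTA body only mimics the shape (VBScript block, repeated marker)."""
    hta = (
        b'<html><head><script language="VBScript">\n'
        + b"'pumpkin\n" * 3
        + b'x = "pumpkin"\n'
        + b"</script></head></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_hta:
            zf.writestr("Receipt XXXXX-XXXXXX.hta", hta)
        zf.writestr("readme.txt", b"plain text, ignored")
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_zip_attachment(build_sample_zip())
    for f in findings:
        print(f)
    print("verdict:", verdict(findings))
```

Keying only on the .hta extension is the robust part of this check: the receipt name and the marker are the kind of detail Williams says gets swapped out regularly, while a ZIP that delivers an HTA to an end user is rarely legitimate and is worth blocking on its own.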
Williams said these changes do not make Locky any more effective per se, but are more of a regular tune-up to keep the ransomware useful and capable of evading poor detection techniques.