
Looking for information on JS/Locky.AY!Eldorado



#1 flashb

flashb

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:50 PM

Posted 06 September 2016 - 05:02 PM

Specifically looking for what this Locky variant names its files to once encrypted, or is this a downloader only? Either way, what things do we need to look for that our anti-virus/cleaner might miss?

 

Thank you for any info you can share. I have looked all over and only found this page with helpful data so far.

https://community.spiceworks.com/topic/1802642-another-huge-virus-outbreak-today?from_forum=216

 

flashb 





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,932 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:50 PM

Posted 07 September 2016 - 06:03 AM

JS/Locky.AY!Eldorado appears to be a vendor specific detection name.

Each security vendor uses its own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the actual file(s) involved. Names with Generic or Patched are a very broad category. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is.

Names are created for in-the-wild malware which has been released to infect computers, non-wild ("Zoo" viruses and worms) created by labs and anti-virus vendors to test their ability to detect new threats, proof-of-concept viruses created by ethical groups and zero-day malware...all of which can be renamed at any given time. Since there are no universal naming standards, all this leads to confusion for the end user.

Any files that are encrypted with Locky Ransomware will be renamed with random alphanumeric characters and have the .locky extension appended to the end of the encrypted data filename in the following format [unique_id][identifier].locky...(i.e. A65091F1B14A911F0DD0E81ED3029F08.locky). Locky Ransomware will leave a file (ransom note) named _Locky_recover_instructions.txt, _HELP_INSTRUCTIONS.txt.

Any files that are encrypted with the newest Locky Ransomware variant will be renamed with random alphanumeric characters and utilize the .zepto extension (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto). This variant will leave a ransom note pattern consisting of _(****)_HELP_instructions.txt/.bmp/.html...(i.e. _6789_HELP_INSTRUCTIONS.txt, _6789_HELP_INSTRUCTIONS.bmp, _6789_HELP_INSTRUCTIONS.html). More information in this BC News Article: New Locky version adds the .Zepto Extension to Encrypted Files

A repository of all current knowledge regarding Locky Ransomware is provided by Grinler (aka Lawrence Abrams), in this topic: Locky Ransomware Information, Help Guide, and FAQ.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

You can also submit samples of encrypted files, ransom notes, email or/and website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification and possible decrypting solutions. If you are provided any information it would be helpful to post it here for Demonslay335 to review.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
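As an added defender-side example (not from this thread or from BleepingComputer), a small Python scan that classifies file names by the Locky naming patterns quietman7 describes above. It assumes the [unique_id][identifier] part is hexadecimal, as in the post's examples, and that the (****) prefix of the newer ransom note is four alphanumeric characters; the file listing is constructed for the demo.

```python
import re

# Filename patterns for the Locky naming conventions quoted in the post.
# Assumption (not stated on the page): the [unique_id][identifier] part is
# hexadecimal like the post's examples, and the (****) in the ransom-note
# pattern is four alphanumeric characters as in _6789_HELP_INSTRUCTIONS.txt.
PATTERNS = {
    "locky_encrypted": re.compile(r"^[0-9a-f]{32}\.locky$", re.I),
    "zepto_encrypted": re.compile(
        r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.zepto$", re.I),
    "ransom_note": re.compile(
        r"^(?:_Locky_recover_instructions\.txt|_HELP_INSTRUCTIONS\.txt"
        r"|_[0-9a-z]{4}_HELP_instructions\.(?:txt|bmp|html))$", re.I),
}

def classify(path):
    """Return the indicator category for one path, or None if nothing matched."""
    name = re.split(r"[\\/]", path)[-1]  # basename for Windows or POSIX paths
    for category, pattern in PATTERNS.items():
        if pattern.match(name):
            return category
    return None

def scan(paths):
    """Group paths by indicator category; paths that match nothing are dropped."""
    hits = {category: [] for category in PATTERNS}
    for path in paths:
        category = classify(path)
        if category:
            hits[category].append(path)
    return hits

# Constructed sample listing (not from a real incident) mixing clean files
# with the filename shapes quoted in the post.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\A65091F1B14A911F0DD0E81ED3029F08.locky",
    r"C:\Users\alice\Documents\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Pictures\024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto",
    r"C:\Users\alice\Pictures\_6789_HELP_instructions.html",
    r"C:\Users\alice\Desktop\notes.locky",  # wrong shape: not a Locky rename
]

if __name__ == "__main__":
    for category, paths in scan(SAMPLE_LISTING).items():
        print(f"{category}: {len(paths)} file(s)")
```

Pointing the scan at a real directory listing gives a quick first answer to whether the .locky or the .zepto naming is present before submitting samples to ID Ransomware.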

#3 flashb

flashb
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:50 PM

Posted 07 September 2016 - 09:47 AM

Thanks so much for the great info. I will be making a donation shortly :)



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,932 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:50 PM

Posted 07 September 2016 - 10:58 AM

You're welcome and we appreciate the donation.

BTW, there is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#5 Struppigel

Struppigel

    Karsten Hahn, G DATA Malware Analyst


  • Malware Response Team
  • 231 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:50 AM

Posted 08 September 2016 - 01:45 AM

Specifically looking for what this Locky variant names its files to once encrypted, or is this a downloader only? Either way, what things do we need to look for that our anti-virus/cleaner might miss?

 

Thank you for any info you can share. I have looked all over and only found this page with helpful data so far.

https://community.spiceworks.com/topic/1802642-another-huge-virus-outbreak-today?from_forum=216

 

flashb 

 

JS/Locky.AY!Eldorado is a JScript Locky downloader. That means it is not the actual Locky ransomware, but the malware that delivers it. Your image also shows it is located in email attachments.
