A new version of the Locky Ransomware was released yesterday that uses a new naming scheme for encrypted files. Previously Locky had renamed files and then appended a Locky extension so that filename was similar to A65091F1B14A911F0DD0E81ED3029F08.locky.

With this new version, Locky uses the .zepto extension and files are renamed to a name like 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto

Files with the Zepto Extension
Files with the Zepto Extension

This new naming format is in the form of [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].zepto. For example, for a file called 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto, the extracted victim ID would be 024BCD3341D1ACD3.

If there are any other modifications to this version we will update this article.

 

Related Articles:

Xbash Malware Deletes Databases on Linux, Mines for Coins on Windows

New Brrr Dharma Ransomware Variant Released

Kraken Cryptor Ransomware Masquerading as SuperAntiSpyware Security Program

The Week in Ransomware - September 14th 2018 - Kraken, Dharma, & Matrix

Fallout Exploit Kit Pushing the SAVEfiles Ransomware