Today a new Locky Ransomware variant was discovered by @dvk01uk that uses the .ODIN extension for encrypted files. Note that a computer encrypted by this variant is not infected with the separate Odin Ransomware; it is infected with Locky, which now uses the .ODIN extension. The two are different families.
Thankfully, this was a slow week for ransomware: 3 new variants of existing ransomware, 2 new ransomware infections, and an updated decryptor.
This week we have 6 new ransomware families, 1 distasteful ransom note, 2 decryptors, and an update to Locky. Of particular note is the CryLocker Ransomware, which uses Imgur.com to store information about its victims. We also have a new ransomware being sold and security researchers fighting back!
A new version of the Locky Ransomware, aka Zepto, has been circulating since around September 5th, 2016 that includes an embedded RSA public key. With the key built in, Locky can encrypt a victim's files without first contacting its Command & Control server, so blocking or sinkholing the C&C traffic no longer prevents encryption.
Ransomware is running rampant! This week we have 10 stories, including 6 new ransomware families, a decryptor, Locky being distributed as a DLL, and more. Pop culture ransomware continues to be the "thing": new Purge- and Pokemon-themed ransomware were also released this week.
Over the past few days, the Locky / Zepto developers have switched to installing the Locky Ransomware from a DLL rather than an executable. This is probably being done for further obfuscation and to bypass executable blockers, as rundll32.exe, the Windows binary that loads the DLL, is typically whitelisted. An allow-list that trusts rundll32.exe without restricting which DLLs it may load does not stop this.
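One way to catch the DLL-based installer in endpoint telemetry is to look for rundll32.exe loading a DLL from a directory a normal user can write to, optionally spawned by a script host. The following is an added example, not code from the article or from Locky; the "ts|parent|image|cmdline" event layout, the sample events and the DLL names are constructed for this example and do not mirror any specific product or sample.

```python
"""Added example: flag rundll32.exe loading a DLL from a user-writable
directory, the execution pattern described above. The event layout
"ts|parent|image|cmdline" and the events themselves are constructed."""
import re
from typing import List, Optional, Tuple

# First argument to rundll32: either a quoted path or an unquoted token that
# stops at whitespace or at the comma separating the DLL from its export name.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^\s,]+))',
                        re.IGNORECASE)

# Directory markers a standard user can write to; a legitimate rundll32 call
# normally points at a DLL under the Windows or Program Files trees.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

# Script hosts that run the zipped .js/.wsf lures used to drop Locky.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    "2016-09-01T10:02:11|explorer.exe|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "2016-09-01T10:05:43|wscript.exe|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.dll,Install",
    "2016-09-01T10:06:02|cmd.exe|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe \"C:\\Users\\alice\\AppData\\Roaming\\a.dll\",#1",
    "2016-09-01T10:07:15|svchost.exe|C:\\Windows\\System32\\notepad.exe|"
    "notepad.exe",
]


def dll_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the DLL path passed to rundll32, or None if none is present."""
    m = RUNDLL_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_user_writable(path: str) -> bool:
    """True if the path sits under a directory a standard user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def suspicious_rundll32(events: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, dll_path, reasons) for every rundll32 event that
    loads a DLL from a user-writable path or is launched by a script host."""
    hits = []
    for line in events:
        ts, parent, image, cmdline = line.split("|", 3)
        if not image.lower().endswith("\\rundll32.exe"):
            continue
        dll = dll_from_cmdline(cmdline)
        if dll is None:
            continue
        reasons = []
        if is_user_writable(dll):
            reasons.append("dll in user-writable path")
        if parent.lower() in SCRIPT_HOSTS:
            reasons.append("spawned by script host")
        if reasons:
            hits.append((ts, dll, reasons))
    return hits


if __name__ == "__main__":
    for ts, dll, reasons in suspicious_rundll32(SAMPLE_EVENTS):
        print(ts, dll, "; ".join(reasons))
```

The shell32.dll call from explorer.exe is left alone because the DLL lives under System32, while both DLLs under the user's AppData tree are flagged; the wscript.exe parent on the second event is the zipped-script lure described elsewhere on this page handing off to rundll32.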
This week we have 1 new ransomware variant, 3 new ransomware infections, and 1 new distribution campaign. The big news is that the Cerber Ransomware released a new version with some significant updates.
Over the past week or so, a new distribution campaign for the Locky variant dubbed the Zepto Ransomware has been underway. Previously, the Zepto installer was distributed in zipped JS files. Now the installers are being sent as zipped WSF (Windows Script File) files in emails that pretend to be banking reports and invoices.
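A mail gateway or triage script can refuse these lures by opening the zip attachment and checking the member names for Windows Script Host extensions, which catches both the earlier JS and the newer WSF variant. This is an added example, not the article's or any vendor's code; the sample attachment is built in memory with inert placeholder text, and the member names are invented.

```python
"""Added example: inspect a zipped email attachment for script-host members
(.js, .wsf and related extensions) before it reaches a user. The sample zip
is constructed here with inert placeholder content."""
import io
import os
import zipfile
from typing import List

# Extensions handled by Windows Script Host. The campaign above uses .js and
# .wsf; the others are the same class of file and are included for coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe"}


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip shaped like the banking-report lure.
    Member names are invented and the contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Banking_Report_2016-07.wsf",
                    '<job><script language="JScript">/* placeholder */</script></job>')
        zf.writestr("Invoice_8841.pdf.js", "// placeholder")
        zf.writestr("notes.txt", "nothing to see")
    return buf.getvalue()


def script_members(zip_bytes: bytes) -> List[str]:
    """Return the names of zip members whose final extension is a script type.
    Double extensions such as Invoice.pdf.js are judged on the last one."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy decision: any script member means the attachment is held."""
    return bool(script_members(zip_bytes))


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(script_members(sample))
    print("quarantine:", should_quarantine(sample))
```

Checking the member name rather than the outer attachment name matters because the outer file is just a zip; the lure is the script inside it. A stricter policy would also reject nested archives, which this example does not descend into.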
A new version of the Locky Ransomware was released yesterday that uses a new naming scheme and appends the .zepto extension to encrypted files. With this new version, Locky renames each encrypted file to a name similar to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto, so the original file name is no longer visible.
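When scoping an incident, a file listing from a share or backup can be matched against this naming scheme to count encrypted files per variant. The following is an added example that is not part of the original post; it serves both the .zepto scheme described here and the .ODIN variant at the top of the page. The pattern is derived from the single example name above (five hex groups of 8-4-4-4-12), treating the .ODIN files as using the same shape is an assumption, and the sample paths are constructed.

```python
"""Added example: recognise files renamed under the Locky naming scheme
(8-4-4-4-12 hex groups plus a .zepto or .odin extension) and tally them per
variant. The regex follows the example name in the summary; that the .ODIN
variant uses the same shape is an assumption. Sample paths are constructed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

LOCKY_NAME = re.compile(
    r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
    r"\.(?P<ext>zepto|odin)$",
    re.IGNORECASE,
)

# Constructed sample listing mixing Windows and POSIX paths.
SAMPLE_PATHS = [
    "024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto",
    "C:\\Users\\alice\\Documents\\024BCD33-41D1-ACD3-3EEA-0A1B2C3D4E5F.zepto",
    "/srv/share/finance/0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0.ODIN",
    "/srv/share/finance/quarterly.xlsx",
    "024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto.bak",
    "not-a-guid.zepto",
]


def basename(path: str) -> str:
    """Last path component, splitting on either separator so Windows paths
    work when the script runs on a Linux analysis box."""
    return re.split(r"[\\/]", path)[-1]


def locky_variant(path: str) -> Optional[str]:
    """Return 'zepto' or 'odin' if the file name matches the scheme, else None.
    Both values mean Locky; 'odin' is not the separate Odin Ransomware."""
    m = LOCKY_NAME.match(basename(path))
    return m.group("ext").lower() if m else None


def encrypted_files(paths: Iterable[str]) -> List[str]:
    """Paths whose names match the scheme."""
    return [p for p in paths if locky_variant(p) is not None]


def scan_names(paths: Iterable[str]) -> Dict[str, int]:
    """Count matching files per variant extension."""
    counts: Counter = Counter()
    for p in paths:
        v = locky_variant(p)
        if v is not None:
            counts[v] += 1
    return dict(counts)


if __name__ == "__main__":
    print(scan_names(SAMPLE_PATHS))
    for p in encrypted_files(SAMPLE_PATHS):
        print(p)
```

The anchored pattern rejects names with trailing extensions such as .zepto.bak and names that merely end in .zepto, so a count from this scan reflects files actually renamed by the ransomware rather than anything a user happened to name that way.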