Diablo6 Ransomware: Locky Ransomware Returns with Phishing Spam Campaign

Locky Ransomware is back again, and this time it is circulating through a malspam campaign. Locky was one of the most widespread and dangerous data-encrypting malware families of last year. According to cyber-security experts, the growth of ransomware infections was tremendous, and much of the credit goes to Locky, which began the trend and encouraged cyber-offenders to develop similar harmful infections such as Spora, Cerber and so on. In the past few months there were no new reports of Locky Ransomware infections; however, some new cases were registered last week, which indicates that Locky is back. Initial inspection suggests that it has wide distribution capabilities and could be extremely dangerous.

This new Locky ransomware variant is distributed through malspam campaigns. It appends the .diablo6 extension to the targeted encrypted files. The spam email carries a subject of the form E [date] (random_number).docx and a very short body such as “Files Attached Thanks”. The email contains a .ZIP attachment which holds a VBS downloader script. This script contains URLs from which it downloads the Locky ransomware executable. The file is downloaded to the %Temp% folder and executed instantly. Immediately after the download, the PC is scanned for the targeted files, which are then encrypted. Each encrypted file is renamed using the format [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].diablo6. The ransom note of this Locky variant is stored as diablo6[random].htm. The demanded ransom is about 0.49 Bitcoin, which is about $1600 USD. Unfortunately, this new variant of Locky Ransomware cannot be decrypted at present. The only possible ways of recovering the encrypted files are from backup files or Volume Shadow Copies.
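The renaming scheme and ransom-note name described above are usable as host-based indicators during triage. The following is an added example (not code from the original article) that walks a directory listing, flags names matching the Diablo6 pattern, and recovers the 16-hex-character victim-ID prefix shared by every encrypted file; the file names below are constructed sample data, not real indicators.

```python
import re
from collections import Counter

# Encrypted-file name as described in the article:
# 8-4-4 hex chars of the victim ID, then 4 and 12 random hex chars, then .diablo6
ENCRYPTED_RE = re.compile(
    r"^(?P<id16>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})-"
    r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\.diablo6$"
)
# Ransom note name: diablo6[random].htm
NOTE_RE = re.compile(r"^diablo6.*\.htm$", re.IGNORECASE)

def classify(name):
    """Return (kind, victim_id_prefix) for a single file name."""
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m.group("id16").upper())
    if NOTE_RE.match(name):
        return ("ransom_note", None)
    return ("other", None)

def triage(names):
    """Summarise a listing: counts per kind and the victim IDs seen."""
    summary = {"encrypted": 0, "ransom_notes": 0, "other": 0,
               "victim_ids": Counter()}
    for name in names:
        kind, victim_id = classify(name)
        if kind == "encrypted":
            summary["encrypted"] += 1
            summary["victim_ids"][victim_id] += 1
        elif kind == "ransom_note":
            summary["ransom_notes"] += 1
        else:
            summary["other"] += 1
    return summary

# Constructed sample listing (hypothetical names, not real IoCs).
SAMPLE_LISTING = [
    "1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D.diablo6",
    "1A2B3C4D-5E6F-7A8B-0F1E-2D3C4B5A6978.diablo6",
    "diablo6-4821.htm",
    "report.docx",
    # Near miss: only 11 trailing hex chars, so it must not be flagged.
    "1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6.diablo6",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

A single victim-ID prefix across all flagged files indicates one infection; several distinct prefixes on a shared drive point to multiple infected hosts writing to it.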