Locky ransomware is the biggest type of malware threatening both consumers and enterprises around the globe today. Even though this malware has been in existence for quite some time now, new variants are still being discovered on a regular basis. A new report by Netskope goes to show that the Locky threat is only becoming more severe as time progresses.

Two New Locky Variants Everyone Should Take Note Of

Even though Locky ransomware exists in many different forms, two new variants have sprung up which demand everyone’s immediate attention. First of all, there is the AESIR variant, which seems to be the most severe threat of the two. As some would expect, this new variant will also change encrypted filenames to the AESIR extension.

What is rather disturbing about this new ransomware is how it contains a variables array, which will download the Locky executable from any of its available servers. The malicious payload is hidden inside a VBS script, which is downloaded to the TEMP folder on the computer. Once that has been taken care of, all hell will break loose rather quickly.

The ransom message shown by the AESIR ransomware is very similar to that of Locky, which is not surprising. However, there are some minor changes in the ransom notes. Interestingly enough, the recovery instructions are virtually the same as the ones found in Locky itself, which further confirms the correlation between both payloads. Victims are still redirected to a Tor-hosted web page to complete the Bitcoin payment and receive the decryption key.




The second new variant of Locky is called ZZZZZ and is a near copy of the AERIS variant. However, there are two changes to take note of. First of all, there is the different payload extension, and the decrypted payload uses a different extension as well. For security researchers, this is valuable information that may help them combat these threats at an early stage. 

All of the underlying codebase found in the ZZZZZ variant is nearly identical to Locky, including the original recovery instructions. To make it even more intriguing, both of these new variants are distributed in the same manner as the original Locky ransomware. Other than minor payload extension changes, all types of malware behave in the same manner. But that is also what makes them so incredibly dangerous.

It is evident that Locky ransomware remains the biggest threat to our online society, even when it is repackaged into slightly different variants. Criminals want to make sure that their payload evades detection from antivirus and anti-malware tools, and these minor modifications allow them to do so. Moreover, these two new variants hint at the usage of a Locky payload “toolkit” to create new forms of malware. This is a very disturbing development, to say the least.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.