Locky Changed Again To Use .zzzzz File Extensions

Another quick post to update the new Locky format and behaviour. Earlier this week we reported the change to .aesir file extensions on encrypted/ransomed files. Today Locky has changed the encrypted file extension again to .zzzzz. They have kept the C2 path as "/information.cgi". I am not seeing any change to the name of the ransomware notification file that they drop on your desktop; so far they are staying with _[number]-INSTRUCTION.html.

They have left (probably temporarily) the Norse Gods naming format. Locky has changed over the couple of years it has been around: it started with .locky, moved on to .zepto, then to .odin; for a short period they used .shit, then reverted to Norse Gods with .thor and .aesir. Today it is a simpler .zzzzz file extension.

This is still LOCKY ransomware. All that has changed is the file extension on the encrypted files. I expect the usual "tech" "news sites" to go OTT as usual, declare this to be a totally new ransomware version and do a Chicken Little "the sky is falling". It is not new, just a changed file extension to .zzzzz.

The other change we are seeing in some of the versions received is that they are using a .tdb extension on the actual malware files downloaded. This is actually a DLL file that is run by rundll32, but given a different extension to attempt to fool anyone having a quick look at it. Over the last few days we have also seen several examples of Locky using a .522 file extension on the downloaded DLL.
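As an added example (not part of the original post), here is a small Python triage script that puts the indicators above to defensive use. It sorts a file listing into Locky-encrypted files (by the extension history in this post, .zzzzz included) and _[number]-INSTRUCTION.html ransom notes, and it scans process-creation log lines for rundll32 loading a module whose extension is not one rundll32 is normally handed, which is how a .tdb or .522 rename stands out. The log line format, the sample file names, and the set of "expected" rundll32 extensions are constructed assumptions for this example.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Encrypted-file extensions Locky has used over time, as listed in the post.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".shit", ".thor", ".aesir", ".zzzzz"}

# The ransom note name reported in the post: _[number]-INSTRUCTION.html
RANSOM_NOTE_RE = re.compile(r"^_\d+-INSTRUCTION\.html$", re.IGNORECASE)

# Extensions rundll32 is normally handed on this (assumed) fleet; tune to your
# environment. Anything else, such as .tdb or .522, is reported.
EXPECTED_RUNDLL32_EXTENSIONS = {".dll", ".cpl", ".ocx"}


def triage_file_names(names: List[str]) -> Dict[str, List[str]]:
    """Sort file names (a share listing, a file-server audit, ...) into
    Locky-encrypted files, ransom notes and everything else."""
    result: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": [], "other": []}
    for name in names:
        p = PureWindowsPath(name)
        if p.suffix.lower() in LOCKY_EXTENSIONS:
            result["encrypted"].append(name)
        elif RANSOM_NOTE_RE.match(p.name):
            result["ransom_notes"].append(name)
        else:
            result["other"].append(name)
    return result


# Constructed log format: key=value fields, with cmdline= running to end of line.
CMDLINE_RE = re.compile(r"\bcmdline=(.*)$")
# rundll32 syntax is  rundll32.exe <module>,<entrypoint> [args]; the module may be quoted.
MODULE_RE = re.compile(r'rundll32\.exe"?\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def rundll32_module(cmdline: str) -> str:
    """Return the module path rundll32 was asked to load, or '' if this is not
    a rundll32 command line."""
    m = MODULE_RE.search(cmdline)
    if not m:
        return ""
    raw = m.group(1) or m.group(2)
    return raw.split(",", 1)[0]  # drop the ",entrypoint" part if present


def flag_renamed_dll_loads(log_lines: List[str]) -> List[Dict[str, str]]:
    """One finding per process-creation line where rundll32 loads a module
    whose extension is not in EXPECTED_RUNDLL32_EXTENSIONS."""
    findings = []
    for line in log_lines:
        m = CMDLINE_RE.search(line)
        if not m:
            continue
        module = rundll32_module(m.group(1))
        if not module:
            continue
        ext = PureWindowsPath(module).suffix.lower()
        if ext not in EXPECTED_RUNDLL32_EXTENSIONS:
            findings.append({"module": module, "extension": ext or "(none)", "line": line})
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_LISTING = [
    r"D:\shares\finance\Q3-report.xlsx",
    r"D:\shares\finance\A1B2C3D4E5F6A7B8.zzzzz",
    r"D:\shares\finance\_1234-INSTRUCTION.html",
    r"D:\shares\finance\photo.jpg",
    r"D:\shares\hr\old-backup.thor",
]
SAMPLE_LOG = [
    r"ProcessCreate user=CORP\alice image=C:\Windows\System32\rundll32.exe cmdline=rundll32.exe C:\Users\alice\AppData\Local\Temp\kjh78f.tdb,qwerty",
    r"ProcessCreate user=CORP\bob image=C:\Windows\System32\rundll32.exe cmdline=rundll32.exe shell32.dll,Control_RunDLL",
    r'ProcessCreate user=CORP\carol image=C:\Windows\System32\rundll32.exe cmdline=rundll32.exe "C:\Users\carol\AppData\Local\Temp\a9.522",Run',
    r"ProcessCreate user=CORP\dave image=C:\Windows\System32\notepad.exe cmdline=notepad.exe C:\notes.txt",
]

if __name__ == "__main__":
    for bucket, names in triage_file_names(SAMPLE_LISTING).items():
        print(f"{bucket}: {names}")
    for f in flag_renamed_dll_loads(SAMPLE_LOG):
        print(f"rundll32 loading non-DLL extension {f['extension']}: {f['module']}")
```

The module-extension check is deliberately narrow so it stays quiet on ordinary rundll32 use (control panel applets, shell32 entry points); a second signal such as the module living under a user-writable Temp directory, as in the samples, is worth adding once the base rule is tuned to your own logs.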

These updated versions of Locky ransomware continue to target 456 file extensions for encryption. They have gradually increased that list over time; the .thor version targeted approx. 400 extensions. Many of the extensions are rarely used by consumers and I have never heard of loads of them. They are all data-format files, that is, files that contain information (documents, images etc.) rather than .exe or other executable formats. Locky and other ransomware criminal gangs want you to pay them to get your information back.

