Locky Changed To Use .aesir File Extension And Changed C2 Format

Just a quick post to update the new Locky format & behaviour. Locky has changed the encrypted file extension to .aesir as well as the C2 to “/information.cgi”. I am also informed there is a slight change to the name of the ransomware notification file that they drop on your desktop. it appears to now be _[number]-INSTRUCTION.html
We first saw this with /locky-delivered-by-spoofed-your-amazon-com-order-has-dispatched/ and https://nftsgary.com/locky-delivered-by-spoofed-isp-you-have-been-sending-spam-notifications/ slightly earlier today, but I didn’t see any immediate sign of the encrypted extension changing in online sand box reports.

I have now had time to go back and examine the reports more deeply and can see the changes in file extension to .aesir They are keeping to the Norse Gods format. Locky has changed over the couple of years it has been around. It started with .locky. Moved on to .zepto, then to .odin, for a short period they used .shit, then reverted back to Norse Gods with .thor and now .aesir

This is still LOCKY ransomware. All that has changed is the file extension on the encrypted files. I expect to usual “tech” “news sites” to go OTT as usual and declare this to be a totally new ransomware version and do a chicken little ” the sky is falling”. It is not new, just a changed file extension to .aesir

It was quite difficult to see the changed extension to .aesir until you look at https://www.hybrid-analysis.com/sample/7d8f69106ca48bd9c3946487e9c0bce95347a6705487b23bc2df7e3d51469ba0?environmentId=100 and scroll down to Installation/Persistance and then dropped files

This updated version of Locky ransomware now targets 456 file extensions to be encrypted. They have gradually increased them over time. The .thor extension targeted approx.. 400 extensions. Many of the extensions are rarely used by consumers and I have never heard of loads of them. They are all data format files.

That is files that contain information, documents, images etc. rather than .exe or other executable formats. Locky and other ransomware criminal gangs want you to pay them to get your information back. .yuv .ycbcra .xis .x3f .x11 .wpd .tex .sxg .stx .st8 .st5 .srw .srf .sr2 .sqlitedb .sqlite3 .SQLite .sdf .sda .sd0 .s3db .rwz .rwl .rdb .rat .raf .qby .qbx .qbw .qbr .qba .py .psafe3 .plc .plus_.muhd .pdd .p7c .p7b .oth .orf .odm .odf .nyf .nxl .nx2 .nwb .ns4 .ns3 .ns2 .nrw .nop .nk2 .nef .ndd .myd .mrw .moneywell .mny .mmw .mfw .mef .mdc .lua .kpdx .kdc .kdbx .kc2 .jpe
.incpas .iiq .ibz .ibank .hbk .gry .grey .gray .fhd .fh .ffd .exf .erf .erbsql .eml .dxg .drf .dng .dgc .des .der .ddrw .ddoc .dcs .dc2 .db_journal .csl .csh .crw .craw .cib .ce2 .ce1 .cdrw .cdr6 .cdr5 .cdr4 .cdr3 .bpw .bgt .bdb .bay .bank .backupdb .backup .back .awg .apj .ait .agdl .ads .adb .acr .ach .accdt .accdr .accde .ab4 .3pr .3fr .vmxf .vmsd .vhdx .vhd .vbox .stm .st7 .rvt .qcow .qed .pif .pdb .pab .ost .ogg .nvram .ndf .m4p .m2ts .log .hpp .hdd .groups .flvv .edb .dit .dat .cmt .bin .aiff .xlk .wad .tlg .st6 .st4 .say .sas7bdat .qbm .qbb .ptx .pfx .pef .pat .oil .odc .nsh .nsg .nsf .nsd .nd .mos .indd .iif .fpx .fff .fdb .dtd .design .ddd .dcr .dac .cr2 .cdx .cdf .blend .bkp .al .adp .act .xlr .xlam .xla .wps .tga .rw2 .r3d .pspimage .ps .pct .pcd .m4v .fxg .flac .eps .dxb .drw .dot .db3 .cpi .cls .cdr .arw .ai .aac .thm .srt .save .safe .rm .pwm .pages .obj .mlb .md .mbx .lit .laccdb .kwm .idx .html .flf .dxf .dwg .dds .csv .css .config .cfg .cer .asx .aspx .aoi .accdb .7zip .1cd .xls .wab .rtf .prf .ppt .oab .msg .mapimail .jnt .doc .dbx .contact .n64 .m4a .m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .qcow2 .vdi .vmdk .vmx .wallet .upk .sav .re4 .ltx .litesql .litemod .lbf .iwi .forge .das .d3dbsp .bsa .bik .asset .apk .gpg .aes .ARC .PAQ .tar .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .djv .djvu .svg .bmp .png .gif .raw .cgm .jpeg .jpg .tif .tiff .NEF .psd .cmd .bat .sh .class .jar .java .rb .asp .cs .brd .sch .dch .dip .pl .vbs .vb .js .asm .pas .cpp .php .ldf .mdf .ibd .MYI .MYD .frm .odb .dbf .db .mdb .sql .SQLITEDB .SQLITE3 .011 .010 .009 .008 .007 .006 .005 .004 .003 .002 .001 .pst .onetoc2 .asc .lay6 .lay .ms11 (Security copy) .ms11 .sldm .sldx .ppsm .ppsx .ppam .docb .mml .sxm .otg .odg .uop .potx .potm .pptx .pptm .std .sxd .pot .pps .sti .sxi .otp .odp .wb2 .123 .wks .wk1 .xltx .xltm .xlsx .xlsm .xlsb .slk .xlw .xlt .xlm .xlc .dif .stc .sxc .ots .ods .hwp .602 .dotm .dotx .docm .docx .DOT .3dm .max .3ds .xml .txt .CSV .uot .RTF .pdf .XLS .PPT .stw .sxw .ott .odt .DOC .pem .p12 .csr .crt .key