We have seen a change to the Locky ransomware today. It has been very quiet today, with the first malspam arriving at about 6pm UK time. When you don’t get any Locky malspam during the working day, you can almost guarantee that they have been changing it or “improving it”. The big change is the file extension of the encrypted files, which is now .odin. They are still using .wsf files inside zips today.
I am sure we will soon see other tech blogs and “news” sites calling this a new ransomware version. It isn’t. It is still Locky just with a changed extension for the encrypted files. For a few months we saw .zepto, now .odin.
The emails are common and nothing special. The first series pretends to come from your own domain, with a subject of Re:Documents Requested and the body saying:
Please find attached documents as requested.
The second series comes from random senders with a subject of Updated invoice #[random number], with random names, job positions and companies in the body. The body content is:
Our sincere apology for the incorrect invoice we sent to you yesterday.
Please check the new updated invoice #3195705 attached.
We apologize for any inconvenience.
Executive Director Marketing PPS
Tel.: (324) 435-35-73
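A mail-gateway triage check for the traits described above (the two subject lines, a sender on the recipient's own domain, and a .wsf script inside a zip attachment), as an added example that is not part of the original post. The function names, the example.com addresses and the sample message are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines of the two malspam series described in the post.
SUBJECT_PATTERNS = [re.compile(r"^Re:\s*Documents Requested$", re.I),
                    re.compile(r"^Updated invoice #\d+$", re.I)]

def wsf_members(data):
    """Names of .wsf files inside a zip; [] if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".wsf")]
    except zipfile.BadZipFile:
        return []

def triage(raw):
    """Return the campaign traits a raw RFC 5322 message matches.
    Own-domain senders are normal for internal mail, so weigh the
    reasons together rather than acting on one alone."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if any(p.match(subject) for p in SUBJECT_PATTERNS):
        reasons.append("subject")
    senders = msg["From"].addresses if msg["From"] else ()
    rcpts = msg["To"].addresses if msg["To"] else ()
    if {a.domain.lower() for a in senders} & {a.domain.lower() for a in rcpts}:
        reasons.append("own-domain-sender")
    for part in msg.iter_attachments():
        names = wsf_members(part.get_payload(decode=True) or b"")
        if names:
            reasons.append("wsf-in-zip:" + ",".join(names))
    return reasons

def build_sample(subject, member, sender, rcpt="user@example.com"):
    """Constructed test message; the zip member holds inert text only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "inert placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, subject
    msg.set_content("Please find attached documents as requested.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="documents.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("Re:Documents Requested", "doc.wsf",
                              "accounts@example.com")))
```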