A new variant of Locky has been detected in the wild and this time the authors of Locky have decided to use “.zzzzz “ as the extension for all of the encrypted file. Moreover, researchers believe that it is using Geo-location for targeting its victims. Furthermore , this new variant appears to act as an adware , wherein Advertisements are displayed while the system is being infected.
It is interesting to note that Locky authors have been frequently changing the extensions, and this aspect might be contributed by various factors
1: Private Keys being used for encryption are changed with every campaign and this allows the authors to keep a track and also provide specific decryption routines/
2: The CNC are being regularly taken down, which effectively renders these Keys infective.
However, we are yet to receive any confirmation about such take-downs.
It also seems that Locky Authors have just found out an additional method of monetizing their efforts. By introducing an Adware , they have ensured that even the time spent by Locky during encryption, generates revenue for them. This is basically a win-win situation for the Locky Authors, since, they now have the ability to monetize and earn profits from those users too, who are unwilling to pay the ransom.
In near future, we may find, numerous Ransomware-authors adopting this new found strategy of monetization.