A new variant of Locky Ransomware has been discovered and is spreading through a spam campaign with the subject line “Status of Invoice”. The attachments are compressed with 7z rather than as .zip archives, which ordinary users can easily uncompress.
Ykcol also tries to delete the Shadow Volume Copies to prevent the user from recovering the encrypted files. However, there are instances where the deletion of the Shadow Volume files fails, and those victims may be able to recover from this attack.
MS Windows natively gives users the ability to extract files from .zip archives, whereas users have to install 7z in order to extract from 7z archives. Because of this, this particular Locky Ransomware campaign does not seem likely to have a major impact.
Extension: .ykcol (the word “Locky” reversed)
Filename Format: [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars]
Unfortunately, as of this time, it is not possible to decrypt .ykcol for free.
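The filename format above can be used to confirm the extent of an infection during incident response. The following is an added example (not code from the original post or from eScan) that matches file names against the Ykcol naming scheme and groups the encrypted files by the victim id prefix they share; the sample listing is constructed for illustration.

```python
import os
import re
from collections import Counter

# Filename pattern described in the advisory:
# [8 hex]-[4 hex]-[4 hex]-[4 hex]-[12 hex].ykcol
# The first three groups (16 hex chars) are taken from the victim id.
YKCOL_RE = re.compile(
    r"^(?P<id1>[0-9A-Fa-f]{8})-(?P<id2>[0-9A-Fa-f]{4})-(?P<id3>[0-9A-Fa-f]{4})"
    r"-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\.ykcol$"
)


def victim_id_prefix(filename):
    """Return the 16-hex-char victim id prefix if the name matches, else None."""
    m = YKCOL_RE.match(filename)
    if not m:
        return None
    return (m.group("id1") + m.group("id2") + m.group("id3")).upper()


def triage(filenames):
    """Count matching encrypted files per victim id prefix.

    Names that merely end in .ykcol but do not follow the scheme are ignored,
    so a stray rename does not inflate the count."""
    counts = Counter()
    for name in filenames:
        prefix = victim_id_prefix(name)
        if prefix is not None:
            counts[prefix] += 1
    return dict(counts)


def scan_directory(root):
    """Walk a directory tree and triage every file name found under it."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return triage(names)


# Constructed sample listing (not real indicators).
SAMPLE_LISTING = [
    "0123ABCD-4E5F-6789-ABCD-0123456789AB.ykcol",
    "0123ABCD-4E5F-6789-1111-222233334444.ykcol",
    "report.docx",
    "notes.ykcol",  # extension only; does not follow the naming scheme
    "0123abcd-4e5f-6789-ffff-ffffffffffff.ykcol",  # lowercase hex, same victim id
]

if __name__ == "__main__":
    for prefix, n in triage(SAMPLE_LISTING).items():
        print(f"victim id prefix {prefix}: {n} encrypted file(s)")
```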
Prevention Measures:
• Administrators should block all executable files from being transmitted via emails.
• Administrators should isolate the affected system in the Network.
• The administrator can restore the encrypted files from the backup or from system restore point (if enabled) for affected systems.
• Install and Configure eScan with all security modules active.
1. eScan Real-Time Monitoring
2. eScan Proactive protection
3. eScan Firewall IDS/IPS Intrusion prevention
• Users shouldn’t enable macros in documents.
• Organizations should deploy and maintain a backup solution.
• Most importantly, organizations should implement MailScan at the gateway level for email servers to contain the spread of suspicious attachments.