At least two new Locky ransomware variants have been released within less than a month of each other, although one of them is currently broken because of a malformed spam campaign.
Trustwave researchers spotted a new Locky variant dubbed ykcol (Locky spelled backwards) in a 19 September spam blast that targeted three million inboxes within a three-hour period. More recently, on 10 October, Bleeping Computer researchers spotted another new Locky variant, which uses the .asasin extension for encrypted files.
The ykcol variant, which follows the same convention as the earlier Lukitus version of Locky, is packed with Game of Thrones references and is distributed through the Necurs botnet, which is also used to spread the TrickBot banking trojan and numerous other ransomware families.
The ykcol variant tries to entice users to open the malicious attachment with subject lines that mimic messages from known usernames or invoice notifications. The ransomware uses several variations of its ransom note, and victims need the Tor browser to reach the URL the note provides.
Researchers noted that a victim infected with ykcol is not affected by the Asasin version of Locky, which has its own unique set of problems, although the two versions are similar.
“Personally, I thought the previous extension, ykcol, was cleverer, while this one seriously needs a spell checker,” Bleeping Computer's Lawrence Abrams said. “Thankfully, the current distribution for this variant is broken due to a malformed spam campaign.”
Abrams added that whoever is distributing the spam is not adding the attachments correctly, so recipients see them only as a blob of base64-encoded text rather than as a file. Even if the attachments were delivered correctly, they are 7-Zip (.7z) archives, which most people would not know how to open, he added.
Unfortunately, no free decryptor is known for this ransomware. To prevent infection, users should keep regular backups of their files, not open attachments from unknown senders, confirm with a known sender that an attachment is what it claims to be before opening it, scan attachments with tools such as VirusTotal, keep systems updated, and use strong passwords.
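The two practical points above, the attachment that arrives as a base64 blob in the message body and the advice to check attachments against VirusTotal, can be combined into a small triage script. The following Python example is added here and is not code from the article, from Trustwave or from Bleeping Computer. It parses a message with the standard library, pulls out both properly attached MIME parts and base64 runs dumped into a text/plain body, checks whether the decoded bytes carry the 7-Zip signature, and computes the SHA-256 hash one would look up on VirusTotal. Both sample messages, the addresses in them and the "archive" (only its signature bytes are real) are constructed for the example.

```python
import base64
import binascii
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Signature bytes that open every 7-Zip archive ("7z" followed by BC AF 27 1C).
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"

# Constructed stand-in for an attachment: only the signature is real, the rest is filler.
FAKE_7Z = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 24

# A base64 blob pasted into a text body: zero or more full-width lines, then a final
# line that may be shorter and may carry "=" padding. Whole lines only, so prose
# containing spaces never matches.
INLINE_BLOB = re.compile(r"(?:^[A-Za-z0-9+/]{40,}\n)*^[A-Za-z0-9+/]+={0,2}$", re.M)


def _describe(blob, source):
    return {
        "source": source,
        "size": len(blob),
        "is_7z": blob.startswith(SEVENZ_MAGIC),
        "sha256": hashlib.sha256(blob).hexdigest(),  # the value to look up on VirusTotal
    }


def _decode_blob(run):
    """Decode a base64 run whose '=' padding may have been stripped by a mailer."""
    data = re.sub(r"\s+", "", run).rstrip("=")
    if len(data) % 4 == 1:  # no valid base64 string has this length
        return None
    data += "=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_payloads(raw_message, min_chars=32):
    """Return candidate file payloads found in an RFC 5322 message.

    Covers both a properly attached MIME part and the broken case the article
    describes: base64 text dumped into a text/plain body with no MIME part around
    it, which the recipient sees as a wall of text rather than as an attachment.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename or part.get_content_maintype() == "application":
            found.append(_describe(payload, "mime-part:" + (filename or part.get_content_type())))
        elif part.get_content_type() == "text/plain":
            text = payload.decode("utf-8", "replace").replace("\r\n", "\n")
            for m in INLINE_BLOB.finditer(text):
                if len(m.group(0)) < min_chars:
                    continue  # a lone word such as "Regards" also matches the pattern
                blob = _decode_blob(m.group(0))
                if blob is not None:
                    found.append(_describe(blob, "inline-base64"))
    return found


def malformed_sample():
    """Constructed message: the archive is pasted as base64 text, not attached."""
    blob = base64.b64encode(FAKE_7Z).decode()
    return (
        "From: billing@example.com\r\n"
        "To: victim@example.org\r\n"
        "Subject: Status of invoice\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "\r\n"
        "Please find the status of your invoice attached.\r\n"
        "\r\n" + blob + "\r\n"
        "\r\nRegards\r\n"
    ).encode()


def well_formed_sample():
    """Constructed message: the same archive attached as a proper MIME part."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Status of invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(FAKE_7Z, maintype="application", subtype="x-7z-compressed",
                       filename="invoice.7z")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("malformed", malformed_sample()), ("well-formed", well_formed_sample())):
        for hit in find_payloads(raw):
            print(name, hit)
```

The signature check only says the bytes are a 7-Zip container; it does not inspect what the archive holds, so the hash is still the value to submit to VirusTotal or a sandbox before anyone opens the file.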