New variants of Locky are being released at a rapid rate lately. Yesterday, we had a new variant that appends the .SH*T extension to encrypted files and today they switched to using the .THOR extension. Maybe Locky had its mouth washed out with soap for cursing? Regardless of the reasons for the switch, I am happy as I won't have posts with curse words all over the forums.

Encrypted Public Sample Pictures Folder

The Thor Locky variant being distributed via SPAM Campaigns

This new variant is currently being distributed through a variety of SPAM campaigns with VBS, JS, and other attachments. One SPAM campaign that I have seen has a subject line of Budget forecast and contains a ZIP attachment called budget_xls_[random_chars].zip.

Budget Forecast Locky SPAM Email

This budget_xls zip file will contain a VBS script with a name like budget A32aD85 xls.vbs as shown below.

Locky Installer

Locky continues to use a DLL Installer

When the Locky SPAM attachments are executed, they download an encrypted DLL, decrypt it on the victim's computer, and then load it with Rundll32.exe. It is this DLL, not the script attachment, that encrypts the victim's files.

Executing the DLL via Rundll32

The DLLs are currently being executed with the following arguments:

C:\Windows\SysWOW64\rundll32.exe %Temp%\MWGUBR~1.dll,EnhancedStoragePasswordConfig 147
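The command line above is a usable detection hook: a 32-bit rundll32.exe loading a DLL out of a Temp directory, calling a named export, with a bare decimal number as the argument. The script below, an added example and not part of the original article or anything Locky's authors shipped, matches that shape against process-creation command lines. The sample command lines are constructed for the example (they are not captured from a real infection), and the "DLL under a Temp path" heuristic is an assumption on my part rather than something the article states.

```python
import re

# Matches rundll32.exe loading a DLL from a Temp directory with an export
# name and an optional trailing decimal argument, i.e. the shape shown in
# the article: rundll32.exe %Temp%\MWGUBR~1.dll,EnhancedStoragePasswordConfig 147
# The Temp-path requirement is a heuristic assumed for this example.
RUNDLL32_TEMP_RE = re.compile(
    r"""
    ^(?P<host>\S*\\rundll32\.exe)\s+
    (?P<dll>\S*(?:\\|%)temp%?\\[^,\s]+\.dll)
    ,(?P<export>[A-Za-z_]\w*)
    (?:\s+(?P<arg>\d+))?\s*$
    """,
    re.IGNORECASE | re.VERBOSE,
)


def classify_rundll32(cmdline):
    """Return dll/export/arg if cmdline is rundll32 loading a DLL from Temp, else None."""
    m = RUNDLL32_TEMP_RE.match(cmdline.strip())
    if not m:
        return None
    arg = m.group("arg")
    return {
        "dll": m.group("dll"),
        "export": m.group("export"),
        "arg": int(arg) if arg is not None else None,
    }


def scan_cmdlines(cmdlines):
    """Run classify_rundll32 over process-creation command lines and keep the hits."""
    hits = []
    for line in cmdlines:
        info = classify_rundll32(line)
        if info is not None:
            hits.append(info)
    return hits


# Constructed sample command lines (not captured from a real infection).
# Only the first and last mirror the Locky pattern: Temp DLL + export + number.
SAMPLE_CMDLINES = [
    r"C:\Windows\SysWOW64\rundll32.exe C:\Users\bob\AppData\Local\Temp\MWGUBR~1.dll,EnhancedStoragePasswordConfig 147",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"C:\Windows\SysWOW64\rundll32.exe %Temp%\abcd.dll,DllRegisterServer",
    r"C:\Windows\System32\rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Init 32",
]

if __name__ == "__main__":
    for hit in scan_cmdlines(SAMPLE_CMDLINES):
        print(hit)
```

The shell32.dll line is a legitimate Control Panel invocation and is not flagged; the two hits with a numeric argument are the ones that look like the Locky loader, while a Temp DLL with no argument (DllRegisterServer) is still worth a look but is a weaker signal.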

Once executed, the DLL scans for targeted file types, encrypts each file, and renames it to a scrambled name with the .thor extension. For example, a file called accounting.xlsx could be renamed to 024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor. The format for this naming scheme is [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].thor, so the first 16 hexadecimal characters of every encrypted filename on a machine are the same victim ID and only the last 16 vary per file.
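Because the victim ID is embedded in every encrypted filename, a directory listing is enough to confirm the variant and to tell whether one or several IDs (and therefore infections) are present. The parser below is an added example written for this article, not a tool from the original post; the sample listing is constructed, and the assumption that all files from one infection share the same leading 16 hex characters follows from the naming scheme as described above.

```python
import re

# Name layout from the article: 8-4-4 hex chars of the victim ID, then a
# 4 and a 12 hex char per-file part, with the .thor extension.
THOR_NAME_RE = re.compile(
    r"^(?P<id_a>[0-9A-F]{8})-(?P<id_b>[0-9A-F]{4})-(?P<id_c>[0-9A-F]{4})-"
    r"(?P<file_a>[0-9A-F]{4})-(?P<file_b>[0-9A-F]{12})\.thor$",
    re.IGNORECASE,
)


def parse_thor_name(filename):
    """Split a .thor filename into the 16-hex victim ID and the per-file part, or None."""
    m = THOR_NAME_RE.match(filename)
    if not m:
        return None
    return {
        "victim_id": (m["id_a"] + m["id_b"] + m["id_c"]).upper(),
        "file_part": (m["file_a"] + m["file_b"]).upper(),
    }


def summarize_thor_files(names):
    """Group encrypted files by victim ID; flag .thor names that do not fit the scheme."""
    per_id = {}
    unmatched = []
    for name in names:
        if not name.lower().endswith(".thor"):
            continue  # untouched file, ransom note, etc.
        parsed = parse_thor_name(name)
        if parsed is None:
            unmatched.append(name)
            continue
        per_id.setdefault(parsed["victim_id"], []).append(name)
    return {
        "encrypted_count": sum(len(v) for v in per_id.values()),
        "victim_ids": per_id,
        "unmatched_thor": unmatched,
    }


# Constructed sample listing (hypothetical names, except the first, which is
# the example from the article). Two victim IDs are present on purpose.
SAMPLE_LISTING = [
    "024BCD33-41D1-ACD3-3EEA-84083E322DFA.thor",
    "024BCD33-41D1-ACD3-7F10-0A1B2C3D4E5F.thor",
    "024bcd33-41d1-acd3-91c2-ffeeddccbbaa.thor",
    "DEADBEEF-0001-0002-0003-000000000004.thor",
    "budget.xlsx",
    "readme.thor",
]

if __name__ == "__main__":
    summary = summarize_thor_files(SAMPLE_LISTING)
    print(summary["encrypted_count"], "encrypted files")
    for victim_id, files in summary["victim_ids"].items():
        print(victim_id, len(files))
    print("not matching scheme:", summary["unmatched_thor"])
```

Two distinct IDs in one share or profile usually means two separate executions (for example, two users opening the same attachment), which matters when you later try to match a ransom note or decryption ID to a set of files.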

It is not possible to decrypt the Locky Ransomware Thor Variant

Unfortunately, there is still no realistic way to decrypt files encrypted by Locky, and the new extension changes nothing about that.

At this time the only way to recover encrypted files is from a backup, or, if you are incredibly lucky, from Shadow Volume Copies. Locky does attempt to delete the Shadow Volume Copies, but in rare cases that deletion fails. So if you do not have a viable backup, I always suggest trying, as a last resort, to restore encrypted files from Shadow Volume Copies as well.
