Locky ransomware’s newest variant appends the extension “.ykcol” to every file it affects using its encryption mechanism.
Stormshield malware analyst coldshell came across the new variant on 18 September. As with its previous forms, Locky relies on a malspam campaign for distribution. This operation pushes out emails with the subject line “Status of invoice” that contain a 7z attachment.
— coldshell (@coldshell) September 18, 2017
Bleeping Computer’s Lawrence Abrams says that’s an interesting attachment choice for malware delivery:
“It is strange that they are using a 7z attachment considering that many recipients may not have the software required to open it. This is probably being done to bypass more stringent filters put in place recently by Gmail and other mail services.”
The attachment conceals a VBS file that loads and executes the Locky payload.
Upon execution, the ransomware gets to work scanning the infected computer for files it can encrypt. It alters the file name and appends the “.ykcol” extension to each file it finds and encrypts. Once that’s done, Locky removes the download executable and displays its ransom note. The message contains a link to a .onion payment portal where victims receive instructions to fulfill a ransom demand of 0.25 Bitcoin (about $995).
At this time, victims of Locky’s “.ykcol” variant or any of its previous versions cannot recover their files using a free decrypter. They can try to restore their data using their computers’ Shadow Volume Copies. However, many ransomware remove those backup copies as part of the infection process, so recovery is by no means guaranteed.
With that said, users and businesses should focus instead on preventing a ransomware infection. They can do so by updating their systems on a regular basis, installing an anti-virus solution on computers connected to the web, and acknowledging the danger posed by suspicious links and email attachments. They should also back up their critical data on an ongoing basis.
For more information on how to protect against the growing ransomware threat, please click here.