Locky ransomware is back once again, this time appending an .aesir extension to the victim’s files. It appears that the cyber criminals behind the ever-evolving ransom encryptor have intentionally chosen the name of the Norse god Æsir. This is indeed a sequel of carefully chosen file extension names shaping Locky’s god-like status in the ransomware world. .thor, .locky, .odin, and now .aesir iterations are all equally devastating to the user. It’s safe to assume that all cybercriminals spreading malware want to achieve the success of Locky, evident by the Locky imitators. In fact, all big ransomware families have not-so-sophisticated counterparts that are sometimes quite easy to decrypt. Unfortunately that’s not the case with Locky and all of its iterations.
Locky .aesir Ransomware Virus Technical Details
1. Distribution
Security researchers have discovered that the Aesir iteration of Locky is distributed via spam messages containing malicious e-mail attachments in the form of .zip files. The name of the archive is “logs_{random-id}.zip”.
The text body of the email was as it follows:
Dear {First Name},
We’ve been receiving spam mailout from your address recently. Contents and logging of such messages are in the attachment.
Please look into it and contact us.
Best Regards,
Edith Hancock
ISP Support Tel.: (840) 414-21-61
If you receive a similar email message, beware that it is spam containing malware and you shouldn’t open anything in it under any circumstances.
2. Infection details
The Aesir iteration of Locky is not much different than the previous versions, especially the .shit one. The Aesir iteration uses Javascript files and could also employ .hta files for the infection process. Once the infection is initiated, Locky would proceed with the encryption. The encryption process changes the structure of the victim’s files so that it is impossible to open them. The encryption algorithm most likely used is AES.
Remove .aesir Ransomware Virus and Restore Encrypted Files
Infected user should immediately remove the ransomware, preferably via a strong anti-malware program. However, victims should first backup the encrypted files.
From there, malware researchers strongly advise against directly paying the ransom fee of Locky’s Aesir iteration and instead to focus on other methods try and to restore their files, i.e.:
- Data Recovery programs.
- Any Windows shadow copies.
- Using a network sniffer to restore the encrypted files by locating the decryption key the Karma ransomware sends to the cyber-criminals.