Locky Odin

Locky ransomware goes Nordic with Odin…

Locky now gives the encrypted files from its victims an “odin” file extension – and has added a few hundred new file types that it can readily encrypt.

Odin is a lead character from Nordic mythology, charged with a wide scope of activities ranging from healing to writing runes. He also sorts the final destination of those killed in battle, taking half of them to Einherjar, where they can party on with the Valkyries and prepare for additional battles.

For new ransomware victims, the latest Locky rendition does a more thorough job of going through the files on their computers and encrypting them – taking far more than the mythological Odin’s 50% share.

“The real difference is that they added an extra 256 file types. Changing the file extension from ‘.zepto’ to ‘.odin’ is just cosmetic,” said Moritz Kroll, malware specialist in the Avira Protection Labs. “By catching and encrypting a wider collection of files, they increase the chances that the targeted victim will pay the ransom.”

The new file types are designed to catch just about everyone, with potential victims ranging from gamers and film lovers to business owners and even malware analysts. Here are a few of the expanded user segments that caught our eyes at Avira:

Gamers – Players of the classic Doom game by id Software, with its “.wad” extension for game data files.

Movie lovers – Film fans that like watching subtitled movies. Locky is after those “.srt” subtitle files.

Small business owners – Intuit’s QuickBooks accounting software with its “.qba” and “.qbm” files.

Free software fans – People using the free OpenOffice suite, a substitute for Microsoft Office, with the bad guys adding the formula (“.odf”) files. Other OpenOffice formats were already on the list.

Graphics guys and gals – Those using Corel Draw “.cdr” files and the free Blender 3D rendering program. They can spend a really long time on this work, so it would be especially bad if those files were lost.

Malware analysts – Yes, those careful people using virtual machines for their research, with file extensions used by the QEMU, VirtualBox, and VirtualPC programs.

“Looking at the detailed list risks losing sight of the forest for the trees,” explained Kroll. “The important issue here is that bad guys are making an ever-finer net to catch more files. Simply hoping that you won’t be hit because you work in an obscure file format or eschew Windows programs is not enough.”
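As an added illustration (not part of the original post or of Avira’s own tooling), here is a small Python check over constructed file-rename events that flags a process renaming many files to the Locky extensions named above and reports which of the newly targeted file types were hit. The event format, process ids, paths and threshold are assumptions.

```python
import re
from collections import defaultdict

# Extension appended by this variant (".odin") and by its predecessor (".zepto").
LOCKY_EXTENSIONS = {".odin", ".zepto"}
# Newly added target types named in the post (a subset, not Locky's full list).
NEWLY_TARGETED = {".wad", ".srt", ".qba", ".qbm", ".odf", ".cdr"}

# Constructed sample of file-rename events: "<time> <pid> RENAME <old> -> <new>"
SAMPLE_EVENTS = """\
10:00:01 4412 RENAME C:\\Users\\bob\\Games\\doom2.wad -> C:\\Users\\bob\\Games\\8A3F0C11.odin
10:00:01 4412 RENAME C:\\Users\\bob\\Movies\\film.srt -> C:\\Users\\bob\\Movies\\9B4E1D22.odin
10:00:02 4412 RENAME C:\\Users\\bob\\Books\\company.qbm -> C:\\Users\\bob\\Books\\0C5F2E33.odin
10:00:02 4412 RENAME C:\\Users\\bob\\Docs\\calc.odf -> C:\\Users\\bob\\Docs\\1D603F44.odin
10:00:05 2200 RENAME C:\\Users\\bob\\Docs\\draft.txt -> C:\\Users\\bob\\Docs\\final.txt
"""

EVENT_RE = re.compile(r"^(\S+) (\d+) RENAME (.+?) -> (.+)$")


def extension(path):
    """Lower-cased extension of the final path component, or "" if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def flag_mass_renames(log_text, threshold=3):
    """Return {pid: {"count": n, "lost_types": [...]}} for every process that
    renamed at least `threshold` files to a Locky extension (assumed threshold)."""
    per_pid = defaultdict(lambda: {"count": 0, "lost_types": set()})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not rename events
        _, pid, old, new = m.groups()
        if extension(new) in LOCKY_EXTENSIONS:
            per_pid[pid]["count"] += 1
            per_pid[pid]["lost_types"].add(extension(old))
    return {pid: {"count": e["count"], "lost_types": sorted(e["lost_types"])}
            for pid, e in per_pid.items() if e["count"] >= threshold}


def newly_targeted_hits(flagged):
    """Which of the newly added target types appear among the renamed originals."""
    return sorted({ext for e in flagged.values() for ext in e["lost_types"]
                   if ext in NEWLY_TARGETED})


if __name__ == "__main__":
    hits = flag_mass_renames(SAMPLE_EVENTS)
    print(hits, newly_targeted_hits(hits))
```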


Reference sample:
https://www.virustotal.com/en/file/86d229d219a21ab8092839a4361d30977e56c78f0ada10b6d68363b2834dd1dc/analysis/


As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.