May 2016 came with a more user-friendly Locky ransomware

On 6 May our mailbox received a very nicely crafted email, apparently from a Gmail account, with an invoice zip file attached. The only body text was 'Sent from my Samsung device'.

But since we are always looking for new malware, we stopped at the sender IP, which does not belong to Gmail's mail servers.

Then again, who looks at email sources anyway? The Received: headers record which host actually handed the message over, whatever the From: line claims, and that is where the mismatch shows up.

To view the video, please switch to full screen.

Opening the attachment, we discover a JavaScript file named VA39….js

At this point you, as an end user, should already understand that something is wrong: an invoice does not arrive as a .js script.

But let's play with the malware. First we disabled the network connection, as you can see in the lower right corner of the video.

Then we move on to the source code. Interesting: our guy didn't bother with anything; after writing the script he simply compressed it with the Dean Edwards packer. Yes, it looks easier that way.

The problem is that once someone packs the script into this form, it is very hard to read what is inside until you unpack it and look at the actual source. The packer is not encryption, though: the packed blob is just the original text plus a small decoder function wrapped in an eval(), so making that eval() return the decoded string instead of running it gives the original script back.

The script contains a few large sections: the INIT part, the hex MD5 stream, a pick function, a base64decode function, some conversions, and the 'quickwitted' function.

Apparently this guy took pieces of the older version and gave it a face-lift, even leaving inside the name of the online tool he used to pack the script.

All of these pieces serve one purpose: building the location from which the script fetches the final executable, the one that encrypts all your personal data, as you already know.

Watching the video, you will see that until we re-enable the network connection the script only keeps trying to connect.

Once we open the connection, it runs the program it has just downloaded: OYWVCwQ.exe

After one minute our images are gone, and this time we get a _HELP_instruction file in HTML format.

Why? Very simple: opening this file gives the victim quicker access to the information, where to learn about the encryption used and where to obtain the key for the lost data.

It also has a direct link to a Tor download location, although we don't understand why this guy didn't link straight to the Tor website.

We downloaded Tor to continue our story.

Finally we found the Bitcoin address of this guy and the fact that he is asking 4.1 BTC, which is no less than $1,844.60.

Wow, not so little, is it? We hardly need to remind you that there is no guarantee you get your files back even if you pay.


We hope you liked this article; if so, don't forget to share it on Facebook.

And don't forget: never play with malware on your own computer unless you really know what you are doing. It is like playing with human viruses on your desk without ever having taken a medicine class. Be careful. We are not responsible if you damage your own or a third party's computer using our posts.




