According to security researcher Timothy Davies, a new version of the Locky Ransomware, aka Zepto, has been circulating since around September 5th, 2016 that includes an embedded RSA key. This key allows Locky to encrypt a victim’s computer without having to contact its Command & Control server. As many system administrators block Command & Control servers on their firewalls, by using an embedded RSA key, Locky can encrypt a computer regardless of what has been blocked at the edge.
The good news is that this version is having distribution problems, as its attachments are not being named properly. For example, a current campaign is using ZIP attachments that contain JS files. When executed, these files give an error as seen below.
This error is occurring because the attachments are actually HTA files and not JS files. Once the file is renamed to HTA, it works properly.
Other than that, this version continues to append the .ZEPTO extension to encrypted files and create ransom notes that are named %Desktop%\[number]_HELP_instructions.html, %Desktop%\_HELP_instructions.html, and %Desktop%\_HELP_instructions.bmp.
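The two observations above (an HTA body shipped under a .js name, and the fixed .ZEPTO extension plus ransom note names) are both things a mail gateway or endpoint scan can check for. The following is an added example written for this article, not code from the article or from any vendor tool. It sniffs ZIP members for HTA/HTML markers and compares that to the claimed extension, then counts Zepto file-system indicators by name. The archive contents, file names and the marker list are constructed and heuristic; they are assumptions for the demo, not observed samples.

```python
"""Added example: flag misnamed HTA attachments and Zepto file-system indicators.

Illustrative detection code only. Sample payload bytes and file names below
are constructed for the demo and are not taken from real malware.
"""
import io
import re
import zipfile

# Heuristic markers suggesting an HTML Application / HTML document regardless
# of the extension the file carries. Checked against the first 4 KiB, lowercased.
HTA_MARKERS = (b"<hta:application", b"<html", b"<head", b"<script")

# Ransom note names reported for this variant:
# [number]_HELP_instructions.html, _HELP_instructions.html, _HELP_instructions.bmp
RANSOM_NOTE_RE = re.compile(r"^(?:\d+)?_HELP_instructions\.(?:html|bmp)$", re.IGNORECASE)
ENCRYPTED_EXT = ".zepto"


def looks_like_hta(data: bytes) -> bool:
    """True if the content looks like HTA/HTML rather than plain JavaScript."""
    head = data[:4096].lower()
    return any(marker in head for marker in HTA_MARKERS)


def classify_attachment(name: str, data: bytes) -> str:
    """Label an archive member by comparing its extension to its content.

    Returns one of: 'hta-misnamed-as-js', 'hta', 'script', 'other'.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "js" and looks_like_hta(data):
        return "hta-misnamed-as-js"  # the failing-campaign case described in the article
    if ext == "hta" or (ext == "" and looks_like_hta(data)):
        return "hta"
    if ext in ("js", "jse", "vbs", "wsf"):
        return "script"
    return "other"


def scan_zip(zip_bytes: bytes) -> dict:
    """Classify every file member of a ZIP attachment held in memory."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = classify_attachment(info.filename, zf.read(info))
    return results


def scan_filenames(paths) -> dict:
    """Count Zepto indicators in a list of file paths (e.g. from a directory walk)."""
    encrypted = [p for p in paths if p.lower().endswith(ENCRYPTED_EXT)]
    notes = [p for p in paths
             if RANSOM_NOTE_RE.match(p.replace("\\", "/").rsplit("/", 1)[-1])]
    return {"encrypted_files": len(encrypted), "ransom_notes": len(notes)}


def build_sample_zip() -> bytes:
    """Constructed sample archive: one HTA body saved under a .js name, one real JS file."""
    hta_body = (b"<html><head><HTA:APPLICATION id=\"demo\"></head>"
                b"<body><script language=\"JScript\">/* placeholder */</script></body></html>")
    js_body = b"var n = 1;\nfunction add(a, b) { return a + b; }\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_0912.js", hta_body)
        zf.writestr("helper.js", js_body)
    return buf.getvalue()


if __name__ == "__main__":
    for member, label in scan_zip(build_sample_zip()).items():
        print(f"{member}: {label}")
    # Constructed paths mirroring the ransom note and extension patterns above.
    sample_paths = [
        r"C:\Users\demo\Desktop\1234567_HELP_instructions.html",
        r"C:\Users\demo\Desktop\_HELP_instructions.bmp",
        r"C:\Users\demo\Documents\report.docx.zepto",
        r"C:\Users\demo\Documents\notes.txt",
    ]
    print(scan_filenames(sample_paths))
```

The content sniff is deliberately loose: a legitimate script that embeds an HTML string literal will also trip it, so treat "hta-misnamed-as-js" as a reason to quarantine for review rather than a verdict on its own. Pair the file-name check with a count threshold before alerting, since a single stray .zepto file is far less telling than a burst of them alongside the ransom notes.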
This version is targeting the following extensions for encryption: