Things change, however, and the internet marches on. Hackers latch on to the latest and greatest variants, and after a brief surge to the top, Locky was forgotten and passed over in preference for newer models. Until now.
Recently, a security researcher going by the handle Racco42, discovered a new strain of Locky, known as Diablo6 because this is the extension it appends to all the files it encrypts. The new strain is being distributed via a massive malspam campaign, with the email message simply announcing “Your Files Are Attached.”
If a user, in a moment of carelessness, opens the zipped file, it will install the new version of Locky, scan the user’s machine and encrypt all the files it finds. Once that operation is complete, it will delete itself, then display the ransom message. Currently, the ransom is set at 0.42 BitCoin, or about $1600.
Unfortunately, there’s no free way to decrypt files that have been encrypted by Locky-Diablo6, other than paying the ransom and hoping for the best. As ever, when faced with this type of attack, your best hope is to simply restore the files from your most recent backup, or from your Shadow Volume.
Note that the new version of Locky will try to delete your Shadow Volume, but for reasons not yet fully understood, the malware does not always succeed in doing so.
If it has managed to delete your Shadow Volume, and you don’t have a backup that’s recent enough to be helpful, then you’re faced with the same awful dilemma that so many other ransomware victims have faced in recent months. You can pay the toll and hope you get your files back, or eat the loss and move on as best as you can.
When you get to that point, there are no good choices to be made, so your best move is to see that it never comes to that. Backups matter. If you don’t currently have a robust backup plan in place, you’re flirting with disaster.