New Locky ransomware variants are frequently developed to keep security researchers on their toes. The malicious ransomware is highly sophisticated and further development allows the gang behind the crypto-ransomware to keep raking in millions of dollars in ransoms.

According to security researchers at Avira, a new Locky variant has now been discovered with new capabilities that spell trouble for businesses, even those with highly advanced security systems in place. Now, even rapid detection of Locky will not prevent files from being encrypted. Even if Locky cannot contact its command and control server, it will still execute and encrypt files. Previous Locky ransomware variants would only encrypt files after C&C server contact was established.

This means that if Locky is detected on a computer, shutting down the network or blocking communications will not prevent files from being encrypted. This is one of the few options open to organizations to limit the damage caused if ransomware is discovered.

New Locky Ransomware Variants Encrypt Without C&C Server Contact

Many of the latest ransomware strains use public key cryptography to lock users’ files. They will not encrypt files if systems are taken offline because they require contact with a C&C server to obtain the public-private key pairs that are used to lock files. These are only generated if a connection to the C&C is made. The private key that is used to unlock files is stored on the attacker’s server and never on the local machine that is infected.

Without a connection, unique keys for each user cannot be generated. This means that even if millions of computers are locked, one key will unlock them all. By generating a unique key for each infection, a ransom must be paid for each device that is encrypted. Without this, a business would only need to pay one ransom payment to unlock all infected devices.

Fortunately, that is the case with the latest Locky strain. If no C&C contact is made, all infected devices will be locked with the same key. That means only one ransom payment may need to be paid. However, if C&C contact is established, the AES encryption key will be encrypted using a separate RSA encryption key for each device and multiple payments will be required.

Avira reports that the new Locky ransomware variants use separate types of victim IDs, depending on whether files were encrypted offline or online. Offline infections use a 32-character alphabet for the victim IDs – “YBNDRFG8EJKMCPQX0T1UWISZA345H769” – rather than hex digits. By doing so, the attackers can determine which key to supply to unloick the encryption.

According to Avira’s Moritz Kroll, “Theoretically, if a company with a domain controller is hit by the new Locky and sees a non-hexdigit ID like ‘BSYA47W0NGXSWFJ9’, it might be cheaper to generate a victim ID with the same public key ID but without saying it’s a corporate computer.” That key can then be used for all other devices that have been infected.

While this may work, it is no substitute for having a viable backup. It is also far better to block the malicious spam emails that are used to deliver the ransomware using an advanced spam filtering solution such as SpamTitan, and to prevent drive-by downloads using WebTitian.