Locky ransomware continues to evolve and has again changed the filename extension used to encrypt files. This time using the file extension “.osiris” on all files it encrypts.

Locky will encrypt image files found on the system leaving them inaccessible unless the ransom is paid to acquire the decryption keys.

Figure 1 – Example of image files

Locky ransomware uses an email lure like the one shown in Figure 2 to get victims to open attachments.

Figure 2 – example of phishing email with Locky downloader attached

After infection, Locky will encrypt files and modify the systems desktop image as well as present an HTML page with ransom demands.

Figure 3 – Locky ransom demand page and .bmp desktop image

Ransomware like Locky is an ever present danger in today’s threat landscape and as seen here, under constant development in order to increase the chances it evades detection and affects more victims.