Over the past few days, the Locky / Zepto developers have switched to using a DLL to install the Locky Ransomware rather than an executable. This is probably being done for further obfuscation and to bypass executable blockers as rundll32.exe is typically white listed.

Locky is still being distributed via JS attachments, which when executed will download an encrypted version of the executable. Once the payload is decrypted to a DLL file it will run it using the following command:

"C:\Windows\System32\rundll32.exe" C:\Users\User\AppData\Local\Temp\MFJY1A~1.DLL,qwerty 323

You can see the DLL being executed by rundll32.exe in the image below.

Locky executing via DLL

Other than installing Locky via a DLL, nothing else has changed. It is still appending Zepto to the end of encrypted files and generating the same ransom notes. I am unsure what file extensions were previously being targeted, but the current extensions are: