.lockymap : Another variant of PyLocky ransomware

A team of cybersecurity researchers has discovered a new cryptovirological strain from the family PyLocky ransomware. This ransomware strain delivers its payload through executable files attached in phishing emails. Developers of .lockymap ransomware have used encryption algorithm ABS-256 to lock down the files on affected computers. As per encryption experts, this algorithm entails complex encryption matrices and is usually used to protect military grade gadgets.

As soon as the malicious code of .lockymap completes its encryption activity, a ransomware note in the form of text file appears on the screen. Victims are instructed in the note to download Tor browser in order to purchase the decrypter for ransomware removal. The attackers also offer the restoration of one encrypted file for free to assure the victims that they have the decryption key. The operators also threaten to double the amount of ransom in case victims don’t contact them for ransomware removal within four days after the attack.

Initial investigation suggests that the newly discovered ransomware strain might also penetrate into the Windows Registry Editor. The sub-keys of Run and RunOnce are the actual target of the strain in the Editor in order to create values for the automatic execution of ransomware whenever the victim turns on the device.

The infiltration of .lockymap ransomware in the Windows Registry also means that the strain is going to delete all the data backed up on the device. Researchers have identified the commands executed by the ransomware to delete shadow volume copies. The ransomware strain is capable of encrypting more than two dozen file extensions. Apart from encrypting a lot of files in the targeted device, the executable file of the ransomware is also stored in several system directories including Temp, AppData, Local and Roaming. Digital security researchers are still trying to work out particular ransomware removal measures for the .lockymap strain.