AutoLocky targets Windows, and its distribution method is currently unknown. Because its icon was designed to resemble an Adobe PDF icon, researchers speculate that it arrives as a phishing-email attachment. It imitates the better-known Locky family by appending .locky to encrypted files, but it differs in the style of its ransom note and does not use Tor to reach its command-and-control (C2) servers. AutoLocky is written in AutoIt, an open-source scripting language used for automation on Microsoft Windows. Although it uses strong AES-128 encryption, it does not delete Volume Shadow Copies on infected systems, so files can often be recovered from those snapshots without paying the ransom. AutoLocky demands a ransom of 0.75 Bitcoin to decrypt files.
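The practical consequence of the shadow-copy point is worth seeing in working form. The PowerShell script below is an added example, not code from the original article or from any of the researchers it cites: it counts .locky files under a directory, checks whether Volume Shadow Copies still exist (a family that wipes them would leave this list empty), exposes the newest snapshot of that volume through a directory symlink, and reports or restores the pre-encryption copy of each file. It assumes, as the text's "appending .locky" wording suggests but does not state, that the encrypted file keeps its original name with .locky added, and that a snapshot predates the infection; the $ScanRoot and $MountPath parameters and the -Restore switch are this example's own.

```powershell
# Added example (not from the original article): triage AutoLocky-style encryption
# and recover originals from Volume Shadow Copies, which AutoLocky leaves intact.
# Assumptions (not stated on the page): the encrypted file keeps its original name
# with ".locky" appended, and at least one shadow copy predates the infection.
# Run from an elevated PowerShell prompt on the affected host.

param(
    [string]$ScanRoot  = 'C:\Users',        # where to look for .locky files
    [string]$MountPath = 'C:\ShadowMount',  # symlink that will point into the snapshot
    [switch]$Restore                        # without this switch the script only reports
)

# 1. Confirm the infection artefact the page describes: files ending in .locky.
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue
Write-Host ("Found {0} .locky files under {1}" -f $encrypted.Count, $ScanRoot)

# 2. Enumerate shadow copies. Families that run 'vssadmin delete shadows /all /quiet'
#    leave this empty; AutoLocky does not delete them.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) { Write-Warning 'No shadow copies present; VSS recovery is not possible.'; return }
$shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 3. Pick the newest copy of the volume holding $ScanRoot and expose it via a directory symlink.
#    Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form.
$driveLetter = (Split-Path -Qualifier $ScanRoot) + '\'
$volume = Get-CimInstance -ClassName Win32_Volume |
          Where-Object { $_.DriveLetter -and ($_.DriveLetter + '\') -eq $driveLetter }
$shadow = $shadows | Where-Object { $_.VolumeName -eq $volume.DeviceID } | Select-Object -First 1
if (-not $shadow) { Write-Warning "No shadow copy for $driveLetter"; return }

if (Test-Path $MountPath) { cmd /c rmdir $MountPath | Out-Null }   # stale link from an earlier run
# mklink requires the trailing backslash on the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path
cmd /c mklink /d $MountPath ($shadow.DeviceObject + '\') | Out-Null

# 4. For each encrypted file, look up the pre-encryption copy in the snapshot and restore it.
$recovered = 0
foreach ($f in $encrypted) {
    $original     = $f.FullName.Substring(0, $f.FullName.Length - '.locky'.Length)  # strip the appended extension
    $relative     = $original.Substring($driveLetter.Length)                      # path below the drive root
    $snapshotCopy = Join-Path $MountPath $relative
    if (Test-Path -LiteralPath $snapshotCopy) {
        if ($Restore) { Copy-Item -LiteralPath $snapshotCopy -Destination $original -Force }
        $recovered++
    }
}
$mode = if ($Restore) { 'restored' } else { 'dry run; re-run with -Restore to copy them back' }
Write-Host ("{0} of {1} files have a pre-encryption copy in shadow {2} ({3})" -f $recovered, $encrypted.Count, $shadow.ID, $mode)

# 5. Remove only the symlink; rmdir on a directory symlink never touches the snapshot contents.
cmd /c rmdir $MountPath | Out-Null
```

Run it once without -Restore to see how many files the newest snapshot covers before writing anything back, and take a forensic image first if the host is evidence; the restored originals overwrite nothing but the stripped-extension path, so the .locky copies remain available for the Emsisoft decrypter if a snapshot turns out to be too old.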
- Bleeping Computer provides more information about AutoLocky here.
- Emsisoft offers a decryption tool for files encrypted by AutoLocky, available here.