Branding is powerful stuff. Even malware writers appear to think so. Otherwise, why would they fake the well-known Locky ransomware? The new AutoLocky ransomware was detected by Fabian Wosar from Emsisoft.
Unlike the original Locky, this malware is written in the AutoIt scripting language, and it does not use Tor to connect to C&C servers. However, the result is almost the same. After infecting the PC, AutoLocky adds itself to %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk. Once installed, AutoLocky scans all fixed drives for targeted data files and encrypts them using the AES-128 algorithm. When a file is encrypted, the ransomware appends the .locky extension to the filename, so the file test.jpg would become test.jpg.locky.
To decrypt files, you can use the utility from Emsisoft: https://decrypter.emsisoft.com/download/autolocky
Just download and run it.
Technical information:
Associated AutoLocky Files:
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start.lnk
%UserProfile%\Desktop\info.html
%UserProfile%\Desktop\info.txt
Associated Network Hosts:
crazyloading.cc
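
The file indicators above can be checked on a suspect user profile with a short script. This is an added example, not code from Emsisoft or from the original post; the function names, the result labels and the sample directory are assumptions made for illustration, and the scan covers one profile directory rather than all fixed drives.

```python
import os
import tempfile
from pathlib import Path

# Files from the "Associated AutoLocky Files" list, relative to %UserProfile%.
INDICATOR_FILES = [
    Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/Start.lnk"),
    Path("Desktop/info.html"),
    Path("Desktop/info.txt"),
]
ENCRYPTED_SUFFIX = ".locky"


def triage_profile(profile_dir):
    """Report which indicator files exist and which files end in .locky."""
    profile = Path(profile_dir)
    present = [rel.as_posix() for rel in INDICATOR_FILES if (profile / rel).is_file()]
    encrypted = []
    # Unreadable directories are skipped rather than aborting the scan.
    for root, _dirs, files in os.walk(profile, onerror=lambda err: None):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(Path(root, name).relative_to(profile).as_posix())
    return {"indicator_files": present, "encrypted_files": sorted(encrypted)}


def classify(result):
    """The .locky extension is shared with the original Locky, so it is only
    treated as AutoLocky when the files listed above are present as well."""
    if result["indicator_files"] and result["encrypted_files"]:
        return "likely-autolocky"
    if result["encrypted_files"]:
        return "locky-extension-only"
    if result["indicator_files"]:
        return "indicator-files-only"
    return "clean"


def build_sample_profile(base):
    """Constructed sample data: empty placeholder files in a scratch directory."""
    for rel in (INDICATOR_FILES[0], INDICATOR_FILES[2], Path("Documents/test.jpg.locky")):
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        build_sample_profile(scratch)
        report = triage_profile(scratch)
        print(classify(report), report)
```

On a real machine, pass the affected user's profile directory to `triage_profile`. A "locky-extension-only" result means the extension alone does not show which of the two families encrypted the files.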