The last few weeks saw new variants of the Locky ransomware that
employ a new anti-sandbox technique. In these new variants, Locky’s
order to decrypt embedded malicious code and execute it properly. For
in the following manner:
This new trick may pose challenges for automated Locky tracking systems
that rely on sandboxing, for the following reasons:
New Locky binaries will not execute properly without the correct parameter.
are already down.
the parameters “123” and “321”. Of course, Locky’s perpetrators can
easily change these values. So the question this raises is: how do we get
around this anti-sandbox mechanism?
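To make the mechanism concrete, here is an added example (not code from the post, and not Locky's actual loader or cipher) of a stager that derives its decryption key from a command-line parameter, refuses to run when the parameter is missing or wrong, and of the analyst-side counterpart: replaying the sample with a list of candidate parameters such as the “123” and “321” seen so far. The payload, the key derivation (SHA-256 in counter mode), the integrity tag and the `loader`/`recover_parameter` helpers are all constructed for this illustration.

```python
import hashlib
from typing import Optional, Sequence

# Constructed stand-in for the embedded malicious code: a fake PE that
# starts with the "MZ" magic. Not taken from any real sample.
PLAINTEXT_PAYLOAD = b"MZ\x90\x00" + b"DEMO-PAYLOAD-NOT-REAL-CODE" * 4


def keystream(param: str, length: int) -> bytes:
    """Derive a keystream from the command-line parameter.

    Hypothetical construction (SHA-256 over param || counter); it shows the
    idea of tying the key to argv, not the scheme Locky really uses.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(param.encode() + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_encrypted_payload(param: str, payload: bytes = PLAINTEXT_PAYLOAD) -> bytes:
    """What the packer would embed: SHA-256 tag || payload, XORed with the
    keystream derived from the parameter the operator will pass at run time."""
    plain = hashlib.sha256(payload).digest() + payload
    return xor_bytes(plain, keystream(param, len(plain)))


# Blob "embedded" in this sample, encrypted under the parameter "123".
EMBEDDED_BLOB = build_encrypted_payload("123")


def loader(argv: Sequence[str], blob: bytes = EMBEDDED_BLOB) -> Optional[bytes]:
    """Simulated stager: decrypt the blob with argv[1] and 'execute' (here:
    return) it only if the decrypt is intact. Returns None otherwise, which is
    what a sandbox that launches the file with no arguments would observe."""
    if len(argv) < 2:
        return None  # no parameter: the loader does nothing interesting
    plain = xor_bytes(blob, keystream(argv[1], len(blob)))
    tag, body = plain[:32], plain[32:]
    if tag != hashlib.sha256(body).digest() or not body.startswith(b"MZ"):
        return None  # wrong parameter: garbage, bail out without running it
    return body


def recover_parameter(blob: bytes, candidates: Sequence[str]) -> Optional[str]:
    """Analyst side: replay the sample with each known or guessed parameter
    and keep the first one that yields a valid decrypt. A real tracking
    harness would do the same by relaunching the binary in the sandbox."""
    for param in candidates:
        if loader(["locky.exe", param], blob) is not None:
            return param
    return None


if __name__ == "__main__":
    # Launched the way a naive sandbox would: no argument, nothing happens.
    print("no argument ->", loader(["locky.exe"]))
    # Launched with the parameter seen in the wild: payload decrypts.
    print("with 123    ->", loader(["locky.exe", "123"])[:4])
    # Replay with the parameters observed so far to find the right one.
    print("recovered   ->", recover_parameter(EMBEDDED_BLOB, ["321", "123"]))
```

The integrity tag is what makes the "will not execute properly" behaviour deterministic: with a wrong parameter the loader gets bytes that fail verification and exits quietly, so a sandbox run without the argument records no malicious activity. Replaying with a candidate list only works while the operators keep reusing the same values, which is exactly the weakness the post points out.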