{"id":1712,"date":"2016-03-16T08:27:50","date_gmt":"2016-03-16T13:27:50","guid":{"rendered":"http:\/\/swildow.darktech.org\/wp\/?p=1712"},"modified":"2016-03-16T08:54:05","modified_gmt":"2016-03-16T13:54:05","slug":"a-closer-look-at-the-locky-ransomware","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=1712","title":{"rendered":"A closer look at the Locky ransomware"},"content":{"rendered":"
\n

A closer look at the Locky ransomware<\/span><\/h1>\n<\/div>\n
\n

Today, we bring you a deep look into the latest ransomware called Locky. This new file encryptor, targeting PC users, has most likely been created by authors of the\u00a0<\/span>well-known Dridex botnet<\/a>\u00a0<\/span>and is spread the same way.<\/p>\n

Locky uses all \u201ctop class\u201d features, such as a domain generation algorithm, custom encrypted communication, TOR\/BitCoin payment, strong RSA-2048+AES-128 file encryption and can encrypt over 160 different file types, including virtual disks, source codes and databases.<\/p>\n

We monitored the Locky family this past month and discovered a second variant of the malware, which has new features and program code improvements. Locky\u2019s authors added a new hard-coded seed to the domain generation algorithm, which allows them to deactivate Locky on Russian PCs.<\/p>\n

Infection vector<\/h1>\n

Locky is spreading via spam email campaigns that are similar to those used by the Dridex botnet. They use similar file names, obfuscation, email content and structure of download URLs.<\/p>\n

We have observed three different campaign versions of Locky and have described them below.<\/p>\n

Below is an example of one of the spam emails. The emails are designed to make people believe they were sent from large companies such as Nordstrom, Symantec and Crown Holdings.<\/p>\n

\"email.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

We found different malicious documents (Word, Excel, etc.) attached to the emails that include macros with obfuscated Visual Basic Script (VBS). The malware authors use social engineering to get people to enable the by default disabled macros. The malicious code contains autoopen() sub, which triggers the VBS to automatically run once the macros have been enabled.<\/p>\n

\"doc_macro_autoopen.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

Campaign Version One<\/h2>\n

\"camp_01.png\"<\/p>\n

The authors of Locky used uncommon obfuscation via the CallByName function and a significant string to generate the VBS code.<\/p>\n

\"camp_01_string.png\"<\/p>\n

The obfuscation is simple and is the same obfuscation as found inside Dridex email campaigns. The download \u00a0URL is \u201cencrypted\u201d and hard-coded as an array.<\/p>\n

VBS after deobfuscation:<\/p>\n

\"camp_01_deobf.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

 <\/p>\n

Campaign Version Two<\/h2>\n

\"camp_02.png\"<\/h2>\n

<\/h2>\n

In the second campaign, the author used more complicated obfuscation over script files and added more steps before downloading the final PE binary file.<\/p>\n

Obfuscated batch file:<\/p>\n

\"camp_02_batch_obf.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

Final deobfuscation Visual Basic Script:<\/p>\n

\"camp_02_deobf.png\"
\n<\/strong><\/strong><\/span><\/span>Execution script and hard-coded plaintext download URL:<\/p>\n

\"camp_02_url.png\"<\/p>\n

Campaign Version Three<\/h2>\n

\"camp_03.png\"<\/p>\n

We also spotted emails with a very generic obfuscated JavaScript downloader inside the Zip archives.<\/p>\n

\"camp_03_obf.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

Here, we saw the same downloader that was featured in Campaign version two. In this case, however, it was just rewritten in JavaScript language.<\/p>\n

Here is the JavaScript after deobfuscation:<\/p>\n

\"camp_03_deobf.png\"
\n<\/strong><\/strong><\/span><\/span>Downloading and executing the Locky malware is the last and final step of all of the three mentioned campaigns.<\/strong><\/p>\n

We also spotted two specific types of download URLs inside the infected documents and archives.<\/p>\n

 <\/p>\n

 <\/p>\n\n\n\n\n
Domain Type 1<\/strong><\/td>\nDomain Type 2<\/strong><\/td>\n<\/tr>\n
ecoledecorroy.be\/1\/1.exeonigirigohan.web.fc2.com\/1\/1.exe<\/p>\n

killerjeff.free.fr\/2\/2.exe<\/p>\n

lasmak.pl\/2\/2.exe<\/p>\n

animar.net.pl\/3\/3.exe<\/p>\n

uponor.otistores.com\/3\/3.exe<\/p>\n

premium34.tmweb.ru\/4\/4.exe<\/p>\n

suicast.de\/4\/4.exe<\/p>\n

bebikiask.bc00.info\/5\/5.exe<\/p>\n

ratgeber-beziehung.de\/5\/5.exe<\/p>\n

proteusnet.it\/6\/6.exe<\/p>\n

test.rinzo.biz\/6\/6.exe<\/p>\n

avp-mech.ru\/7\/7.exe<\/p>\n

luigicalabrese.it\/7\/7.exe<\/td>\n

173.214.183.81\/~tomorrowhope\/09u8h76f\/65fg67n66.133.129.5\/~chuckgilbert\/09u8h76f\/65fg67n<\/p>\n

iynus.net\/~test\/09u8h76f\/65fg67n
\nmondero.ru\/system\/logs\/56y4g45gh45h\u00a0<\/span><\/p>\n

neways-eurasia.com.ua\/system\/logs\/7647gd7b43f43.exe<\/p>\n

tcpos.com.vn\/system\/logs\/56y4g45gh45h<\/p>\n

tramviet.vn\/system\/logs\/7647gd7b43f43.exe<\/p>\n

www.bag-online.com\/system\/logs\/56y4g45gh45h<\/p>\n

choobyta.com\/system\/logs\/23f3rf33.exe<\/p>\n

bitmeyenkartusistanbul.com\/system\/logs\/87h754\/<\/p>\n

shop.havtoto.bget.ru\/system\/logs\/45g456jhyfg
\nwww.iglobali.com\/34gf5y\/r34f3345g.exe<\/p>\n

www.jesusdenazaret.com.ve\/34gf5y\/r34f3345g.exe<\/p>\n

www.southlife.church\/34gf5y\/r34f3345g.exe<\/p>\n

www.villaggio.airwave.at\/34gf5y\/r34f3345g.exe<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


\n<\/strong><\/strong><\/span><\/span>Malicious documents from campaign version two use a very specific Base64 decode function written in Visual Basic Script, which we also discovered inside other Banker\/Banload\/RAT malware campaigns in Brazil.<\/p>\n

\"vbs_debase.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

 <\/p>\n

Locky file cryptor<\/h1>\n

We first saw samples of Locky spreading without a PE packer, which is strange as malware usually contains generic PE packers to avoid AV detections.<\/p>\n

Below is a graph of newly infected countries, day by day (DD\/MM\/YYYY). There are three peaks, which represent new campaigns targeting different geo-locations. The total count of infected countries is over 160.<\/p>\n


\n\"country_hits.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

 <\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Date<\/strong><\/td>\nCount<\/strong><\/td>\nInfected countries<\/strong><\/td>\n<\/tr>\n
18.02. 2016<\/td>\n18<\/td>\nBrazil, Viet Nam, South Africa, Ghana, Lithuania, Bulgaria, Kuwait, Croatia, Namibia, Germany, France, Spain, Ukraine, Peru, Mexico, Chile, Ecuador, United States<\/td>\n<\/tr>\n
19.02. 2016<\/td>\n24<\/td>\nPhilippines, India, Austria, Lebanon, South Korea, Thailand, Slovenia, Czech Republic, Hungary, Moldova, Belgium, Italy, Greece, Romania, Netherlands, Indonesia, Poland, Morocco, Ireland, Kenya, Bolivia, Costa Rica, Jamaica, Colombia<\/td>\n<\/tr>\n
20.02. 2016<\/td>\n2<\/td>\nMalaysia, Paraguay<\/td>\n<\/tr>\n
21.02. 2016<\/td>\n1<\/td>\nArgentina<\/td>\n<\/tr>\n
22.02. 2016<\/td>\n4<\/td>\nSerbia, Luxembourg, Singapore, Bangladesh<\/td>\n<\/tr>\n
23.02. 2016<\/td>\n2<\/td>\nFinland, Puerto Rico<\/td>\n<\/tr>\n
24.02.2016<\/td>\n12<\/td>\nSri Lanka, Saudi Arabia, Brunei Darussalam, Pakistan, Cambodia, Great Britain, Taiwan, Guatemala, Curacao, Canada, Portugal, Japan<\/td>\n<\/tr>\n
25.02. 2016<\/td>\n4<\/td>\nBosnia and Herzegovina, Azerbaijan, Tunisia, Slovakia<\/td>\n<\/tr>\n
26.02. 2016<\/td>\n22<\/td>\nAustralia, Hong Kong, Israel, Kyrgyzstan, Turkey, Switzerland, Estonia, Sweden, Denmark, Guadeloupe, Russian Federation, Malta, Egypt, Reunion, Norway, China, Martinique, Macedonia, United Arab Emirates, Barbados, Cyprus, Venezuela<\/td>\n<\/tr>\n
27.02. 2016<\/td>\n4<\/td>\nQuatar, Maledives, Zimbabwe, Algeria<\/td>\n<\/tr>\n
28.02. 2016<\/td>\n5<\/td>\nPanama, Jordan, Djibouti, Congo, Uruguay<\/td>\n<\/tr>\n
29.02. 2016<\/td>\n7<\/td>\nGeorgia, Latvia, Uganda, Gabon, Angola, Nigeria, Cameroon<\/td>\n<\/tr>\n
01.03. 2016<\/td>\n6<\/td>\nComoros, Congo, Senegal, Nicaragua, New Caledonia, El Salvador<\/td>\n<\/tr>\n
02.03. 2016<\/td>\n6<\/td>\nNew Zealand, Botswana, Niger, Madagascar, Haiti, C\u00f4te d\u2019Ivoire<\/td>\n<\/tr>\n
03.03. 2016<\/td>\n5<\/td>\nBelarus, Kazakhstan, Iraq, Armenia, Dominican Republic<\/td>\n<\/tr>\n
04.03. 2016<\/td>\n3<\/td>\nMauritius, Benin, Honduras<\/td>\n<\/tr>\n
05.03. 2016<\/td>\n22<\/td>\nZambia, Mali, Liechtenstein, Cabo Verde, Iceland, Yeman, Guernsey, Macao, Palestine, Monaco, Tanzania, Guyana, Bahamas, Bahrain, Togo San Marino, Cook Islands, Malawi, Vatican City State, Vanuatu, Grenada, French Polynesia<\/td>\n<\/tr>\n
06.03. 2016<\/td>\n11<\/td>\nNorthern Mariana Islands, Oman, Seychelles, Nepal, Liberia, Libya, Gibraltar, Andorra, Montenegro, \u00c5land Islands, Saint Kitts and Nevis<\/td>\n<\/tr>\n
07.03. 2016<\/td>\n9<\/td>\nFrench Guiana, Mongolia, Lao People\u2019s Democratic Republic, Tonga, Turkmenistan, Ethiopia, Mozambique, Albania, Swaziland<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

 <\/p>\n

The top 10 countries that have encountered Locky are: France, Italy, Germany, Spain, USA, Great Britain, Poland, Japan, Czech Republic, and Canada.<\/p>\n

Persistence<\/h2>\n

After its execution, the Locky binary is copied to the\u00a0<\/span>%TEMP%\u00a0<\/span><\/i>directory and renamed tosvchost.exe<\/i>, to make it difficult for people to find and delete. The malware then removes the:Zone.Identifier<\/i>\u00a0<\/span>flag from the newly created\u00a0<\/span>svchost.exe<\/i>\u00a0<\/span>file (to bypass the \u201cFile Downloaded from the Internet\u201d warning) and executes it.<\/p>\n

\"zone_ident.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

The first downloaded Locky binary is moved to the\u00a0<\/span>%TEMP%<\/i>\u00a0<\/span>directory, renamed as \u201csys*.tmp<\/i>\u201d and deleted by\u00a0<\/span>cmd.exe<\/i>.<\/p>\n

\"cmd_del_origin.png\"
\n<\/strong><\/strong><\/span><\/span>Locky also sets a registry value to\u00a0<\/span>Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/i>\u00a0<\/span>in case the infected PC is restarted before the malware encrypts all the files. In this case, Locky encrypts the files during the next session.<\/p>\n

\"currentversion_run.png\"
\n<\/strong><\/strong><\/span><\/span>The malware creates a new process with the CommandLine value \u201cvssadmin.exe Delete Shadows \/All \/Quiet<\/i>\u201d and deletes stored data from Volume Shadow Copy Service. This action prevents a backup retrieval or system restore from previous saved data on an infected computer.<\/p>\n

\"mountvol_olly.png\"
\n<\/strong><\/strong><\/span><\/span>The malware then adds a \u201ccompleted=1<\/i>\u201d value to the Locky registry key and deletes the previously added ..\\CurrentVersion\\Run<\/i>\u00a0<\/span>value after encrypting all possible files. It also opens an instruction text file,creates an image file from txt and sets an instruction image as the computer\u2019s desktop wallpaper.<\/p>\n

\"completed_after_encrypt.png\"
\n<\/strong><\/strong><\/span><\/span>The malware\u2019s process is closed and the malicious\u00a0<\/span>svchost.exe<\/i>\u00a0<\/span>file is deleted from the\u00a0<\/span>%TEMP%<\/i>directory in the last step.<\/p>\n

C&C servers<\/h2>\n

Locky contains hard-coded IP addresses of C&C (Command and Control) servers and also uses a domain generation algorithm, which is probably used as a backup in case the main hard-coded IPs are blocked.<\/p>\n

C&C servers are used for reporting infections and to exchange encryption keys.<\/p>\n

\"communication_wire.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

 <\/p>\n

Domain Generation Algorithm (DGA)<\/h3>\n

The original domain generation algorithm was based on two hard-coded seeds and the current system time of an infected machine. This DGA version generates six unique domains every two days.<\/p>\n

\"dga.png\"
\n<\/strong><\/strong><\/span><\/span>The authors decided to change the DGA by a less deterministic algorithm after a quick domains block or sinkhole from AVs. This version of DGA is now based on seed value hard-coded to malware binary and this seed can be changed at any time or in every sample. It also generates eight unique domains every two days.<\/p>\n

\"dga2.png\"
\n<\/strong><\/strong><\/span><\/span>Both versions use the following Top Level Domains:<\/p>\n

.be, .de, .eu, .fr, .in, .it, .nl, .pm, .pw, .ru, .tf, .uk, .us, .yt.<\/i><\/p>\n

You can download both DGA Python scripts\u00a0<\/span>here\u00a0<\/span><\/a>and\u00a0<\/span>here<\/a>.<\/p>\n

List of hard-coded IP addresses:<\/p>\n


\n<\/strong><\/strong><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Hard-coded IP<\/strong><\/td>\nISP\/Organization\/Geolocation<\/strong><\/td>\nResolved IP<\/strong><\/td>\n<\/tr>\n
5.34.183.136<\/td>\nUa Servers, UA<\/td>\nskaldin.uaservers.net<\/td>\n<\/tr>\n
31.41.47.3<\/td>\nRelinkRoute, Relink LTD, RU<\/td>\n31.41.47.3<\/td>\n<\/tr>\n
31.41.47.37<\/td>\nRelinkRoute, Relink LTD, RU<\/td>\ncasader.ce<\/td>\n<\/tr>\n
31.184.233.106<\/td>\nVirty.io Network, Virty.io, RU<\/td>\n31.184.233.106<\/td>\n<\/tr>\n
46.4.239.76<\/td>\nHetzner-rz-fks, ObjectNova, DE<\/td>\nstatic.76.239.4.46.clients.your-server.de<\/td>\n<\/tr>\n
85.25.138.187<\/td>\nPlusServer AG, BSB-Service GmbH, DE<\/td>\necho509.dedicatedpanel.com<\/td>\n<\/tr>\n
86.104.134.144<\/td>\nOne Telecom SRL, MD<\/td>\n144.onetelecom.md<\/td>\n<\/tr>\n
91.121.97.170<\/td>\nOvh Isp, Ovh Sas, FR<\/td>\nns353643.ip-91-121-97.eu<\/td>\n<\/tr>\n
91.195.12.185<\/td>\nHost4.Biz, PE Astakhov Pavel Viktorovich, UA<\/td>\n91-195-12-185.net.host4.biz<\/td>\n<\/tr>\n
91.234.33.206<\/td>\nFOP Sedinkin Olexandr Valeriyovuch, UA<\/td>\nclient.thehost.com.ua<\/td>\n<\/tr>\n
94.242.57.45<\/td>\nNET Network & vStoike.com DC, RU<\/td>\nmail.hsaworkshop.ru<\/td>\n<\/tr>\n
95.181.171.58<\/td>\nQwarta.ru, QWARTA LLC, RU<\/td>\n95.181.171.58<\/td>\n<\/tr>\n
109.237.111.168<\/td>\nAdman, Krek Ltd., RU<\/td>\n109.237.111.168<\/td>\n<\/tr>\n
109.234.38.35<\/td>\nVdsina, RU<\/td>\nqikos.sa<\/td>\n<\/tr>\n
185.14.29.188<\/td>\nCamper Solutions, NL<\/td>\nskaldin11.example.com<\/td>\n<\/tr>\n
185.14.30.97<\/td>\nCamper Solutions, NL<\/td>\nvepliok.pq<\/td>\n<\/tr>\n
185.46.11.239<\/td>\nAgava, RU<\/td>\nkvm17915.hv9.ru<\/td>\n<\/tr>\n
185.82.216.213<\/td>\nItldc1-sof1, BG<\/td>\nskaldin21.example.com<\/td>\n<\/tr>\n
188.138.88.184<\/td>\nPlusserver AG, intergenia AG, DE<\/td>\nxray730.dedicatedpanel.com<\/td>\n<\/tr>\n
192.71.213.69<\/td>\nRIPE Network Coordination Center. FR<\/td>\n335.ES.multiservers.xyz<\/td>\n<\/tr>\n
192.121.16.196<\/td>\nEDIS GmbH, AT<\/td>\n335.NL.multiservers.xyz<\/td>\n<\/tr>\n
193.124.181.169<\/td>\nMAROSNET Telecommunication Company Network, RU<\/td>\ntest.ru<\/td>\n<\/tr>\n
195.154.241.208<\/td>\nOnline SAS, FR<\/td>\n304.worldit.xyz<\/td>\n<\/tr>\n
212.47.223.19<\/td>\nLINXTELECOM Linx Telecommunications B.V., EE<\/td>\nought-scan.retirecompet.com.223.47.212.in-addr.arpa<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


\n<\/strong><\/strong><\/span><\/span>Nine servers are located in Russia, three in Germany and the rest is in France, Ukraine, theNetherlands, Austria, Bulgaria, Estonia and Moldova.<\/p>\n

C&C communication<\/h2>\n

All C&C requests are in a specific format:<\/p>\n

HTTP\/1.1 POST http:\/\/{hardcoded_IP_or_DGA}\/.main.php?{parameters}<\/i><\/p>\n

Parameters<\/h3>\n

The malware computes a User ID and gathers some information about the infected machine. The User ID isn’t randomly generated, but is instead computed as a MD5 hash of volume mount point GUID from the infected machine\u2019s hard disk. The GUID can be displayed if the cmd.exe is run and the \u201cmountvol\u201d command is entered.<\/p>\n

\"mountvol_olly.png\"
\n<\/strong><\/strong><\/span><\/span>Locky checks the infected device\u2019s operating system version and checks if it is a 32\/64 bit version, has the original installed service pack and which language the PC is set to, to determine in which language it should show the ransom message. The parameters AffiliateID, C&C command and two others parameters &corp= and &serv= are also requested by the C&C server.\u00a0<\/span>The\u00a0<\/span>Affiliate ID value is hard-coded inside Locky\u2019s binary. We found AffiliateIDs with the values 0, 1 and 3.<\/p>\n

All parameters merged together:<\/p>\n

\"request.png\"<\/p>\n

Parameters of Locky C&C command \u201c&act=<\/i>\u201d:<\/p>\n


\n<\/strong><\/strong><\/span><\/span><\/p>\n\n\n\n\n\n\n\n
Parameter<\/strong><\/td>\nAction<\/strong><\/td>\n<\/tr>\n
getkey<\/td>\nRequest public RSA key.<\/td>\n<\/tr>\n
stats&path + encrypted, failed, length<\/td>\nGlobal statistics of encryption and paths of encrypted files.<\/td>\n<\/tr>\n
report&data<\/td>\nList of all encrypted files.<\/td>\n<\/tr>\n
gettext&lang<\/td>\nRequest Locky language files.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n


\n<\/strong><\/strong><\/span><\/span>The entire malware traffic is encrypted with two different algorithms for incoming and outgoing data — both algorithms contain specific hard-coded keys. Both incoming and outgoing traffic data includes a MD5 hash as a CRC of the data content.<\/p>\n

\"traffic_decrypt.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

 <\/p>\n

File encryption<\/h2>\n

The malware starts encrypting files only after it reports the infection to the C&C server and gets back the RSA public key. Locky does not begin encrypting files without a requested RSA key or when a device is disconnected from the Internet. Public and private RSA keys for every infection are generated on the server\u2019s side, so manual decryption is impossible.<\/p>\n

Attackers use RSA-2048 + AES-128 cipher with ECB mode for file encryption. All encrypted files are renamed to form\u00a0<\/span>{USERID}{random_hash}<\/i>\u00a0<\/span>with .locky extension.<\/p>\n

\"crypto.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

 <\/p>\n

Affecting file types<\/h2>\n

Locky malware can encrypt 164 file types that can be broken down into 11 categories:<\/p>\n


\n<\/strong><\/strong><\/span><\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Office\/Document files (62x):<\/td>\n.123, .602, .CSV, .dif, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .pdf, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .RTF, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxi, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml<\/td>\n<\/tr>\n
Scripts\/Source codes (23x):<\/td>\n.asm, .asp, .bat, .brd, .c, .class, .cmd, .cpp, .cs, .dch, .dip, .h, .jar, .java, .js, .pas, .php, .pl, .rb, .sch, .sh, .vb, .vbs<\/td>\n<\/tr>\n
Media files (20x):<\/td>\n.3g2, .3gp, .asf, .avi, .fla, .flv, .m3u, .m4u, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .swf, .vob, .wav, .wma, .wmv<\/td>\n<\/tr>\n
Graphic\/Image files (14x):<\/td>\n.bmp, .cgm, .djv, .djvu, .gif, .jpeg, .jpg, .NEF, .png, .psd, .raw, .svg, .tif, .tiff<\/td>\n<\/tr>\n
Database files (14x):<\/td>\n.db, .dbf, .frm, .ibd, .ldf, .mdb, .mdf, .MYD, .MYI, .odb, .onenotec2, .sql, .SQLITE3, .SQLITEDB<\/td>\n<\/tr>\n
Archives (11x):<\/td>\n.7z, .ARC, .bak, .gz, .PAQ, .rar, .tar, .bz2, .tbk, .tgz, .zip<\/td>\n<\/tr>\n
CAD\/CAM\/3D files (8x):<\/td>\n.3dm, .3ds, .asc, .lay, .lay6, .max, .ms11, .ms11 (Security copy)<\/td>\n<\/tr>\n
Certificates (5x):<\/td>\n.crt, .csr, .key, .p12, .pem<\/td>\n<\/tr>\n
Virtual HDD (4x):<\/td>\n.qcow2, .vdi, .vmdk, .vmx<\/td>\n<\/tr>\n
Data encryption (2x):<\/td>\n.aes, .gpg<\/td>\n<\/tr>\n
Virtual currency (1x):<\/td>\nwallet.dat<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Because the file type range is very wide, this malware can also affect a large number of businesses. Especially interesting are the.ms11<\/i>\u00a0<\/span>file types, which are created by the CAD application used for printed circuit boards. File types from the Virtual HDD category are also interesting, as they are used by many developers, testers or virtualized business solutions.<\/p>\n

Locky also adds \u201c_Locky_recover_instructions.txt\u201d file to every directory with encrypted files and also sets \u201c_Locky_recover_instructions.bmp\u201d as desktop wallpaper.<\/p>\n

Locky encrypts files on all fixed drives, removable drives and also on RAM disk drives. Remote drives are not affected.<\/p>\n

\"affecting_disks.png\"<\/strong><\/strong><\/span><\/span><\/p>\n

We discovered some changes inside the newer Locky binary version. The algorithm is more precious and accurate now.<\/p>\n

\"affecting_disks2.png\"
\n<\/strong><\/strong><\/span><\/span><\/p>\n

Exclusion of Russian PCs<\/h3>\n

The newer version of the malware contains a new hard-coded config value to disable Locky\u2019s encryption on PCs whose locale is set to Russia or whose language is set to Russian (0x19). The hard-coded config value also determines how long Locky should remain dormant after its execution to avoid sandbox detections.<\/p>\n

\"exclude_ru.png\"
\n<\/strong><\/strong><\/span><\/span><\/p>\n

Configuration structure<\/h3>\n

Malware samples from the newer version contain hard-coded configuration data. Included are AffiliateID\u00a0<\/span>(DWORD)<\/i>, DGA seed value\u00a0<\/span>(DWORD)<\/i>, count of second for Sleep\u00a0<\/span>(DWORD)<\/i>, create%TEMP%\\svchost.exe (BYTE)<\/i>, set Locky to\u00a0<\/span>\\CurrentVersion\\RUN<\/i>\u00a0<\/span>registry\u00a0<\/span>(BYTE)<\/i>, exclude RU machines and list of hard-coded IPs.<\/p>\n

\"config.png\"
\n<\/strong><\/strong><\/span><\/span><\/p>\n

Locky payment method<\/h1>\n

Locky\u2019s payment system for decrypting files is the same as that of numerous other ransomwares. Locky\u2019s website is hidden inside the Tor network and the ransom can only be paid with BitCoins. The decryption price is likely based on how many files are encrypted and the ransom value typically starts at 0.5 BitCoins.<\/p>\n

Locky\u2019s decryptor can be found on the following TOR sites:<\/p>\n

6dtxgqam4crv6rr6.onion<\/i><\/p>\n

i3ezlvkoi7fwyood.onion<\/i><\/p>\n

lpholfnvwbukqwye.onion<\/i><\/p>\n

twbers4hmi6dc65f.onion<\/i><\/p>\n

Locky\u2019s authors changed the design of the decryptor webpage during its campaign.<\/p>\n

Original design:<\/p>\n

\"tor_page.png\"
\n<\/strong><\/strong><\/span><\/span>New design:<\/p>\n


\n\"tor_page_new.png\"
\n<\/strong><\/strong><\/span><\/span>You can download the Locky decryptor after the payment has been verified. The decryptor contains a hard-coded private RSA key and it\u2019s also possible to decrypt files with other stored key files using the\u00a0<\/span>\/key:\u00a0<\/span><\/i>parameter.<\/p>\n

\"decryptor.png\"<\/p>\n

Traces<\/h1>\n

Inside some of Locky\u2019s malicious documents, we uncovered several strings which shed light on the malware\u2019s authors. As previously mentioned, the Locky creators are probably the same or closely connected to the Dridex group, as they use the same obfuscation techniques and spam email campaign.<\/p>\n

We also suspect that the authors are from Russia, because many of their C&C servers are there and because they added a function to the newer Locky binary to exclude Locky from infecting Russian PCs.<\/p>\n

While taking a close look at Locky\u2019s strings, we discovered that certain malicious documents contained file path strings that include PC user names. Yikes!<\/p>\n

\"trace_01.png\"<\/p>\n

\"trace_02.png\"<\/h1>\n

Conclusions<\/h1>\n

Locky ransomware is currently a big player in the malware sphere. When looking into Locky, we can see all top features, such as a time-based DGA system, huge spam email campaigns, various scripting languages, generic PE packers, server-side encryption key generation and Tor\/BitCoin payment.<\/p>\n


\n<\/strong><\/strong><\/span><\/span>The authors of Locky are skilled and are developing Locky further. They reacted to the AV industry blocking their C&C server infrastructure by changing the DGA algorithm and also patched some minor bugs in the newer version.<\/p>\n


\n<\/strong><\/strong><\/span><\/span>File encryption malware is currently very popular and can be very profitable. We therefore predict new ransomware families will emerge this year.<\/p>\n

How to stay safe<\/h1>\n