Locky is a new form of ransomware which has made headlines by holding three hospitals’ data hostage recently and encrypts a broad range of document and media formats before displaying ransom screens to infected users with payment instructions. A typical decrypt ransom is around $200 per infected system, with the Hollywood Presbyterian Medical Center in Los Angeles paying the equivalent of $17,000 in Bitcoin.
Overview: Explosive Growth
In the first few weeks of its emergence in February, Locky was spread using malicious document attachments. Users who activated the macros in these documents unknowingly downloaded the main malware component from servers which have been linked to the botnet used by infamous banking Trojan Dridex (as reported by Trustwave’s SpiderLabs).
A review of the outbreak history shows multiple new variants on a daily basis. The frequency of these scripts being mutated and obfuscated in short periods of time shows that the group behind this campaign is very active, and also suggests that the group regularly checks if their scripts are being detected by anti-malware products.
Main Target: European and American Businesses
As shown in the graphs above, the surge of emails occurred during weekdays and between working hours (attacks are usually 12:00 – 20:00 UTC), which would suggest that this campaign targets email recipients who are most likely to open messages while at work in European and American companies. This means that there is a high probability that victims of the attack would execute the malicious attachment on a company device resulting in encryption of highly valuable data and files. In this scenario, businesses would more likely pay the ransom to recover precious data.
How It Works: Executable Unpacking
Upon execution of the core component, it disables the file system redirection by calling Wow64DisableWow64FsRedirection.
Before proceeding with its malicious routines, it checks the language identifier for the system locale.
If the language identifier matches the Russian LangID, it moves itself to %temp%\sys<random>.tmp, before deleting itself via the following command and terminates its own process:
cmd.exe /C del /Q /F <path to temp filename>
Otherwise, the following registry key is created…
…and checks for the following registry entries under the Locky registry key:
It would then drop and execute a copy of itself in %temp%\svchost.exe, and gather system information that it sends to its command and control server (C&C), which includes a unique ID generated for the affected system. The raw data sent to the C&C looks like this (with modifications per infected system):
The ID is generated by retrieving the first eight bytes of the MD5 hash of the affected system’s volume path GUID.
Listed in the table below are CnC server IP’s from some of the Locky variants that we have analyzed.
To prevent the user from restoring files from backup, Locky executes the following command:
vssadmin.exe Delete Shadows /All /Quiet
An auto start entry is also added in the registry to ensure its execution every time the system starts.
This ransomware searches for files having file extensions listed in the table below and encrypts them, renaming the files using the generated system ID from the affected machine appended with a random 8-byte hash value and ‘.locky’ file extension.
Ex. [system id][random 8 byte hash].locky
.ms11 (Security copy)
Locky does not encrypt files that are found in paths listed in the table below to prevent the system from crashing.
Program Files (x86)
System Volume Information
Furthermore, Locky can also encrypt files from network share even if these shares are not mapped to a local drive.
After encrypting files, it sets the ‘completed’ registry entry’s value to 1 and fills up the other registry entry values:
It then changes the desktop wallpaper to a ransom note giving the instructions the user should follow to recover the encrypted files. Along with this, a text copy of the ransom note with a file name of _Locky_recover_instructions.txt is also dropped in every folder where files have been encrypted.
Strong Gateway Protection
- CYREN WebSecurity detects and blocks outbound web connections to malicious Locky URLs, hosts, and domains trying to download the ransomware payload. Enterprise customers will also be protected by CYREN WebSecurity 3.0, which will be released on March 31, 2016. It includes a new Advance Threat Protection capability that utilizes a multi-sandbox array to identify, analyze, and block new, never-before-seen Locky variants.
- CYREN Cyber-Intelligence detects Locky-related threats in both email and web traffic, enabling OEM customers to deliver strong ransomware protection to their end users and customers.
Other Best Practices
In addition to Internet security protection at the web and email gateway, businesses should implement a multi-layered security approach that includes strong endpoint protection, and a robust data backup capability to ensure that ransomware infections don’t cripple your business. This needs to include strong end-user education about cyber security, training users to be very vigilant when opening emails from unknown sources and avoiding opening attachments that are executable. Microsoft Office macros should always be disabled (which they are by default).