Locky Ransomware Arrives via Email Attachment


Locky is a new ransomware threat being spread via spam campaigns. This new malware has capabilities similar to those of Dridex.

Locky arrives in a Microsoft Office email attachment that evades antispam filters (among other things) and attempts to trick users via social engineering into opening the attachment. Once running, Locky encrypts numerous files using RSA-2048 and AES-1024 encryption, and then demands that its victims pay a ransom to restore their files.

[Image 1: Spam email delivering Locky ransomware.]

We used oledump to extract the macro:

A: word/vbaProject.bin
A1: 533 'PROJECT'
A2: 95 'PROJECTwm'
A3: 97 'UserForm1/\x01CompObj'
A4: 290 'UserForm1/\x03VBFrame'
A5: 131 'UserForm1/f'
A6: 180 'UserForm1/o'
A7: M 34196 'VBA/Module1'
A8: M 1537 'VBA/ThisDocument'
A9: m 1336 'VBA/UserForm1'
A10: 6917 'VBA/_VBA_PROJECT'
A11: 1391 'VBA/__SRP_0'
A12: 110 'VBA/__SRP_1'
A13: 292 'VBA/__SRP_2'
A14: 103 'VBA/__SRP_3'
A15: 790 'VBA/dir'

The .doc file contains embedded macros (the streams flagged M above) that download Locky and infect the machine. In this case, the download URL was:

  • hxxp://olvikt.freedomain.thehost.com[.]ua/admin/js/7623dh3f.exe
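As an added example (not code from the original post), here is a small Python parser for the oledump listing above: it pulls out each stream's index, macro flag, size and name, and reports which streams actually carry VBA code (oledump marks those with M; a lowercase m means a macro stream that holds only attributes). The listing embedded in the code is a constructed copy of the one shown.

```python
import re
from dataclasses import dataclass

# Constructed copy of the oledump listing above (oledump itself prints plain single quotes).
OLEDUMP_LISTING = """\
A: word/vbaProject.bin
A1: 533 'PROJECT'
A2: 95 'PROJECTwm'
A3: 97 'UserForm1/\\x01CompObj'
A7: M 34196 'VBA/Module1'
A8: M 1537 'VBA/ThisDocument'
A9: m 1336 'VBA/UserForm1'
A10: 6917 'VBA/_VBA_PROJECT'
A15: 790 'VBA/dir'
"""

# One stream line: index, optional flag (M = VBA code present, m = macro stream with attributes only), size, name.
STREAM_RE = re.compile(r"^(?P<idx>[A-Z]\d+):\s+(?:(?P<flag>[Mm])\s+)?(?P<size>\d+)\s+'(?P<name>.*)'$")

@dataclass
class Stream:
    index: str
    flag: str  # "M", "m" or "" (not a macro stream)
    size: int
    name: str

def parse_oledump(listing: str) -> list[Stream]:
    """Parse oledump's stream listing; container lines such as 'A: word/vbaProject.bin' are skipped."""
    streams = []
    for line in listing.splitlines():
        m = STREAM_RE.match(line.strip())
        if m:
            streams.append(Stream(m["idx"], m["flag"] or "", int(m["size"]), m["name"]))
    return streams

def macro_summary(listing: str) -> dict:
    """What triage needs first: does the document carry VBA code, in which streams, and how much of it."""
    code = [s for s in parse_oledump(listing) if s.flag == "M"]
    return {
        "has_macros": bool(code),
        "code_streams": [s.name for s in code],
        "largest_code_stream": max(code, key=lambda s: s.size).name if code else None,
        "code_bytes": sum(s.size for s in code),
    }
```

The largest M stream (here VBA/Module1) is normally the one to dump first with oledump's -s and -v options.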

Malware details

The malware has some protections against researchers and sandbox systems:

[Image 2: Antidebug functions.]

The author also calls several APIs to fingerprint the environment and evade automated analysis systems:

[Image 3: API calls requested by Locky.]

Malware behavior

Locky creates a copy of itself in the following directory:

  • C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp

During the infection, Locky creates some registry keys:

[Image 4: Registry keys.]

  • HKCU\Software\Locky\id: A unique ID assigned to the victim.
  • HKCU\Software\Locky\pubkey: RSA public key.
  • HKCU\Software\Locky\paytext: Ransom note text.
  • HKCU\Software\Locky\completed: Ransom note text.
  • HKCU\Control Panel\Desktop\Wallpaper (“%UserProfile%\Desktop\_Locky_recover_instructions.bmp”): Changes the wallpaper to show the ransom demand.

[Image 5: Locky wallpaper.]

In a way similar to other ransomware families, Locky hosts additional ransom notes on various Tor domains. Because many users are unfamiliar with Tor, Locky helps its victims by providing instructions on how to use services such as tor2web, which makes it easier to access the hidden service.

On the infected machine we also find a .txt file containing the ransom note:

[Image 6: Locky ransom note.]

Locky searches for many file types to encrypt:

.asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc.

Locky also deletes any Volume Shadow Copies with vssadmin, so the victim cannot restore earlier versions of the encrypted files:

[Image 7: Vssadmin command to delete shadow copies.]
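An added detection example, not part of the original analysis: the host indicators described above (the HKCU\Software\Locky keys, the ransom wallpaper, the self-copy in the user's Temp directory and the shadow-copy deletion) expressed as matching rules run over constructed Sysmon-style event records. The exact vssadmin command line and the sysXXXX.tmp naming pattern are assumptions generalised from the screenshot and the single path shown.

```python
import re

# Host indicators taken from the analysis above. The vssadmin command line is an assumption (the
# page shows it only as a screenshot), so the rule matches any "vssadmin ... delete ... shadows".
LOCKY_REG_PREFIX = "hkcu\\software\\locky\\"
WALLPAPER_KEY = "hkcu\\control panel\\desktop\\wallpaper"
RANSOM_WALLPAPER = "_locky_recover_instructions.bmp"
TEMP_COPY_RE = re.compile(r"\\appdata\\local\\temp\\sys[0-9a-f]{4}\.tmp$", re.IGNORECASE)  # assumed pattern
VSSADMIN_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

def score_event(event: dict) -> list:
    """Return the Locky indicators one event record matches (empty list means nothing suspicious)."""
    hits = []
    if event.get("type") == "registry_set":
        key = event.get("key", "").lower()
        if key.startswith(LOCKY_REG_PREFIX):
            hits.append("locky_registry_key")
        if key == WALLPAPER_KEY and RANSOM_WALLPAPER in event.get("value", "").lower():
            hits.append("ransom_wallpaper")
    elif event.get("type") == "process_create":
        if VSSADMIN_RE.search(event.get("cmdline", "")):
            hits.append("shadow_copy_deletion")
        if TEMP_COPY_RE.search(event.get("image", "")):
            hits.append("temp_self_copy")
    return hits

def triage(events) -> dict:
    """Aggregate indicator hits per host; only hosts with at least one hit are reported."""
    per_host = {}
    for ev in events:
        for hit in score_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}

# Constructed sample events in a Sysmon-like shape (not real telemetry). ws02 is benign:
# listing shadow copies is normal admin activity and must not fire the deletion rule.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set", "key": "HKCU\\Software\\Locky\\id", "value": "CONSTRUCTEDID01"},
    {"host": "ws01", "type": "registry_set", "key": "HKCU\\Control Panel\\Desktop\\Wallpaper",
     "value": "C:\\Users\\Admin\\Desktop\\_Locky_recover_instructions.bmp"},
    {"host": "ws01", "type": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "type": "process_create", "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysC4E6.tmp",
     "cmdline": "sysC4E6.tmp"},
    {"host": "ws02", "type": "process_create", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},
    {"host": "ws02", "type": "registry_set", "key": "HKCU\\Software\\Vendor\\Setting", "value": "1"},
]
```

A host that shows both a Locky registry key and shadow-copy deletion is a high-confidence hit; shadow-copy deletion alone still deserves a look, since several ransomware families share that step.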


Locky infrastructure

After accessing the hidden Tor site, users see the following page:

[Image 8: Locky decryption page.]

Tracking the wallet gives an insight into how many users have paid to recover their data.

Locky uses traditional control server infrastructure and requests a /main.php file:

[Image 10: POST requests.]

[Image 11: Locky trying to communicate with its control server.]

Locky also has domain generation algorithm (DGA) capabilities for the control server infrastructure. If we analyze the traffic, we can see requests to some DGA domains:

[Image 12: DNS requests to different control servers.]
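An added example that is not Locky's actual DGA (the post does not describe the algorithm): a generic DGA-burst heuristic over constructed DNS resolver log lines. A client that receives NXDOMAIN for several distinct names within a short window is flagged, and the first name from that client that does resolve afterwards is reported as the candidate live control server to pivot on. The log format and all domain names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client, query name, response code. Not real traffic;
# 10.0.0.7 plays the infected host walking through its daily list of generated domains.
DNS_LOG = """\
2016-03-10T09:00:01 10.0.0.5 update.example.com NOERROR
2016-03-10T09:00:02 10.0.0.7 kqvxrtpsjn.eu NXDOMAIN
2016-03-10T09:00:03 10.0.0.7 pwmdcylfrt.pw NXDOMAIN
2016-03-10T09:00:04 10.0.0.7 dqsnbdfuwq.in NXDOMAIN
2016-03-10T09:00:05 10.0.0.7 yhgtrwzvli.ru NXDOMAIN
2016-03-10T09:00:06 10.0.0.7 xmbjlsovec.be NOERROR
2016-03-10T09:00:07 10.0.0.5 www.example.org NOERROR
2016-03-10T09:05:00 10.0.0.9 typo-dommain.com NXDOMAIN
"""

def parse_dns_log(text: str) -> list:
    """Turn each log line into (timestamp, client, name, rcode)."""
    rows = []
    for line in text.splitlines():
        ts, client, name, rcode = line.split()
        rows.append((datetime.fromisoformat(ts), client, name.lower(), rcode))
    return rows

def find_dga_bursts(text: str, window=timedelta(minutes=1), threshold=3) -> dict:
    """Per client: the largest set of distinct NXDOMAIN names seen inside one window, plus the
    first name that resolved within a window after that burst (the likely live C2)."""
    by_client = defaultdict(list)
    for row in parse_dns_log(text):
        by_client[row[1]].append(row)
    findings = {}
    for client, rows in by_client.items():
        rows.sort()
        best = None
        for i, (ts, _, _, _) in enumerate(rows):
            # Distinct failed lookups ending at this event and no older than the window.
            burst = {n for t, _, n, rc in rows[:i + 1] if rc == "NXDOMAIN" and ts - t <= window}
            if len(burst) >= threshold and (best is None or len(burst) > len(best[0])):
                resolved = next((n for t, _, n, rc in rows[i + 1:] if rc == "NOERROR" and t - ts <= window), None)
                best = (burst, resolved)
        if best:
            findings[client] = {"nxdomains": sorted(best[0]), "candidate_c2": best[1]}
    return findings
```

A single typo (10.0.0.9) stays below the threshold, and a host with only successful lookups (10.0.0.5) is never reported; the candidate domain is a pivot for investigation, not proof of infection on its own.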

Every day, Locky tries to connect to different DGA domains around the world:

[Image 13: Locations of Locky DGA domains.]

Connection with Dridex

During our analysis of some Locky campaigns, we noticed that they appear to share the same infrastructure as Dridex.

Indicators of compromise

A partial list of Locky hashes detected by McAfee Labs:

