Locky Ransomware on Rampage With JavaScript Downloader


Locky is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign.

Propagation vector

Locky ransomware propagates onto victims' systems through a widespread spam campaign. Early waves used an attached Microsoft Word document with maliciously crafted macros; recently, however, the campaign has shifted to an attached, obfuscated JavaScript file. When the victim runs it, the script downloads the Locky ransomware binary and installs it on the victim's computer.

We believe the change to JavaScript is intended to evade antimalware products: the obfuscation and the small size of the attachment make the file look benign. At McAfee Labs we examined one of the JavaScript samples:

[Image: mail content]

After extracting the attachment, we saw an obfuscated JavaScript file whose content looks benign. After deobfuscation, however, we found a downloader that fetches the Locky ransomware:

[Image: JavaScript content]


Analysis

The downloaded Locky binary is compressed and uses an aPLib depack routine for decompression. It calls Wow64DisableWow64FsRedirection to disable file system redirection for the calling thread, so that a 32-bit process on 64-bit Windows reaches the native system directories rather than their WoW64 copies.

On execution, the malware checks whether the operating system language is Russian:

[Image: language check]

If the operating system language is Russian, the malware deletes itself. Otherwise it begins infecting the victim's machine, starting with its footprint in the registry under HKCU\Software\Locky:

[Image: Locky registry key (1)]

Locky calls GetVolumeNameForVolumeMountPoint to retrieve the volume GUID path of the volume associated with the specified mount point. It then computes the MD5 hash of that value using the Microsoft Cryptographic API; this hash serves as the machine's unique ID:

[Image: MD5 hash algorithm]

Later, Locky collects system information such as the operating system name, service pack level, language, and the unique ID computed above.

[Image: system data before encryption]


Control server communications

The collected system information is encrypted with the following encryption routine:

[Image: system data after encryption]

After the system information is encrypted, it is sent in an HTTP POST to the attacker's control server.

[Image: control server POST]

The control server addresses are hardcoded in this sample (defanged here with [dot]):

  • 31[dot]41[dot]47[dot]37
  • 188[dot]138[dot]88[dot]184
  • 91[dot]121[dot]97[dot]170
  • 5[dot]34[dot]183[dot]136

The replies from the control server are decrypted by the malware with the following decryption routine:

[Image: inbound decryption]

After a successful check-in, the malware stores the user ID, the ransom note text, the RSA public key, and a "completed" value under the Locky registry key:

[Image: Locky registry key (2)]

Encrypted file types

The malware searches for the victim's files with the following extensions, encrypts them, and renames them with the .locky extension.

[Image: encrypted file types]

Ransomware notice

After file encryption, the malware changes the desktop background to a recovery-instruction image, which states the procedure for obtaining the private key and decrypting the files.

[Image: ransom notice]

Following the link to obtain the private key, the victim lands on the payment page and is offered the "Locky Decryptor" for purchase:

[Image: Locky decryptor page]

Detection coverage

All McAfee products detect both the JavaScript downloader and the downloaded Locky binary as malicious.

[Image: file detection (1)]

[Image: file detection (2)]


Sample MD5s:

  • 2C01D031623AADA362D9CC9C7573B6AB
  • 3F118D0B888430AB9F58FC2589207988

Update March 8: Locky is not the ransomware associated with the recent well-publicized attack on a Southern California hospital.

Categories: McAfee Labs

9 comments on “Locky Ransomware on Rampage With JavaScript Downloader”

  • On or around March 31, 2016, this Locky virus went right through our McAfee! Why?
    And I even scanned the OneDrive folder where I can see Locky files and McAfee won't even find it!
    Why?

    how to solve?

    I'm running Malwarebytes now.

    Reply
    • Venkatachalabathy SR says:

      McAfee antivirus and other McAfee products like Advanced Threat Defense (ATD) have coverage for most of the recent Locky binaries. Please update the McAfee products regularly, and if you still come across any malicious Locky binaries missed in detection, please submit them to us and we will provide detection for them.

      Reply
  • Edgar Melecio says:

    Sincerely, all users expect a few things from an antivirus/security product.

    1) We need to know how to ensure all products are ready to prevent this. What version/patch is required?

    2) Which steps can we take to prevent this from happening (example: block JavaScript, or at least prevent it from running automatically)?

    3) How can we do a quick detection of the virus? Can we see if we HAD the virus?

    4) In this particular case, can we block the virus from spreading?

    Reply
    • Venkatachalabathy SR says:

      To prevent the threats, always update the security and system products regularly.
      To avoid running the JavaScript automatically, it can be blocked in the browser's "content settings".
      To prevent malicious files from running macros, select "disable all except digitally signed macros" in Microsoft Word; this can be done through the Trust Center settings in Microsoft Word.

      Reply
  • Brett Richards says:

    If the file encryption routines are known, then is there any decryption software available to recover affected files?

    Reply
    • Venkatachalabathy SR says:

      Decryption of affected files requires the private key, which is only present on the attacker's C&C server, so decryption is not possible.

      Reply
  • You explained all about the virus and what it does, but did not mention anything about what to do about it.

    Reply
    • Venkatachalabathy SR says:

      To prevent the infection, don't open mail attachments when you are not sure about them, and don't enable any macros unless they are digitally signed. Always back up your data and make sure that system software and antivirus/antimalware products are updated regularly.

      Reply
