Locky Ransomware Arrives via Email Attachment

By on Mar 11, 2016

Locky is a new ransomware threat being spread via spam campaigns. This new malware has capabilities similar to those of Dridex.

Locky arrives in a Microsoft Office email attachment that evades antispam filters (among other things) and attempts to trick users via social engineering into opening the attachment. Once running, Locky encrypts numerous files using RSA-2048 and AES-1024 encryption, and then demands that its victims pay a ransom to restore their files.

[Image: Spam email delivering Locky ransomware.]

We used oledump to extract the macro:

A: word/vbaProject.bin
A1: 533 'PROJECT'
A2: 95 'PROJECTwm'
A3: 97 'UserForm1/\x01CompObj'
A4: 290 'UserForm1/\x03VBFrame'
A5: 131 'UserForm1/f'
A6: 180 'UserForm1/o'
A7: M 34196 'VBA/Module1'
A8: M 1537 'VBA/ThisDocument'
A9: m 1336 'VBA/UserForm1'
A10: 6917 'VBA/_VBA_PROJECT'
A11: 1391 'VBA/__SRP_0'
A12: 110 'VBA/__SRP_1'
A13: 292 'VBA/__SRP_2'
A14: 103 'VBA/__SRP_3'
A15: 790 'VBA/dir'

The .doc file contains some embedded macros to download Locky and infect the machine. In this case, the URL was:

  • hxxp://olvikt.freedomain.thehost.com[.]ua/admin/js/7623dh3f.exe
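The oledump listing above is the first triage step: the M/m flag in the second column marks the streams that carry VBA, and the biggest M stream is the place to start reading. The following script is an added example (not from the post or from oledump itself) that parses that listing and reports which streams contain code; the sample text is the post's own listing, reproduced with the straight quotes oledump actually prints.

```python
import re
from typing import Dict, List, NamedTuple

# Sample input: the stream listing oledump.py printed for the Locky dropper
# document, copied from the post (oledump prints straight quotes around names).
SAMPLE_OLEDUMP_OUTPUT = """\
A: word/vbaProject.bin
A1: 533 'PROJECT'
A2: 95 'PROJECTwm'
A3: 97 'UserForm1/\\x01CompObj'
A4: 290 'UserForm1/\\x03VBFrame'
A5: 131 'UserForm1/f'
A6: 180 'UserForm1/o'
A7: M 34196 'VBA/Module1'
A8: M 1537 'VBA/ThisDocument'
A9: m 1336 'VBA/UserForm1'
A10: 6917 'VBA/_VBA_PROJECT'
A11: 1391 'VBA/__SRP_0'
A12: 110 'VBA/__SRP_1'
A13: 292 'VBA/__SRP_2'
A14: 103 'VBA/__SRP_3'
A15: 790 'VBA/dir'
"""


class Stream(NamedTuple):
    index: str      # stream id as oledump numbers it, e.g. "A7"
    indicator: str  # "M": VBA stream with code, "m": VBA stream with attribute lines only, "": not a macro stream
    size: int       # stream size in bytes
    name: str       # stream path inside the OLE container


# "A7: M 34196 'VBA/Module1'" -> index, optional M/m flag, size, quoted name.
# Container lines such as "A: word/vbaProject.bin" carry no number and are skipped.
STREAM_RE = re.compile(r"^\s*([A-Z]\d+):\s+(?:([Mm])\s+)?(\d+)\s+'(.*)'\s*$")


def parse_oledump(text: str) -> List[Stream]:
    """Turn oledump's stream listing into Stream records."""
    streams = []
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if m:
            streams.append(Stream(m.group(1), m.group(2) or "", int(m.group(3)), m.group(4)))
    return streams


def summarize_macros(text: str) -> Dict[str, object]:
    """Triage view: which streams carry VBA code, and which of them is largest (often where the real logic sits)."""
    streams = parse_oledump(text)
    code = [s for s in streams if s.indicator == "M"]
    attribute_only = [s for s in streams if s.indicator == "m"]
    largest = max(code, key=lambda s: s.size, default=None)
    return {
        "stream_count": len(streams),
        "has_macros": bool(code),
        "code_modules": [s.name for s in code],
        "attribute_only": [s.name for s in attribute_only],
        "largest_code_module": (largest.index, largest.name, largest.size) if largest else None,
    }


if __name__ == "__main__":
    for key, value in summarize_macros(SAMPLE_OLEDUMP_OUTPUT).items():
        print(f"{key}: {value}")
```

On this sample the report names VBA/Module1 (A7, 34196 bytes) as the largest code module; `oledump.py -s A7 -v sample.doc` then selects that stream and decompresses the VBA so the downloader logic and its URL can be read.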

Malware details

The malware has some protections against researchers and sandbox systems:

[Image: Antidebug functions.]

To fingerprint the environment, the author implemented some API calls to evade automatic systems:

[Image: API calls requested by Locky.]

Malware behavior

Locky creates a copy of itself in the following directory:

  • C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp

During the infection, Locky creates some registry keys:

[Image: Registry keys.]

  • HKCU\Software\Locky\id: A unique ID assigned to the victim.
  • HKCU\Software\Locky\pubkey: RSA public key.
  • HKCU\Software\Locky\paytext: Ransom note text.
  • HKCU\Software\Locky\completed: Ransom note text.
  • HKCU\Control Panel\Desktop\Wallpaper ("%UserProfile%\Desktop\_Locky_recover_instructions.bmp"): Changing the wallpaper to show the ransom demand.

[Image: Locky wallpaper.]
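The registry keys listed above are host-based indicators that survive in a `reg export` of the user's hive. The script below is an added example, not code from the post, that parses a .reg export and reports the Locky key and the ransom-note wallpaper; the sample export is constructed to match the keys the post names, and its value contents (the id string, the hex bytes) are placeholders rather than data from a real infection.

```python
import re
from typing import Any, Dict, List

# Constructed .reg export (the format "reg export" writes), modelled on the keys the post lists.
# Value contents are placeholders, not data from an infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Locky]
"id"="0123456789ABCDEF"
"pubkey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,\
  ab,cd,ef
"paytext"=hex:5f,4c,6f,63,6b,79,5f,72,65,63,6f,76,65,72
"completed"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="%UserProfile%\\Desktop\\_Locky_recover_instructions.bmp"
"WallpaperStyle"="0"
"""

HIVE_ALIASES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}
HEX_RE = re.compile(r"^hex(?:\(\d+\))?:(.*)$", re.I)


def decode_value(raw: str) -> Any:
    """Decode the value syntaxes a .reg file uses: quoted string, dword:, hex[(type)]:."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, Any]]:
    """Map 'HKCU\\Path' -> {value name: decoded value}; joins hex data wrapped with a trailing backslash."""
    keys: Dict[str, Dict[str, Any]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation line: hex data wrapped onto the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ALIASES.get(hive.upper(), hive) + "\\" + rest
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(value)
    return keys


LOCKY_KEY = "HKCU\\Software\\Locky"
LOCKY_VALUES = ("id", "pubkey", "paytext", "completed")   # value names from the post
DESKTOP_KEY = "HKCU\\Control Panel\\Desktop"
RANSOM_WALLPAPER = "_locky_recover_instructions.bmp"


def locky_indicators(keys: Dict[str, Dict[str, Any]]) -> List[str]:
    """Report the Locky key (with whichever of its known values exist) and the ransom-note wallpaper."""
    findings = []
    locky = keys.get(LOCKY_KEY)
    if locky is not None:
        present = [v for v in LOCKY_VALUES if v in locky]
        findings.append(f"{LOCKY_KEY} exists with values: {', '.join(present) or '(none)'}")
    wallpaper = str(keys.get(DESKTOP_KEY, {}).get("Wallpaper", ""))
    if wallpaper.lower().endswith(RANSOM_WALLPAPER):
        findings.append(f"wallpaper points at the ransom note image: {wallpaper}")
    return findings


if __name__ == "__main__":
    for finding in locky_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

`reg export HKCU\Software\Locky locky.reg` writes UTF-16 with a byte-order mark, so open a real export with `open(path, encoding="utf-16")` before handing the text to `parse_reg_export`.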

In a way similar to other ransomware families, Locky hosts additional ransom notes on various Tor domains. Because many users are unfamiliar with Tor, Locky helps its victims by providing instructions on how to use services such as tor2web, which makes it easier to access the hidden service.

On the infected machine we also find the .txt file with the ransom note:

[Image: Locky ransom note.]

Locky searches for many file types to encrypt:

.asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc.

Locky also eliminates any shadow copies:

[Image: Vssadmin command to delete shadow copies.]
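Shadow-copy deletion is one of the few loud things ransomware does before encrypting, and process-creation logging catches it. The detector below is an added example, not code from the post: it runs two command-line rules over Sysmon-style Event ID 1 records, the vssadmin form the post shows and, as a generalisation beyond the post, the equivalent `wmic shadowcopy delete`, and it separately flags a `.tmp` file executed from the user's Temp directory, which is how the post describes Locky's dropped copy. The events are constructed: the `sysC4E6.tmp` path is the post's, while the command lines, users and parent processes are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed process-creation events in Sysmon Event ID 1 shape (JSON lines).
# The sysC4E6.tmp path is the one the post reports; command lines, users and
# parent processes are assumptions made for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysC4E6.tmp", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\sysC4E6.tmp\"", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7623dh3f.exe", "User": "HOST\\Admin"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sysC4E6.tmp", "User": "HOST\\Admin"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "HOST\\backupadmin"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "HOST\\Admin"}
"""

# Command-line rules: the vssadmin form is what the post shows; the wmic form is the
# other common way to delete shadow copies and is included as a generalisation.
COMMAND_RULES = [
    ("high", "shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("high", "shadow copies deleted via wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]
# A .tmp file under the user's Temp directory being executed, like the copy Locky drops.
TEMP_TMP_EXECUTABLE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.I)


def analyse_event(event: Dict) -> List[Dict]:
    """Apply the rules to one process-creation record and return zero or more findings."""
    findings = []
    command = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    for severity, rule, pattern in COMMAND_RULES:
        if pattern.search(command):
            finding = {"severity": severity, "rule": rule, "command": command, "parent": parent}
            if TEMP_TMP_EXECUTABLE.search(parent):
                finding["note"] = "launched by a .tmp executable in the user's Temp directory"
            findings.append(finding)
    if TEMP_TMP_EXECUTABLE.search(event.get("Image", "")):
        findings.append({"severity": "medium",
                         "rule": "executable started from a .tmp file in the user's Temp directory",
                         "command": command, "parent": parent})
    return findings


def detect(jsonl: str) -> List[Dict]:
    """Run analyse_event over a JSON-lines feed of events."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if line:
            findings.extend(analyse_event(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['command']} (parent: {f['parent']})")
```

The "list shadows" event from the backup administrator produces no finding; the deletion launched from the Temp-directory `.tmp` file is reported with the parent noted, which is the combination worth paging on.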

Locky infrastructure

After accessing the hidden Tor site, users see the following page:

[Image: Locky decryption page.]

If we track the wallet, we get an insight into how many users have paid to recover their data:

[Image: Tracking the Locky wallet.]

Locky uses traditional control server infrastructure, and requests a /main.php file:

[Image: POST requests.]

[Image: Locky trying to communicate with its control server.]

Locky also has domain generation algorithm (DGA) capabilities for the control server infrastructure. If we analyze the traffic, we can see requests to some DGA domains:

[Image: DNS requests to different control servers.]

Every day, Locky tries to connect to different DGA domains around the world:

[Image: Locations of Locky DGA domains.]

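The two network behaviours described above, POST requests for /main.php and a stream of lookups for DGA domains, can both be caught in ordinary proxy and DNS logs. The following is an added example, not code from the post, with two detectors: one flags POST requests whose path is /main.php (rating a bare-IP destination higher than a named host, which is an assumption of the example), and one flags a client that queries many distinct non-existent names in a short window, the usual signature of a DGA walking through candidates. Both logs are constructed; the random-looking domain names are invented for the example and are not output of Locky's real DGA, which the post does not describe.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed proxy log: "timestamp client method url status". The /main.php path is the
# one the post reports; hosts and clients are made up (RFC 5737 documentation addresses).
SAMPLE_PROXY_LOG = """\
2016-03-10T09:14:02Z 10.0.0.25 POST http://203.0.113.17/main.php 200
2016-03-10T09:14:05Z 10.0.0.25 GET http://www.example.com/index.html 200
2016-03-10T09:14:09Z 10.0.0.25 POST http://198.51.100.8/main.php 200
2016-03-10T09:20:11Z 10.0.0.31 POST http://intranet.example.com/main.php 200
"""

# Constructed DNS log: "timestamp client qname rcode". The random-looking names are
# invented for this example and are not produced by Locky's actual DGA.
SAMPLE_DNS_LOG = """\
2016-03-10T09:15:01Z 10.0.0.25 ktpfruhgxvqj.ru NXDOMAIN
2016-03-10T09:15:01Z 10.0.0.25 nqewlcvbotu.pw NXDOMAIN
2016-03-10T09:15:02Z 10.0.0.25 xwqhjgkrtmz.in NXDOMAIN
2016-03-10T09:15:02Z 10.0.0.25 update.example.net NOERROR
2016-03-10T09:15:03Z 10.0.0.25 plvbmncwst.de NXDOMAIN
2016-03-10T09:15:03Z 10.0.0.25 rgjhwqzkxm.fr NXDOMAIN
2016-03-10T09:15:04Z 10.0.0.25 ytvqbnmjkl.it NXDOMAIN
2016-03-10T09:15:04Z 10.0.0.25 qzxrbmwlvga.ru NOERROR
2016-03-10T09:30:00Z 10.0.0.31 example.org NOERROR
2016-03-10T09:30:01Z 10.0.0.31 typo-domian.com NXDOMAIN
"""

C2_URL = re.compile(r"^https?://([^/]+)/main\.php(?:[?#].*)?$", re.I)
IP_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def c2_posts(proxy_log: str) -> List[Dict]:
    """POST requests for /main.php; a bare-IP destination is rated higher than a named host."""
    alerts = []
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status = line.split()
        match = C2_URL.match(url)
        if method.upper() != "POST" or not match:
            continue
        host = match.group(1)
        alerts.append({"time": ts, "client": client, "host": host,
                       "severity": "high" if IP_LITERAL.match(host) else "low"})
    return alerts


def dga_bursts(dns_log: str, window_seconds: int = 60, threshold: int = 5) -> List[Dict]:
    """Clients that query at least `threshold` distinct non-existent names within any `window_seconds` span."""
    nx = defaultdict(list)
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        if rcode.upper() == "NXDOMAIN":
            nx[client].append((parse_ts(ts), qname.lower()))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for client, events in nx.items():
        events.sort()
        best: set = set()
        start = 0
        for end in range(len(events)):           # sliding window over time-ordered NXDOMAIN answers
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            alerts.append({"client": client, "distinct_nxdomain": len(best), "domains": sorted(best)})
    return alerts


if __name__ == "__main__":
    for a in c2_posts(SAMPLE_PROXY_LOG):
        print(f"[{a['severity']}] {a['client']} POST /main.php to {a['host']} at {a['time']}")
    for a in dga_bursts(SAMPLE_DNS_LOG):
        print(f"[high] {a['client']} queried {a['distinct_nxdomain']} non-existent domains: {', '.join(a['domains'])}")
```

The NXDOMAIN-burst rule is deliberately blind to how the names look, so it keeps working when the DGA changes; the window and threshold are the knobs to tune against a site's normal typo and expired-domain noise (the single `typo-domian.com` miss from the second client stays below the threshold here).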
Connection with Dridex

During our analysis of some Locky campaigns, we noticed that they appear to share the same infrastructure as Dridex.

Indicators of compromise

A partial list of Locky hashes detected by McAfee Labs:

  • d4dc820457bbc557b14ec0e58358646afbba70f4d5cab2276cdac8ce631a3854
  • d159fe802f509b67d319ea916cc6a052035a0c0f4412406b6b78d7db4d4035fc
  • 5e945c1d27c9ad77a2b63ae10af46aee7d29a6a43605a9bfbf35cebbcff184d8
  • 40f62d6dfa7d2429c8e1085f1460907d82cc6a48399038c07bdc5b38792f75b3
  • bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
  • 0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0
  • 4725019fb0a4574d1ad42bfa481ba1992002fe60811829a89955b3e538611123
  • 85e6adb499916a6557b2beebcf44f0872908a2d2705058bfacc9d7bc4c5bc43e
  • e720f917cd8a02b0372b85068844e132c42ea2c97061b81d378b5a73f9344003
  • 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2
  • d4ff4b73d7e89f80d78239a349c0197022c9d9306e5b59fdb71894040bc36489
  • 48a84c3ecf57ffdb474f61edb43634c32663be2466e4c489ec11e029fc70c042
  • acee75cd346795ceb02fc30aa822d13c4132e64fd36b5244dd822199a5a0c0a7
  • 976059c030c256db4a22d0fcbf2372cc3320877025154b5efeb3f7a1a26b1774
  • 8fa81c2bce89adcb1cc246761775ebbf29cbc444be78c7a58a465f76f1cdf6c8
  • 2cbf3ac4f304fa711e23d6a8a762451b7b06550d56b7bd688d4c6d1bee9984db
  • 02b00f7615e1fd9091d947dad00dfe60528d9015b694374df2b5525ea6dd1301
  • 77d66d710acddbe66a4f88b9db8775466a35948bad8716c188490ae0aca9a2f9
  • 2a40da48c9dc3e20bc6e30c986306ceccbc2d8be55b355b7a73d95c1a54319a4
  • 8842974b86c6101a5bbb18dc16dea293e4eb7a9656dbee241ecce7a677d2cdfc
  • 4fd7543247c1f7f2fb5d1c7f99b52ad0a41fb07aa9f388c46a6c5920a848c19a
  • eb4d53a92e703d075787cebd97e06d1427d230f4872052a20f5d2f508fe1f663
  • 56fc23c1eb3c4ea5f9f7911d8bfa0af6df762eb6e22d002ddad562568606acc0
  • 3402902877ddfa71190745690048f6a6b77b9999083305b6fea52b0dfe03bec8
  • 68244d5204518ab8b7f3564577b2bcc98c8fe0ea0aee39aa5518ffb5cf2689dc
  • a588eb64872257a23a1171c3dd8b79cff048fac5b3c1dac538e6ec03658a72f5
  • 6a1c3a7498b3af751455d2e6b7fc45f0304c6946d59b389ec068686985b3e3d8
  • 74ae3c7bbc041639c52e298f1e0334c52ba8c1126eb0daf94fbb7bee40a831f9
  • c543841ad16edfcf1098dffb9d4f656da5ac0f54857a2ffb79a799b305682053
  • b7404bed5dbb05463e1cad915a31e2a59b5dc7fe36c5bb901196fdd072ee1591
  • 204068d89b32659c9872bae0197e56acddca26e20523e337991df0f46d608469
  • bbd7dcc8a064e73f1ef8f17feb7e7f8bc2f91bc90bbce03695e952c4c1acfa86
  • a7c67bd2a6e4c7902f70a4f44242bdd073aea34f6e0b29491de4ddeed8a879f0
  • 01002fef15f67941430c8a7e0c841583bf3eb67907e79310218e5ba3668e4997
  • 59f6b5e8b1829902c9b915c3c7a6f8842445e4f9508710d4bcacdb1f80fdc2ef
  • 177bb96ae04cac947092c28957121be9001d2a347141d22a14aa6474d099dd33
  • bd12b97e2c0e80c899ac3fc595e46f4b5938e1e38c345195a535d25e0dd2d565
  • 30587ec7becbff5e55f6effdd22075568d80eb4a06ce3104502d4d76004e16f3
  • 36ded79221d444903554d693f5d93a5acada2454240da45b9a5257229eb21143
  • fb607732ec2e3393634b2ccb8a028ad5b77ad0d01ef4a682bcc3c9e40e5bd186
  • a62ebda2177dcaa163f49df590824213e1dca317f4c5d607d0edc806f0bc598c
  • 210098efe6c332d372873e227f3d62a6f9630110746f775c4714a0d3805cfa09
  • d3654c1683a7596d3248aa8014e089162dd3c5f9075ee4791faa740f92f3068d
  • 1b6b9079a36d36d94e4da712e315ff8c29e12513b001c9ae2af23fdb6a0b30a5
  • 0a809215d4845bdc11b87b07a6c2a6acfc6ad837f6ce56abbde4cf7e03efc684
  • fc8e858023506da14dcdf7c581332bf961816cac3c342660f3a75949a366fa7b
  • 5236d1e0f508409f8efe60cd4ccef67f4ce57fa40184849c16a1918f63d58573
  • 09f3adee80045971982f1183607c4c8315c6e375a2e66b3ea8aa40d685d09cb6
  • 214c0232e8543c80c7c6010319524231beab9d8689b8295f7e13296de886c15c
  • e28753324b22939b239ca234cdc25daa16ed318d98b6430ea941d8bbbf418cad
  • 3b2507071a8ba09e223ffbfa8315e6d3537be2042d54166f5a698049e7a6a2b1
  • 7ce2f7f147b442079a978dca43de24105b2c3cde254dc76c7d6be165d8cf8d7e
  • fc4d893ae0f496f13581abc708ef045d067fa7af5a06a9a1c3631f8c8b74d0df
  • ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90
  • b1465aa094decb4d5749bdf5ed5df8da98cecea900ec719c45c2e2d630062934
  • 5cacccb46693962c67a3aef0df9a538201a44d309993915057e98b00b59cf7c3
  • a9bba5afdb85f0b65493356ddb0b3bb29a3a9b311fc4435f04610ff05eba508e
  • c866dcfa95c50443ed5e0b4d2c0b63c1443ad330cb7d384370a244c6f58ce8a5
  • 240b43dfc2712d7d40312e760bcca5f9c7c259bbfa115c866127027346cb2fa3
  • 3eb1e97e1bd96b919170c0439307a326aa28acc84b1f644e81e17d24794b9b57
  • 7a0602fffb1565eabb6a34016dc8692a08209b152aa490935fdcb4ac18ecddb4

About the Author

McAfee
