Locky is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign.
The downloaded Locky ransomware is compressed and uses an aPLib depack routine for decompression. It calls the Wow64DisableWow64FsRedirection function to disable file system redirection for the calling thread.
On execution, the malware checks whether the operating system is Russian:
If the operating system is Russian, the malware deletes itself. Otherwise it starts infecting the victim’s machine by adding the Locky footprint under HKCU\Software\Locky:
Locky calls the GetVolumeNameForVolumeMountPoint function, which returns the volume GUID path for the volume associated with the specified volume mount point. Using Microsoft’s cryptographic API, the malware then calculates the MD5 hash of the retrieved data:
Later, Locky retrieves system information such as OS name, service pack, language, and unique ID.
Control server communications
The collected system information is encrypted with the following encryption code:
After the system information is encrypted, it is posted to the attacker’s control server.
The control servers are hardcoded in this sample:
The replies from the control server are decrypted by the malware with the following decryption code:
After successful infection, the malware stores the user ID, the ransom note, the RSA public key, and a completed value name under the Locky registry key:
Encrypted file types
The malware searches for the victim’s files with the following file extensions, encrypts them, and renames them with the .locky extension.
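The registry footprint under HKCU\Software\Locky and the renaming of encrypted files to .locky described above are the two host artifacts a responder can key on. The following triage routine is an added example, not code from the article or from McAfee Labs: it runs over constructed Sysmon-style registry-set and file-create records (the process path, SID, value names id/pubkey/completed and the burst threshold are assumptions, not values taken from the malware) and flags any process that writes the Locky key or creates several .locky files.

```python
import re
from collections import defaultdict

def reg_set(pid, image, target):  # Sysmon-like EventID 13: registry value set
    return {"EventID": 13, "ProcessId": pid, "Image": image, "TargetObject": target}

def file_create(pid, image, path):  # Sysmon-like EventID 11: file create
    return {"EventID": 11, "ProcessId": pid, "Image": image, "TargetFilename": path}

# Constructed telemetry: the process path, SID and value names are made up.
MALWARE = r"C:\Users\alice\AppData\Local\Temp\sample.exe"
HIVE = r"HKU\S-1-5-21-1"  # Sysmon logs HKCU as HKU\<SID>
SAMPLE_EVENTS = [
    reg_set(4120, MALWARE, HIVE + r"\Software\Locky\id"),
    reg_set(4120, MALWARE, HIVE + r"\Software\Locky\pubkey"),
    reg_set(4120, MALWARE, HIVE + r"\Software\Locky\completed"),
    file_create(4120, MALWARE, r"C:\Users\alice\Documents\A1B2C3D4E5F60001.locky"),
    file_create(4120, MALWARE, r"C:\Users\alice\Documents\A1B2C3D4E5F60002.locky"),
    file_create(4120, MALWARE, r"C:\Users\alice\Pictures\A1B2C3D4E5F60003.locky"),
    file_create(900, r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\notes.txt"),
    reg_set(900, r"C:\Windows\explorer.exe", HIVE + r"\Software\Microsoft\Windows\Shell\Bags\1\Shell"),
]

LOCKY_KEY = re.compile(r"\\Software\\Locky\\", re.IGNORECASE)  # key named in the article
LOCKY_FILE = re.compile(r"\.locky$", re.IGNORECASE)            # extension named in the article
FILE_BURST = 3  # constructed threshold; tune to the environment

def triage_locky(events):
    """Group events by process; flag the Locky registry footprint or a .locky burst."""
    per_proc = defaultdict(lambda: {"image": None, "values": [], "locky_files": 0})
    for ev in events:
        rec = per_proc[ev["ProcessId"]]
        rec["image"] = ev["Image"]
        if ev["EventID"] == 13 and LOCKY_KEY.search(ev["TargetObject"]):
            rec["values"].append(ev["TargetObject"].rsplit("\\", 1)[-1])  # value name
        elif ev["EventID"] == 11 and LOCKY_FILE.search(ev["TargetFilename"]):
            rec["locky_files"] += 1
    findings = []
    for pid, rec in per_proc.items():
        reasons = []
        if rec["values"]:
            reasons.append("registry footprint: " + ", ".join(rec["values"]))
        if rec["locky_files"] >= FILE_BURST:
            reasons.append(f"{rec['locky_files']} .locky files created")
        if reasons:
            findings.append({"pid": pid, "image": rec["image"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(*triage_locky(SAMPLE_EVENTS), sep="\n")
```

The registry write is the higher-confidence signal of the two; the .locky burst alone is only a rename pattern and benefits from a threshold matched to normal file activity on the host.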
After file encryption, the malware changes the desktop background to the recovery-instruction image, which clearly states the procedure to get the private key and decrypt the files.
On following the link to get the private key, the victim lands on the payment procedure page and can buy the Locky decryptor:
Update March 8: Locky is not the ransomware associated with the recent well-publicized attack on a Southern California hospital.
Categories: McAfee Labs