Evolution And History Of Locky Ransomware

Ransomware

A new ransomware family, which Symantec calls Locky, was detected on February 16, 2016. It is spreading quickly: the attackers are pushing it aggressively through compromised websites and massive spam campaigns. Locky encrypts the data files on a victim's computer and appends the ".locky" extension to them. The ransom demanded ranges from 0.5 to 1 Bitcoin.

Spam email campaigns are being used to deliver the infection. The operators send emails disguised as invoices, with Word documents attached that contain a malicious macro. Symantec detects the attachment as W97M.Downloader. Locky is installed on the victim's computer when the user opens the document and runs the macro.

Symantec telemetry shows five distinct spam campaigns being used to spread Locky in February 2016. Some of the emails carried the subject line "ATTN: Invoice J-[RANDOM NUMBERS]"; the rest used "tracking documents". The campaigns are large: by February 17, Symantec's anti-spam systems had blocked 5 million Locky-related emails.

Locky Bears Similarities To Dridex

The spam campaigns spreading Locky closely resemble those used to spread the Dridex financial Trojan. The scale of the campaigns, the emails disguised as financial documents, and the malicious macros in Word attachments lead security researchers to suspect that Locky is being distributed by the Dridex group.

The similarities are not limited to the spam campaigns. The malicious macros used by both malware families employ the same obfuscation techniques and the same non-standard naming conventions. Both Dridex and Locky create a file named "ladybi.exe" on the victim's computer.

There is not yet any conclusive evidence that the same developers are behind both. There are also notable differences. The payloads that Locky downloads differ from the Dridex variants: Locky's payload is not encoded, whereas Dridex's is delivered as an encoded .jpg file. Symantec researchers have also observed the Neutrino exploit kit being used to distribute Locky, a distribution channel that has never been used for Dridex.

Dangerous Threats

Like other ransomware families, Locky uses strong encryption, which makes a victim's data files unrecoverable unless they have backups. Symantec considers Locky a serious threat because the attackers appear to be well resourced: they have managed to distribute the ransomware widely in a short time. Businesses and consumers that do not keep their security software up to date are at high risk.

Locky’s Impact On The Rise

Security researchers believe the impact of this ransomware is growing day by day. For several weeks, activity from both TeslaCrypt and Locky has been at a peak. In January 2016, ransomware infection rates ranged from 10,000 to 15,000 per week; in the first part of February 2016, they climbed to 20,000 per week.

Spread Of Locky

The ransomware's operators are distributing the malicious code through major spam campaigns. The most recent activity, observed on March 11, 2016, is a campaign whose emails are disguised as coming from within the recipient's own network. The subject line is "Scanned Image", and the sender address has the format [RANDOM NUMBER]@[VICTIM DOMAIN].
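The subject lines and spoofed sender format described in the invoice, "tracking documents" and "Scanned Image" campaigns above can be turned into a simple mail-gateway triage check. The following is an added example written for this article, not code from Symantec or the article's author. The subject and sender patterns come from the article; the attachment heuristic (flagging Word documents that can carry a macro) and the sample messages are constructed assumptions.

```python
"""Heuristic triage of inbound mail for the Locky spam campaigns.

Added example.  Subject/sender patterns follow the article; the
macro-capable attachment check and the sample messages are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Subject patterns from the article; bracketed placeholders become regex groups.
INVOICE_SUBJECT = re.compile(r"^ATTN:\s*Invoice\s+J-\d+$", re.IGNORECASE)
TRACKING_SUBJECT = re.compile(r"tracking documents", re.IGNORECASE)
SCANNED_SUBJECT = re.compile(r"^Scanned Image$", re.IGNORECASE)
# Sender format [RANDOM NUMBER]@[VICTIM DOMAIN]
NUMERIC_SENDER = re.compile(r"^\d+@(?P<domain>.+)$")
# Assumption: Word document extensions that can carry a VBA macro.
MACRO_DOC_EXT = (".doc", ".docm", ".dot", ".dotm")


def _domain(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header value."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def locky_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable reasons the message looks like Locky spam."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    sender = parseaddr(msg.get("From") or "")[1]
    reasons = []

    if INVOICE_SUBJECT.match(subject):
        reasons.append("subject matches the 'ATTN: Invoice J-<digits>' campaign")
    elif TRACKING_SUBJECT.search(subject):
        reasons.append("subject matches the 'tracking documents' campaign")

    # A purely numeric local part on the recipient's own domain is the
    # "Scanned Image" campaign's spoofing pattern.
    numeric = NUMERIC_SENDER.match(sender)
    if (SCANNED_SUBJECT.match(subject) and numeric
            and numeric.group("domain").lower() == _domain(msg.get("To"))):
        reasons.append("'Scanned Image' mail with numeric sender spoofing the recipient's own domain")

    # Walk every MIME part; the container parts have no filename.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(MACRO_DOC_EXT):
            reasons.append(f"Word attachment that may carry a macro: {filename}")
    return reasons


# Constructed sample messages (not real captured mail).
SAMPLE_INVOICE = """From: "Accounts" <billing@vendor.example>
To: alice@corp.example
Subject: ATTN: Invoice J-98244331
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your invoice attached.
--b1
Content-Type: application/msword; name="invoice_J-98244331.doc"
Content-Disposition: attachment; filename="invoice_J-98244331.doc"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1--
"""

SAMPLE_SCANNED = """From: 4481207@corp.example
To: alice@corp.example
Subject: Scanned Image
MIME-Version: 1.0
Content-Type: text/plain

Please see the scanned document.
"""

SAMPLE_BENIGN = """From: bob@corp.example
To: alice@corp.example
Subject: Lunch today?
MIME-Version: 1.0
Content-Type: text/plain

Noon?
"""

if __name__ == "__main__":
    for name, raw in (("invoice", SAMPLE_INVOICE), ("scanned", SAMPLE_SCANNED), ("benign", SAMPLE_BENIGN)):
        print(name, "->", locky_indicators(raw) or "no indicators")
```

The sender check deliberately compares the spoofed domain against the recipient's domain rather than against a fixed list, so the same rule works for every organisation the campaign targets; in a real gateway it would be combined with SPF/DKIM results, since legitimate internal mail should not arrive from an outside relay at all.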

Locky has a rich feature set: custom encrypted communication, a domain generation algorithm (DGA), RSA-2048 plus AES-128 file encryption, and Bitcoin/Tor payment. It can encrypt around 160 file types, including source code, databases, and disk images. Security researchers are monitoring Locky constantly and have already seen a new version being distributed with tweaked features and code improvements. Among the changes, the developers added a hard-coded seed to the domain generation algorithm; the new build also deactivates itself on PCs in Russia.
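To show why a hard-coded seed in a DGA matters to defenders, here is a small illustrative time-based DGA. This is an added example and is not Locky's actual algorithm: the hashing scheme, the TLD set, the number of domains per day and the seed values are all arbitrary assumptions. What it demonstrates is general: malware and operator compute the same rendezvous domains from the date and the seed without communicating, a defender who recovers the algorithm can predict and sinkhole them, and a change to the seed invalidates every prediction made with the old one.

```python
"""Illustrative time-based DGA with a hard-coded seed.

Added example, NOT Locky's real DGA.  All constants are assumptions.
"""
import hashlib

TLDS = ("com", "net", "org", "info")  # assumed TLD set

OLD_SEED = 0x1111  # assumed seed recovered from the first version
NEW_SEED = 0xBEEF  # assumed seed shipped in the updated build


def generate_domains(day_iso: str, seed: int, count: int = 8) -> list[str]:
    """Return the rendezvous domains for one calendar day ('YYYY-MM-DD').

    Both the malware and the operator evaluate this function with the same
    seed, so they agree on the domains with no communication.  The hash
    makes the output look random while staying fully deterministic.
    """
    domains = []
    for index in range(count):
        material = f"{seed}:{day_iso}:{index}".encode()
        digest = hashlib.sha256(material).digest()
        # 12 bytes -> 12 lowercase letters; last byte picks the TLD.
        label = "".join(chr(ord("a") + byte % 26) for byte in digest[:12])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_coverage(predicted: list[str], actual: list[str]) -> float:
    """Fraction of the domains the malware will really use that a defender
    predicted (and could therefore have registered or sinkholed)."""
    actual_set = set(actual)
    if not actual_set:
        return 0.0
    return len(set(predicted) & actual_set) / len(actual_set)


def demo(day_iso: str = "2016-03-11") -> tuple[float, float]:
    """Coverage of a blocklist built from the old seed, before and after
    the attacker changes the seed."""
    predicted = generate_domains(day_iso, OLD_SEED)
    before = blocklist_coverage(predicted, generate_domains(day_iso, OLD_SEED))
    after = blocklist_coverage(predicted, generate_domains(day_iso, NEW_SEED))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("blocklist coverage with the recovered seed:", before)
    print("blocklist coverage after the seed changed: ", after)
    for domain in generate_domains("2016-03-11", OLD_SEED):
        print("  ", domain)
```

The two coverage figures are 1.0 and 0.0: the day after a seed change, every pre-registered domain is dead weight until the new binary is reverse-engineered again, which is exactly the cat-and-mouse the article describes.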

Change In Filename With Encryption Of Data Files

When the malicious macro runs on the victim's machine, Locky assigns the victim a unique 16-character hexadecimal ID, such as F67091F1D24A922B. It then scans local drives and unmapped network shares for files to encrypt. Locky encrypts files with AES and renames each encrypted file in the format [unique_id][identifier].locky.

Locky encrypts files on network shares even when they are not mapped to a drive letter. System administrators should therefore lock down open network shares and restrict their permissions. Locky also deletes the Volume Shadow Copies on the victim's computer so that encrypted files cannot be restored from them.

A ransom note is dropped on the desktop and in every folder where files were encrypted. The note is named _Locky_recover_instructions.txt and tells the victim everything they need to know, including the link to the page where the data can supposedly be decrypted.
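The renaming scheme, the network-share behaviour and the ransom-note placement described in the three paragraphs above give an incident responder enough to triage a share quickly: count encrypted files per victim ID, locate the notes, and spot folders where encryption started but no note was dropped. The script below is an added example for this article, not a tool from Symantec or the author. It assumes the unique ID is 16 hex characters (matching the article's sample F67091F1D24A922B) and that the trailing identifier is also hex of unspecified length; the sample directory tree it builds is constructed and the files are empty placeholders.

```python
"""Triage a directory tree for Locky file artefacts.

Added example.  Assumptions: unique_id is 16 hex chars, the identifier is
hex of any length, and the sample tree is constructed (empty files).
"""
import os
import re
import tempfile
from collections import defaultdict

# [unique_id][identifier].locky  (assumed: 16 hex chars + hex of any length)
LOCKY_NAME = re.compile(r"^([0-9A-F]{16})([0-9A-F]+)\.locky$", re.IGNORECASE)
RANSOM_NOTE = "_Locky_recover_instructions.txt"


def triage(root: str) -> dict:
    """Walk root and summarise Locky artefacts.

    Returns encrypted-file counts per victim ID, ransom note paths, and
    directories holding encrypted files but no note (encryption may have
    been interrupted there, or the note deleted).
    """
    victims = defaultdict(int)
    notes = []
    dirs_with_encrypted = set()
    dirs_with_note = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
                dirs_with_note.add(dirpath)
                continue
            match = LOCKY_NAME.match(name)
            if match:
                victims[match.group(1).upper()] += 1
                dirs_with_encrypted.add(dirpath)
    return {
        "victims": dict(victims),
        "encrypted_total": sum(victims.values()),
        "notes": sorted(notes),
        "dirs_without_note": sorted(dirs_with_encrypted - dirs_with_note),
    }


# Constructed sample layout: two victim IDs hit the same share.
SAMPLE_FILES = (
    "finance/F67091F1D24A922B0A1B2C3D4E5F6071.locky",
    "finance/F67091F1D24A922B1122334455667788.locky",
    "finance/_Locky_recover_instructions.txt",
    "hr/F67091F1D24A922B99AABBCCDDEEFF00.locky",
    "hr/_Locky_recover_instructions.txt",
    "hr/payroll.xlsx",
    "shared/not_locky.txt",
    "shared/0123456789ABCDEF0000111122223333.locky",  # second machine, no note yet
)


def build_sample_tree() -> str:
    """Create the constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="locky-triage-")
    for relpath in SAMPLE_FILES:
        path = os.path.join(root, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"")  # placeholder content only
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print("encrypted files:", result["encrypted_total"])
    for victim_id, count in result["victims"].items():
        print(f"  victim {victim_id}: {count} files")
    print("ransom notes:", len(result["notes"]))
    print("folders with encrypted files but no note:", result["dirs_without_note"])
```

Grouping by victim ID is the useful part: on a shared drive it separates "one workstation encrypted three folders" from "two workstations are infected", which changes the scope of the containment step (isolating hosts, not just restoring the share).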

The Decrypter Page

The ransom note contains a link to the decrypter page. The page tells the victim how much bitcoin to pay, how to buy bitcoins, and where to send them. Once the payment is made, the victim is offered a decrypter for their files.

Future Of Locky

Locky is currently proving to be a leader in the ransomware field. Its rich feature set, including massive email campaigns, generic PE packers, a time-based DGA, multiple scripting languages, server-side key generation, and Bitcoin/Tor payment, has alarmed researchers.

The developers are capable of improving the malware further. When the antivirus industry tried to block the ransomware, they responded immediately by modifying the DGA, and they patched the minor bugs in the first version. All of this indicates that Locky will be a tough ransomware for security researchers to crack.


David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, David has interviewed security celebrities such as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.