The Locky ransomware was first spotted in the wild in February 2016. Locky came into the limelight when it hit the Hollywood Hospital last month, causing the hospital to pay $17,000 worth of Bitcoin in ransom. Locky is known to arrive via spam e-mails containing malicious attachments.
Zscaler has blocked over 75 unique & new payloads from this ransomware family targeting our customers in the last month, as shown below:
|Locky ransomware unique payloads blocked|
The Locky payload delivery mechanism
A sample malicious document from a Locky spam campaign, containing a VBA macro designed to download the Locky payload from a predetermined remote location, can be seen below:
We have seen a large uptick in the delivery of Locky payloads during the month of March 2016.
|Uptick in Locky payloads getting blocked|
We looked at one of the newer Locky variants seen in the wild recently. The analyzed Locky payload is a 32-bit Microsoft Visual C++ compiled Windows executable packed using a custom packer routine.
Upon execution, the malware first checks the user & system default language preferences of the infected system and terminates itself if the language is Russian. Locky creates a copy of itself as "%TEMP%/svchost.exe" and adds an autostart registry key entry to ensure persistence across system reboots. To mark a successful infection on the system, Locky creates the following registry keys with the value names "pubkey" and "paytext", as seen below:
|Locky registry key|
"pubkey" is used to store the RSA key used for encryption
"paytext" is used to store the payment related information
Upon successful infection, Locky will encrypt the following file types on the victim machine:
|File types encrypted|
These encrypted files are renamed to the unique ID generated for the victim's machine, followed by a unique file ID and a ".locky" extension. The ransom note is displayed in a bitmap image that is also set as the wallpaper of the infected user's desktop, as seen below:
As with other crypto ransomware families, the victim's files are held hostage for a ransom. The ransom payment instructions for receiving the private RSA key required to decrypt the user's files are readily available through the URLs mentioned in the ransom note.
Command & Control communication
The Locky payload contains a list of hardcoded Command & Control (C&C) server IP addresses that appear in plain text in the unpacked binary, as seen below:
|Hardcoded C&C IPs|
In addition, Locky also leverages a custom Domain Generation Algorithm (DGA) to hide its C&C server location. The DGA used to generate candidate C&C domains in the payload we analyzed can be seen below:
|Domain Generation Algorithm|
Locky communicates with the C&C server using custom encryption and the following HTTP request format:
POST http:// [hardcoded IP or DGA domain]/main.php
|Sample encrypted C&C communication|
The initial C&C communication typically consists of three HTTP POST requests.
Request #1: Register the infected system's unique ID and request the RSA key to be used for encrypting user files. The figure below shows the content of this POST request in plain text:
|C&C request #1|
The server responds with an RSA key that Locky uses to encrypt all of the user's files on the victim machine.
Request #2: Request the content of the ransom note to be displayed on the infected system, asking for payment. Below is the content of this POST request as well as the response from the C&C server in decoded form:
|C&C request #2 & response|
Request #3: The final request sends statistics about the successfully encrypted files, as seen below:
|C&C request #3|
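The check-in sequence above suggests a simple network-side detection. The following is an added example, not code from the Zscaler post: it scans constructed proxy log lines for POST requests to /main.php sent either directly to an IP literal (matching the hardcoded C&C IPs) or repeatedly to a host outside an allowlist (as a DGA domain would be); the log format, the sample hosts and the three-POST threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for the demo (not taken from the original post):
# "<timestamp> <client-ip> <method> <url>"
SAMPLE_LOG = """\
2016-03-10T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html
2016-03-10T10:01:05Z 10.0.0.5 POST http://192.0.2.10/main.php
2016-03-10T10:01:06Z 10.0.0.5 POST http://192.0.2.10/main.php
2016-03-10T10:01:09Z 10.0.0.5 POST http://192.0.2.10/main.php
2016-03-10T10:02:00Z 10.0.0.7 POST http://intranet.example.com/main.php
2016-03-10T10:03:00Z 10.0.0.9 POST http://qwzkrtbv.example/main.php
2016-03-10T10:03:01Z 10.0.0.9 POST http://qwzkrtbv.example/main.php
2016-03-10T10:03:04Z 10.0.0.9 POST http://qwzkrtbv.example/main.php
2016-03-10T10:04:00Z 10.0.0.11 POST http://198.51.100.7/main.php
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/[^?#]*)?", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def is_main_php_post(method, url, allowlist):
    """True for a POST to /main.php on a host that is not allowlisted:
    the request shape described for Locky's C&C check-in."""
    m = URL_RE.match(url)
    if method.upper() != "POST" or not m:
        return False
    host, path = m.group(1).lower(), (m.group(2) or "/")
    return path == "/main.php" and host not in allowlist

def find_suspects(log_text, allowlist=frozenset(), min_posts=3):
    """Return {client: sorted hosts} for clients that POST /main.php to an IP literal
    (hardcoded C&C IP) or send at least min_posts such POSTs to one host
    (the three-request initial exchange)."""
    counts = defaultdict(int)  # (client, host) -> number of /main.php POSTs
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, url = m.groups()
        if is_main_php_post(method, url, allowlist):
            counts[(client, URL_RE.match(url).group(1).lower())] += 1
    suspects = defaultdict(set)
    for (client, host), n in counts.items():
        if IPV4_RE.match(host) or n >= min_posts:
            suspects[client].add(host)
    return {c: sorted(h) for c, h in suspects.items()}

if __name__ == "__main__":
    for client, hosts in find_suspects(SAMPLE_LOG, {"intranet.example.com"}).items():
        print(f"{client}: possible Locky C&C check-in to {', '.join(hosts)}")
```

Hits should be correlated with the other indicators described above (the svchost.exe copy in %TEMP%, the "pubkey"/"paytext" values, and .locky renames) before treating a host as infected.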
Locky is the latest addition to ransomware, one of the most active & lucrative malware categories seen in the past three years. This new ransomware family follows the same model of using asymmetric (public key) encryption to lock user documents and demand a ransom for the decryption key. The delivery vector has primarily been spammed e-mail attachments that download the Locky payload. We also noticed an interesting overlap in the recent campaigns, where the same URLs were being used to deliver both Dridex & Locky payloads.
Zscaler’s ThreatLabZ has confirmed coverage for the initial downloader and Locky payloads, ensuring protection for organizations using Zscaler’s Internet security platform.
Research by: Deepen Desai, Dhanalakshmi PK