Ransomware is a cash-in machine for criminals, and we have just spotted another one come alive this week. Since 16 February, the AnubisNetworks Labs team has been tracking Locky, a malware that, given the high volume of its distribution campaigns, will rival the big ones such as CryptoWall.
Locky ransom message on an infected system
Locky is delivered mostly via email distribution campaigns that have much in common with another well-known threat: Dridex. In fact, the email templates used are almost the same as those Bartallex uses to drop Dridex, as you can see here and here.
The email has a Microsoft Office document attached that, when opened and if the user enables macros to run, will download and install the Locky payload.
Sample of an email message sent to deliver Locky
Execution and C2 Communication
After installation the malware performs the following actions:
- It deletes Volume Shadow Copies to prevent any system backup stored on the infected computer from being restored.
- It contacts the command and control (C2) systems to check in and request a new public/private key pair to use for encryption.
- The C2 generates the public/private key pair on the server side and responds to the infected system with the public key only.
- The encryption process starts, encrypting files with the extensions listed below using the generated public key.
- When the encryption process finishes, the malware requests the ransom text to be displayed to the victim, dropping the file _Locky_recover_instructions.txt into every folder that has encrypted files and setting a new wallpaper, _Locky_recover_instructions.bmp.
The malware communicates with its command and control using hardcoded IP addresses and a DGA (domain generation algorithm). Thanks to Jørgen at Norwegian HelseCERT, we provide some generated domains in the IOCs section of this post.
Locky looks for files to encrypt on both the local file system and network shares. The following file types are encrypted with RSA-2048 and AES-128:
The malware also encrypts the original file name and appends the .locky extension to the encrypted files.
The user's Pictures library after the encryption process
The Ransom Page
But not all is bad news! Locky is "friendly" to its victims and doesn't put extra pressure on this awful process: unlike other ransomware, there is no time limit to pay the ransom, or at least none is advertised at this moment. Normally, ransomware doubles the ransom amount after 48h or so.
After paying 0.5 BTC, it’s possible to download the Locky Decrypter.
The original payment site
The second version of the payment site
We have been collecting Locky telemetry since it was first seen in the wild. The following graph shows unique IP addresses infected with Locky that contacted our Cyberfeed platform in a 48-hour time window, collected from 2016-02-16 17:00 UTC to 2016-02-18 17:00 UTC.
The cumulative sum of infected systems is above 4500. These are actual infections where the encryption process has already taken place.
The real number of infected systems is slightly higher, since infections are tracked by their public IP addresses and it is common on corporate networks for all infected systems to reach the Internet through the same IP address.
Graph of hits on our sinkholes for a 48h period
You can see volume peaks that represent newly infected systems after massive distribution campaigns.
Here you can see the geographic dispersion of the infections:
Heatmap of Locky infections
Infections by country - Top 40:
4500 infected systems may seem a small number given the observed email distribution campaigns (see here), but at 0.5 BTC per infection you can do the math and see that the criminals are making big money with this.
Well, we will do the math for you: 0.5 BTC at the current conversion rate translates to €188 (or $210), so 4500 infected systems are a potential gain of almost €850,000 (or $943,000) in only two days of operation.
How to Protect
What should you do to stay out of the ransom party?
You can start by hunting for infected machines in your network using the Indicators of Compromise (IOCs) provided below, which include file artifacts left by the malware, C2 IP addresses and domains generated by the Locky DGA. These can also help you produce a decent perimeter blocklist that prevents newly infected systems from reaching the Locky C2 and starting the encryption process.
But as with every ransomware threat, preparation and defense in depth work better:
- Don’t allow macros to be executed on Microsoft Office applications;
- Application whitelisting;
- User awareness;
- Antivirus with updated signatures.
Indicators of Compromise
*.locky (extension appended to encrypted files)
vssadmin.exe Delete Shadows /All /Quiet
C2 - URL payload download
C2 - IP addresses
C2 - Tor payment pages (also tor2web variants)
C2 - examples of the DGA generated domains
SHA256 - Office attachments samples
SHA256 - PE EXE Locky payload samples
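The host-based IOCs above (the vssadmin shadow-copy deletion, the .locky extension and the _Locky_recover_instructions ransom-note files) can be turned into a simple hunting pass over endpoint telemetry. The following is an added example written for this post, not AnubisNetworks code; the event records, host names and file paths are constructed, and the verdict rule (ransom note present, or shadow-copy deletion together with .locky files) is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry), shaped loosely like
# endpoint process-creation and file-creation records.
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "process",
     "cmd": r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-17", "type": "file",
     "path": r"C:\Users\ana\Pictures\A1B2C3D4E5F60718.locky"},
    {"host": "ws-17", "type": "file",
     "path": r"C:\Users\ana\Pictures\_Locky_recover_instructions.txt"},
    {"host": "ws-22", "type": "process", "cmd": r"vssadmin.exe list shadows"},
    {"host": "ws-22", "type": "file", "path": r"C:\Users\bob\Documents\report.docx"},
    # A share server only sees the encrypted output; the writer is a client.
    {"host": "srv-fs01", "type": "file", "path": r"\\srv-fs01\share\budget.xlsx.locky"},
]

# Patterns derived from the IOCs listed in the post.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all", re.IGNORECASE)
LOCKY_EXT = re.compile(r"\.locky$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"_Locky_recover_instructions\.(txt|bmp)$", re.IGNORECASE)


def classify(event):
    """Return the name of the IOC an event matches, or None."""
    if event["type"] == "process" and SHADOW_DELETE.search(event["cmd"]):
        return "shadow_copy_deletion"
    if event["type"] == "file":
        if RANSOM_NOTE.search(event["path"]):
            return "ransom_note"
        if LOCKY_EXT.search(event["path"]):
            return "locky_extension"
    return None


def hunt(events):
    """Group IOC matches per host. A host that dropped the ransom note, or
    that deleted shadow copies and wrote .locky files, is marked infected;
    any other host with a single IOC hit is marked suspicious."""
    hits = defaultdict(set)
    for ev in events:
        ioc = classify(ev)
        if ioc:
            hits[ev["host"]].add(ioc)
    verdict = {}
    for host, iocs in hits.items():
        strong = "ransom_note" in iocs or {"shadow_copy_deletion", "locky_extension"} <= iocs
        verdict[host] = "infected" if strong else "suspicious"
    return verdict


if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

A .locky file on a share server points at a client on that share, so the "suspicious" verdict is a prompt to check which account wrote the file rather than a verdict on the server itself.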
19th February 2016