Analysis on Locky, a new ransomware passed by email

Source: Internet
Author: User
Tags: locky, ransomware

Locky is a new family of ransomware spread through spam, with features resembling those of the Dridex Trojan.
Locky can bypass anti-spam filters, among other defences, and uses social engineering to trick users into opening Microsoft Office attachments to emails. Once running, Locky uses RSA-2048 and AES-1024 encryption to encrypt a large number of files and then asks the victim to pay a ransom to recover their files.

Locky ransomware delivered through spam
We use oledump to list the document streams and extract the macros:
    A: word/vbaProject.bin
     A1:       533 'PROJECT'
     A2:        95 'PROJECTwm'
     A3:        97 'UserForm1/\x01CompObj'
     A4:       290 'UserForm1/\x03VBFrame'
     A5:       131 'UserForm1/f'
     A6:       180 'UserForm1/o'
     A7: M   34196 'VBA/lele1'
     A8: M    1537 'VBA/ThisDocument'
     A9: m    1336 'VBA/UserForm1'
    A10:      6917 'VBA/_VBA_PROJECT'
    A11:      1391 'VBA/__SRP_0'
    A12:       110 'VBA/__SRP_1'
    A13:       292 'VBA/__SRP_2'
    A14:       103 'VBA/__SRP_3'
    A15:       790 'VBA/dir'
The .doc file contains embedded macros (the streams flagged M above) that download Locky and infect the host. In this example, the download URL is:
hxxp://olvikt.freedomain.thehost.com[.]ua/admin/js/7623dh3f.exe
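The oledump listing above is the kind of output an analyst reads by hand when triaging an attachment. The following script is an added example (not part of the original analysis and not oledump's own code) that parses such a listing and reports which streams oledump flagged as VBA modules: oledump marks a stream with a capital M when it contains macro code and with a lowercase m when the module holds only attribute lines and no code. The embedded listing reproduces the one from this article with stream names in oledump's usual casing; the parsing and triage functions are this example's own.

```python
import re
from typing import Dict, List

# oledump listing of the Locky dropper document from the analysis above,
# reproduced here as sample input (casing of stream names normalised).
OLEDUMP_LISTING = """\
A: word/vbaProject.bin
 A1:       533 'PROJECT'
 A2:        95 'PROJECTwm'
 A3:        97 'UserForm1/\\x01CompObj'
 A4:       290 'UserForm1/\\x03VBFrame'
 A5:       131 'UserForm1/f'
 A6:       180 'UserForm1/o'
 A7: M   34196 'VBA/lele1'
 A8: M    1537 'VBA/ThisDocument'
 A9: m    1336 'VBA/UserForm1'
A10:      6917 'VBA/_VBA_PROJECT'
A11:      1391 'VBA/__SRP_0'
A12:       110 'VBA/__SRP_1'
A13:       292 'VBA/__SRP_2'
A14:       103 'VBA/__SRP_3'
A15:       790 'VBA/dir'
"""

# One stream line: index, optional macro flag (M = code, m = attributes only),
# size in bytes, and the quoted stream name.
STREAM_RE = re.compile(r"^\s*([A-Z]\d+):\s+([Mm])?\s*(\d+)\s+'(.*)'\s*$")


def parse_oledump(listing: str) -> List[Dict]:
    """Turn an oledump stream listing into a list of stream records."""
    streams = []
    for line in listing.splitlines():
        match = STREAM_RE.match(line)
        if not match:
            continue  # container header ("A: word/vbaProject.bin") or unrelated text
        index, flag, size, name = match.groups()
        streams.append({"index": index, "flag": flag or "", "size": int(size), "name": name})
    return streams


def macro_streams(listing: str, with_code_only: bool = True) -> List[str]:
    """Names of VBA module streams; by default only those oledump flagged as containing code."""
    wanted = {"M"} if with_code_only else {"M", "m"}
    return [s["name"] for s in parse_oledump(listing) if s["flag"] in wanted]


def triage(listing: str) -> Dict:
    """Summarise the macro content of a document for an attachment-screening decision."""
    streams = parse_oledump(listing)
    code_modules = [s["name"] for s in streams if s["flag"] == "M"]
    code_bytes = sum(s["size"] for s in streams if s["flag"] == "M")
    return {
        "stream_count": len(streams),
        "has_vba_code": bool(code_modules),
        "code_modules": code_modules,
        "code_bytes": code_bytes,
    }


if __name__ == "__main__":
    print(triage(OLEDUMP_LISTING))
```

For the Locky dropper, the triage result shows two modules with code ('VBA/lele1' and 'VBA/ThisDocument', about 35 KB of macro source in total), which is what a screening gateway would use to quarantine the attachment before a user ever opens it.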
0x01 Malware details
The malware also includes anti-analysis and anti-sandbox protection measures:
[Figure: anti-debug function]
To fingerprint the system environment and avoid automated analysis systems, the malware author calls a number of API functions:
[Figure: API functions called by Locky]
0x02 Malware behaviour
Locky creates a copy of itself in the following location:
C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp
During infection, Locky creates the following registry values:
[Figure: registry values]
HKCU\Software\Locky\id: a unique ID assigned to the victim.
HKCU\Software\Locky\pubkey: the RSA public key.
HKCU\Software\Locky\paytext: the ransom note text.
HKCU\Software\Locky\completed: ransom note text.
HKCU\Control Panel\Desktop\Wallpaper ("%UserProfile%\Desktop\_Locky_recover_instructions.bmp"): changes the desktop wallpaper to display the ransom note:
[Figure: Locky wallpaper]
Like other ransomware, Locky drops text instructions on the host pointing to several Tor domain names. Because many users are unfamiliar with Tor, Locky also lists services such as tor2web to help victims reach the hidden server more easily.
In the infected environment, we found the ransomware's TXT note:
[Figure: Locky ransom note]
Locky searches for multiple file types and encrypts them:
.asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .psms, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, and so on.
Locky also calls the VSSADMIN command to delete the volume shadow copies, so that files cannot be restored from them.
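The registry values listed above, the wallpaper change and the vssadmin shadow-copy deletion are all host behaviours that endpoint telemetry can catch. The script below is an added example, not part of the original analysis, that runs simple detection rules over a handful of constructed Sysmon-style events (registry SetValue and process-creation records; the sample events are made up for this example and are not real telemetry). The Locky registry path, the wallpaper file name and the vssadmin behaviour come from the analysis above; the rule that flags a process running from a sys????.tmp file in the user's Temp folder is an assumption generalised from the single path observed here.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed Sysmon-style events for this example (EventID 13 = registry value set,
# EventID 1 = process creation). Sysmon records HKCU keys under HKU\<SID>, so the
# rules below match on the key suffix rather than on the "HKCU" prefix.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Locky\id", "Details": "0123456789ABCDEF"},
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp",
     "TargetObject": r"HKU\S-1-5-21-1111\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\Admin\Desktop\_Locky_recover_instructions.bmp"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\sysC4E6.tmp"},
    # Benign activity on a second host: a normal wallpaper change and a read-only vssadmin call.
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-2222\Control Panel\Desktop\Wallpaper",
     "Details": r"C:\Users\Bob\Pictures\beach.jpg"},
    {"EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe List Shadows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

LOCKY_KEY_RE = re.compile(r"\\Software\\Locky\\(id|pubkey|paytext|completed)$", re.IGNORECASE)
WALLPAPER_KEY_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)
RANSOM_WALLPAPER_RE = re.compile(r"_Locky_recover_instructions\.bmp$", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
# Assumption: generalises the one observed copy path (sysC4E6.tmp) to sys + 4 hex digits.
TEMP_COPY_RE = re.compile(r"\\AppData\\Local\\Temp\\sys[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def evaluate(events: List[Dict]) -> List[Dict]:
    """Apply each rule to each event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        host = ev.get("Computer", "?")
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        image = ev.get("Image", "")
        cmdline = ev.get("CommandLine", "")
        if ev.get("EventID") == 13 and LOCKY_KEY_RE.search(target):
            alerts.append({"host": host, "rule": "locky_registry_key", "evidence": target})
        if ev.get("EventID") == 13 and WALLPAPER_KEY_RE.search(target) and RANSOM_WALLPAPER_RE.search(details):
            alerts.append({"host": host, "rule": "ransom_wallpaper", "evidence": details})
        if ev.get("EventID") == 1 and image.lower().endswith("vssadmin.exe") and SHADOW_DELETE_RE.search(cmdline):
            alerts.append({"host": host, "rule": "shadow_copy_deletion", "evidence": cmdline})
        if TEMP_COPY_RE.search(image):
            alerts.append({"host": host, "rule": "temp_copy_execution", "evidence": image})
    return alerts


def rules_by_host(alerts: List[Dict]) -> Dict[str, Set[str]]:
    """Collapse alerts to the set of distinct rules that fired per host."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        hits[a["host"]].add(a["rule"])
    return dict(hits)


if __name__ == "__main__":
    for host, rules in rules_by_host(evaluate(SAMPLE_EVENTS)).items():
        print(host, sorted(rules))
```

Shadow-copy deletion on its own is sometimes legitimate administrative work, so in practice the vssadmin rule is best weighted by its parent process (here a binary in the user's Temp folder) and combined with the registry and wallpaper signals rather than acted on alone.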
0x03 Basic Locky structure
After accessing the hidden Tor website, you will see the following page:
[Figure: Locky decryption page]
If we keep tracking this data, we can learn how many victims use the payment option to restore their data:

For command and control, Locky uses conventional server infrastructure and requests the /main.php file:
[Figure: POST request, Locky trying to communicate with its control server]
Locky also has a domain generation algorithm (DGA) for locating its control servers. If we analyze the traffic, we can see requests for several DGA domains:
[Figure: DNS requests to different control servers]
Every day, Locky tries to connect to a different set of DGA domains around the world.
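Both network behaviours described above, the POST to /main.php and the daily burst of DGA lookups, leave traces in ordinary DNS and proxy logs. The script below is an added example (not part of the original analysis) that scores hosts on constructed log lines: it counts, per host, the distinct NXDOMAIN answers whose second-level label is long and high-entropy (a generic DGA heuristic, not Locky's actual algorithm), and separately flags POST requests to /main.php. The log formats, host names, domains and the 198.51.100.23 address are all made up for this example; the scoring weights are the example's own choice, with the /main.php indicator deliberately weighted low because the path alone is too generic to act on.

```python
import math
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlparse

# Constructed DNS log: "<timestamp> <host> <query name> <rcode>" (not captured traffic).
DNS_LOG = """\
2016-02-17T10:00:01 ws01 www.example.com NOERROR
2016-02-17T10:00:02 ws01 ksdjfhwqpe.example NXDOMAIN
2016-02-17T10:00:02 ws01 xvqzplmtrw.example NXDOMAIN
2016-02-17T10:00:03 ws01 bnyufgdwqk.example NXDOMAIN
2016-02-17T10:00:03 ws01 trhmcxapjz.example NXDOMAIN
2016-02-17T10:00:04 ws02 examlpe.com NXDOMAIN
2016-02-17T10:00:05 ws02 update.example.org NOERROR
"""

# Constructed proxy log: "<timestamp> <host> <method> <url>".
PROXY_LOG = """\
2016-02-17T10:00:06 ws01 POST http://198.51.100.23/main.php
2016-02-17T10:00:07 ws02 GET http://www.example.com/index.html
2016-02-17T10:00:08 ws02 POST http://www.example.org/main.php
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; random-looking labels score higher than words."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld_label(qname: str) -> str:
    """Label directly left of the TLD. Simplification: ignores multi-part suffixes such as co.uk."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_suspects(dns_log: str, min_entropy: float = 3.0, min_len: int = 8, min_count: int = 3) -> Dict[str, List[str]]:
    """Hosts with at least min_count distinct NXDOMAIN answers for random-looking domains."""
    per_host: Dict[str, set] = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue
        _, host, qname, _ = parts
        label = sld_label(qname)
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            per_host[host].add(qname)
    return {h: sorted(q) for h, q in per_host.items() if len(q) >= min_count}


def main_php_posts(proxy_log: str) -> Dict[str, List[str]]:
    """POST requests whose path is exactly /main.php, grouped by host."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "POST":
            continue
        if urlparse(parts[3]).path == "/main.php":
            hits[parts[1]].append(parts[3])
    return dict(hits)


def correlate(dns_log: str, proxy_log: str, threshold: int = 2) -> Dict[str, Dict]:
    """Combine both signals into a per-host score; only hosts at or above threshold are flagged."""
    report: Dict[str, Dict] = defaultdict(lambda: {"score": 0, "reasons": []})
    for host, domains in dga_suspects(dns_log).items():
        report[host]["score"] += 2
        report[host]["reasons"].append(f"{len(domains)} DGA-like NXDOMAIN lookups")
    for host, urls in main_php_posts(proxy_log).items():
        report[host]["score"] += 1
        report[host]["reasons"].append(f"POST to /main.php ({len(urls)})")
    return {h: dict(r, flagged=r["score"] >= threshold) for h, r in report.items()}


if __name__ == "__main__":
    for host, entry in correlate(DNS_LOG, PROXY_LOG).items():
        print(host, entry)
```

On the sample data ws01 is flagged (four random-looking NXDOMAIN lookups plus the /main.php POST), while ws02, whose only NXDOMAIN is a typo of a real name and whose /main.php POST goes to an ordinary website, stays below the threshold.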

0x04 Connection with Dridex
When we analyzed Locky activity, we found that it and Dridex appear to share some of the same infrastructure. You can read more at McAfee Labs.
