6. Locky

Locky ransomware was spread using spam email campaigns and exploit kits. It was the ransomware that, in early 2016, hit numerous industries and hospitals in the U.S.; one hospital was believed to have paid a ransom of ~$17,000 to get its files back from their encrypted state. It evolved over time and came out with multiple updated versions to evade detection by the security products available on the market. Locky vanished for some time and came back in the second half of 2017, via a Necurs botnet spam campaign.

In an email spam campaign, the Locky infection vector arrived in many forms:

  • Microsoft Office (.doc, .docx, .xls, .xlsx and so on) with VBA macro
  • JavaScript (.js), JavaScript Encoded (.jse)
  • VBScript (.vbs), PowerShell Script (.ps1)
  • Windows script file (.wsf)
  • Compiled HTML (.chm), HTML application (.hta)
  • Link shortcut (.lnk)
  • Windows executable (.exe)
  • Windows Dynamic Link Library (.dll)
  • Flash exploits (.swf) and exploit kits

The initial version injected itself into the Windows Explorer process, but it was easily identified by some registry keys. Here are the registry entries created by the initial version of Locky:

HKCU\SOFTWARE\LOCKY

  • Id
  • pubkey
  • paytext
  • completed

Each registry value under this key was used for a different purpose. The "ID" value is a unique number used to identify a victim infected by Locky. The "pubkey" value stores the RSA public key used by Locky in the encryption process. The "paytext" value stores the ransom note. The "completed" value records whether the process of encrypting files is over or not; if not, Locky will start encrypting the files on the system. A Locky infection was easily identified on a system because of the above-mentioned registry keys. Later on, Locky created registry keys with random names but used them for the same purpose, which still kept its detection easy.

Locky never infects files or folders (and their subfolders) in the following list (a case-insensitive match is used):

  1. "Windows"
  2. "Boot"
  3. "System Volume Information"
  4. "$Recycle.Bin"
  5. "Thumbs.db"
  6. "Temp"
  7. "Program Files"
  8. "Program Files (x86)"
  9. "AppData"
  10. "Application Data"
  11. "Winnt"
  12. "Tmp"
  13. "_Locky_recover_instructions.txt"
  14. "_Locky_recover_instructions.bmp"

The initial versions of Locky added the file extension .locky. Later updated versions used different file extensions such as .lukitus, .asasin, .ykcol, .diablo6, .zepto, .odin, .shit, .thor, .aesir, .osiris, .loptr and .zzzzz.

The encryption algorithm in Locky was strong, RSA-2048 and AES-128, with the key generation done on the server side, which made it harder to decrypt the files without paying a ransom.

It evolved to use a Domain Generation Algorithm (DGA), explained in Chapter 1, Malware from Fun to Profit, where the domain name was generated with a random length of 5 to 15 characters, and the rest of the CnC information looks like the following string:

rupweuinytpmusfrdeitbeuknltf/[main/].php

If you observe the above string, you can see it is composed of top-level domain names (TLDs). The string can be broken into "ru", "pw", "eu", "in", "yt" and so on. "ru" represents Russian domains, "pw" Palau domains and "in" Indian ones. Locky uses permutations and combinations of these TLDs to generate a domain name. We already know that the motive of a DGA is to evade network security software.

Some of its later versions came with an interesting sandbox evasion technique where the Locky executable binary or dynamic-link library required a command-line parameter to run successfully.

It used that parameter to generate a key to decrypt the actual Locky infection code, which sometimes helped it to evade detection.

One of the interesting facts was that it devastated unprotected MongoDB installations by encrypting their dependent files and databases.

Post-infection, it drops the following files to show the warning message and ransom payment information:

  • _Locky_recover_instructions.bmp
  • _Locky_recover_instructions.txt

Memory or unpacked Locky strings

Locky memory had the following strings:

  • _Locky_recover_instructions.bmp
  • _Locky_recover_instructions.txt
  • help_instructions.html
  • help_instructions.txt
  • .locky

Administrators and researchers could create malware detection rules using these strings.
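As an added example (not code from the book), a small Python scanner that looks for the memory strings above in a file or process dump, matching both the ASCII form and the UTF-16LE ("wide") form Windows code often stores, and flagging a buffer only when several distinct indicators appear. The three-hit threshold and the sample buffer are constructed for this example.

```python
import re

# Strings the chapter lists from Locky's unpacked memory.
LOCKY_STRINGS = [
    "_Locky_recover_instructions.bmp",
    "_Locky_recover_instructions.txt",
    "help_instructions.html",
    "help_instructions.txt",
    ".locky",
]


def _patterns(s: str):
    """Yield compiled patterns for the ASCII and UTF-16LE ('wide') forms of s.
    Windows binaries keep many strings as wide chars, so an ASCII-only scan
    misses them; matching is case-insensitive, like Locky's own path checks."""
    yield "ascii", re.compile(re.escape(s.encode("ascii")), re.IGNORECASE)
    yield "wide", re.compile(re.escape(s.encode("utf-16-le")), re.IGNORECASE)


def locky_string_hits(data: bytes) -> dict:
    """Return {indicator: [(encoding, offset), ...]} for every indicator found."""
    hits = {}
    for s in LOCKY_STRINGS:
        for enc, pat in _patterns(s):
            for m in pat.finditer(data):
                hits.setdefault(s, []).append((enc, m.start()))
    return hits


def is_locky_like(data: bytes, min_hits: int = 3) -> bool:
    """Flag the buffer when at least min_hits distinct indicators are present.
    The threshold is an assumption for this example: a single ransom-note name
    also shows up in benign places such as AV signatures and documentation."""
    return len(locky_string_hits(data)) >= min_hits


def scan_file(path: str, min_hits: int = 3) -> bool:
    """Scan a dumped process region or an unpacked sample on disk."""
    with open(path, "rb") as f:
        return is_locky_like(f.read(), min_hits)


# Constructed sample buffer standing in for a memory dump (not a real Locky dump).
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "_Locky_recover_instructions.bmp".encode("utf-16-le") + b"\x00\x00"
    + b"help_instructions.html\x00"
    + ".locky".encode("utf-16-le") + b"\xcc" * 8
)

if __name__ == "__main__":
    for name, where in locky_string_hits(SAMPLE_DUMP).items():
        print(f"{name}: {where}")
    print("Locky-like:", is_locky_like(SAMPLE_DUMP))
```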

When it came to payment, it demanded ~0.5 Bitcoin, equivalent to ~$400-500 when the value of Bitcoin was around $900-1000; in 2017 some variants demanded $900, and the ransom also went up to $1000.

Ransom note from Locky

Like its predecessors, it also cleared restore points and shadow volume copies from the infected machine to prevent the recovery process.
