The Locky-ness Monster

Details on Locky ransomware sightings

Bryan Pasquale

March 22, 2016 - Posted by Bryan Pasquale to Security Insight


While the title of this post may be a little wacky wordplay, the threat I’m about to discuss is no joke. Locky ransomware has recently hit the scenes of the security world and can be incredibly damaging and costly.

What’s the risk?

Not only does Locky encrypt every commonly used file type on your workstation, it also attacks all networked drives, even unmapped ones. In addition to encrypting everything, Locky renames every file to a unique title with the “.locky” extension. Like the CryptoWall ransomware seen over the last year, Locky changes the names of the encrypted files to make it harder to recover the correct data. The malware also deletes all existing Volume Shadow Copy files on the machine so the victim cannot roll back to previous versions of their files.

How does it get on my system?

Locky is typically delivered through spam e-mails with familiar subjects and messages. The e-mail may say, “Please see attached invoice,” or something similar. The attachment is a Microsoft Word document that instructs the reader to enable macros. If the unsuspecting victim follows the instructions, a script downloads the Locky payload and executes it. Once it is there, the program runs from the %Temp% folder and assigns the victim a unique 16-character hexadecimal identifier for reference on the remote server. The program then scans the computer for all files and drives that can be encrypted.

What encryption method is used and which file extensions are affected?

Locky uses the AES encryption algorithm to encrypt every file with one of the following extensions:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

One caveat that has been noticed, a chink in the armor if you will, is that Locky does not encrypt any file whose full path or file name contains any of the following strings:

tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows
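To put the two rules above to defensive use, here is an added Python example (not from the original post or Solutionary) that classifies file paths on a host or share as at risk, skipped by the exclusion strings, or already renamed to .locky, so exposed data can be prioritised for offline backup and an infection can be scoped. It assumes a case-sensitive substring match for the exclusion strings and a case-insensitive suffix match for extensions, uses only a subset of the extension list, and the sample paths are constructed.

```python
import os

# Subset of the extensions the post lists; extend with the full list as needed.
# Matched as path suffixes so ".tar.bz2" and "wallet.dat" are handled correctly.
TARGET_SUFFIXES = (".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".tar.bz2",
                   ".vmdk", ".sql", ".pem", ".key", "wallet.dat")
# Strings the post says Locky skips when they appear anywhere in the full path.
EXCLUDED_SUBSTRINGS = ("tmp", "winnt", "Application Data", "AppData",
                       "Program Files (x86)", "Program Files", "temp",
                       "thumbs.db", "$Recycle.Bin", "System Volume Information",
                       "Boot", "Windows")
# Constructed sample paths (no real hosts); the .locky file name is made up.
SAMPLE_PATHS = [
    r"\\fileserver\finance\Q1\invoices.xlsx",
    r"C:\Users\alice\AppData\Local\cache\report.docx",
    r"C:\Users\alice\Documents\backup.tar.bz2",
    r"C:\Windows\System32\drivers\etc\hosts.txt",
    r"D:\shares\hr\A1B2C3D4E5F60718.locky",
    r"C:\temp\notes.txt",
    r"C:\Users\alice\wallet.dat",
]

def is_excluded(path):
    # Assumption: plain, case-sensitive substring match, as the post lists them.
    return any(s in path for s in EXCLUDED_SUBSTRINGS)

def is_targeted(path):
    """True if, by the post's rules, Locky would encrypt this file."""
    if is_excluded(path):
        return False
    lower = path.lower()  # assumption: extension match is case-insensitive
    return any(lower.endswith(s.lower()) for s in TARGET_SUFFIXES)

def classify(paths):
    """Split paths into (at_risk, skipped, already_encrypted) lists."""
    at_risk, skipped, encrypted = [], [], []
    for p in paths:
        if p.lower().endswith(".locky"):   # already renamed by Locky
            encrypted.append(p)
        elif is_targeted(p):
            at_risk.append(p)
        else:
            skipped.append(p)
    return at_risk, skipped, encrypted

def scan_tree(root):
    """Classify every file under a real directory tree, e.g. a mounted share."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return classify(paths)
```

Running `classify(SAMPLE_PATHS)` on the constructed paths yields three at-risk files, three skipped by the exclusion strings and one already-encrypted file; point `scan_tree` at a mounted share to get the same buckets for real data.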

Much like any crypto-based ransomware, Locky’s main purpose is to coerce the victim into paying the ransom to restore their data. The program helpfully places instructions in each encrypted folder and changes the wallpaper on your computer to display instructions (how very thoughtful).

Who is responsible for this program?

Palo Alto Networks researchers believe the folks responsible for the Dridex banking Trojan took a break from their usual malicious activity to create this new ransomware, as stated in a recent blog post:

“…there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping file names, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky.”

Research shows that the weaponized Word file uses intermediary malware called the Bartallex downloader. This same download program has been associated with Dridex in the past.

How can we prevent an outbreak and what happens if we contract the infection?

End-user training and awareness are always key in preventing malware from being installed. The makers of this ransomware are crafty and know how to disguise weaponized files as innocent attachments.

Train users to reach out by telephone to the sender of an attachment if they are not 100% sure about its content. Additionally, since Locky’s encryption has proven to be unbreakable, perform regularly scheduled backups of all crucial drives and store the discs/tapes offsite.

Solutionary does not encourage paying the actors in any ransomware event. With due diligence and good security habits, a Locky infection can be avoided. Make sure to check out the Solutionary ransomware blogs for more tips and information on ransomware.

Solutionary ActiveGuard® Security and Compliance Platform has rules in place to detect Locky Ransomware. Contact Solutionary for more information or to speak with a sales representative.

References:

https://www.solutionary.com/resource-center/blog/2015/06/cryptowalls-of-jericho-3/
https://www.solutionary.com/resource-center/blog/2015/02/ransomware/
http://researchcenter.paloaltonetworks.com/2016/02/locky-new-ransomware-mimics-dridex-style-distribution/
