Locky is a new ransomware which encrypts the victim’s files and then demands a ransom paid in Bitcoins to decrypt these files. The main infection method is email messages with an attached Word document that contains a malicious macro. The macro runs a script which downloads the malware’s executable file, installs it on the victim’s computer, scans for files on the system, and encrypts them.

Why is Locky special?

Vast Distribution. In the past two weeks, Check Point analysts have noticed upward of 100,000 logs attempting to infect customers in more than 100 countries around the globe. Combined with Locky’s network encryption characteristic, the results are potentially devastating.

Storyline

Locky was first reported on February 16, 2016, when, according to Check Point analysts, it appeared in a burst of over 50,000 attempts in a single day.

As of now, Locky is still pushed to unsuspecting users via email and its infrastructure is maintained.

The attack often begins with an email containing an invoice attachment. The sender presents himself as an employee of a known company.

In the following example, the message is allegedly from Praxair Inc.

[Original email, which was sent to one of Check Point’s employees]

Most of Locky’s victims are in the United States. The next hardest hit countries are Canada and France.

[Distribution of Locky’s victims by country]

Several Check Point employees received similar email messages.

Check Point SandBlast detected and purified the attachment:

The attachment contains a macro which must be manually enabled:

Enabling the macro triggers the download of the malicious payload identified as Locky Ransomware.

[Download traffic captured with Wireshark]

Locky Downloader Known Variants

Currently, we have classified more than ten different Locky downloader variants.

Each variant uses a different obfuscation method and some use different file types: .doc, .docm, .xls and also .js.

Email examples of the different variants:

Technical Analysis

Let’s sort out what Locky does and how.

The first step occurs when the victim receives an email containing the suspicious attachment (the downloader). If the victim opens the attachment, it downloads the payload (Locky) from a remote server. Locky then contacts its C2 servers to exchange encryption keys. Finally, Locky encrypts certain hard-coded file types and displays a classic ransom note.

Downloaders:

Compared to previous ransomware campaigns, the obfuscation used in Locky’s downloaders is not very complex, to say the least.

Some samples had a single array containing the download URL string as a list of numeric values (as we depict later in this post), while others used simple JavaScript character escaping as an obfuscation method.

We analyzed our samples by file extension:

[Distribution of downloaders’ file extension]

Let’s jump right into a specific sample of Locky’s downloader
(MD5: 45B849E00131B4434D488295CB48B36C).

Opening the VBA editor (ALT+F11 in Word) reveals an obfuscated macro code:

This macro uses the “Microsoft’s XMLHTTP” object to download the payload from a remote server and then executes it with the “WScript.Shell object”.

The “MsgBox” function (1) is added to the macro to print “PubDoStop”, the de-obfuscated “KogdaGe_7” array.

[De-obfuscated download URL]

To de-obfuscate the “KogdaGe_7” array manually, we simply need to reduce each element in the array by 142 (which is 99+43) and then display its corresponding ASCII character (2).

Example:

• 1^st character: chr(246-99-43) = chr(104) = ‘h’
• 2^nd character: chr(258-99-43) = chr(116) = ‘t’

And so on…

Executable Payload Download URLs:

We found many URL patterns that host the payload. The hosts are mostly compromised Russian websites; some no longer exist.

Among the patterns we found are:

• hxxp://almazuelas[.]es/1/1.exe
• hxxp://lasmak[.]pl/2/2.exe
• …
• hxxp://luigicalabrese[.]it/7/7.exe

• hxxp://173.214.183[.]81/tomorrowhope/09u8h76f/65fg67n
  hxxp://iynus[.]net/test/09u8h76f/65fg67n

• hxxp://5.101.152[.]77/system/logs/56y4g45gh45h
  hxxp://tcpos.com[.]vn/system/logs/56y4g45gh45h

• hxxp://accesorios.nuestroservidor[.]es/system/logs/7623dh3f.exe?.7055475
  hxxp://blitz174[.]ru/system/smsgate/7623dh3f.exe?.7055475

• hxxp://acilkiyafetgulertekstil[.]com/system/logs/exe
  hxxp://alkofuror[.]com/system/engine/7647gd7b43f43.exe

• hxxp://hazentrumsuedperlach[.]de/1/1_5a0befc0.exe
• hxxp://afive[.]net/3/3_7223d94c.exe

• hxxp://demo2.master-pro[.]biz/plugins/ratings/87h754
  hxxp://firstcopymall[.]com/system/logs/87h754 *

* This URL was found in an obfuscated .JS downloader. The perpetrators probably got a little sloppy as we can see the de-obfuscated code (note the double “hxxp://” ):

C2:

At least one of the C2 servers must be active for Locky to encrypt the victim’s files. This important fact encourages us to find as many C2 servers as possible to protect our customers.

We have encountered hundreds of C2 servers whose Top Level Domain (TLD) distribution can be seen in the following figure. The Domain Generation Algorithm (DGA) Locky distributes the domains quite evenly between TLDs, with 6% – 8% in each TLD. The “Other” TLDs were used by Locky payloads that did not use the DGA and instead had a list of hard-coded C2 servers.

[Distribution of C2 servers in TLDs]

Locky C2 Network Traffic Encryption

All HTTP requests are POST requests, sent to http://<C2Server>/main.php.

Locky uses a dedicated pair of different crypto algorithms: one for requests made to the server and one to decrypt the responses.

Both algorithms use a hard-coded 32-bit key which is considered very weak by today’s standards.

In the following figure we depict the algorithms EncryptRequest for requests and DecryptResponse for responses.

[Locky’s network traffic crypto algorithms]

Locky profiles and collects information from the victim’s machine. Among the collected data are:

• Whether the targeted machine is part of a corporate network.
• Server / workstation.
• OS UI language
• OS version.
• Statistics on each encrypted drive: number of encrypted files, failed file encryptions, and amount of encrypted raw data.

Important Notes:

• Locky can only encrypt your files if its C2 server is active.
• Shadow Copies can’t be used as a backup as those are deleted by Locky.
• Any mounted drive will be encrypted, including any network shares or removable media.

Conclusions

• Locky doesn’t bring anything new to the ransomware scene but it is effective: from the enormous amount of spam emails it generates, to encrypting network drives.

• Think twice before you enable a macro as this can literally encrypt all of your corporate shared drives.

• This campaign is far from over. As we write this post, we see new downloaders, payloads and DGA seeds. Stay tuned!

Check Point Protections

• Check Point SandBlast blocks malicious Locky documents based on behavior. It has blocked thousands of unique Locky files since Feb 16th.
• Check Point Threat Extraction blocks suspicious attachments.
• Check Point Threat Cloud generates all known C&C domains and blocks them beforehand.
• Check Point IPS blade includes protections for “Suspicious Executable Mail Attachment” and “Microsoft Office Mail Attachment Containing Malicious Downloader” Locky downloader variants.
• Check Point Anti-Virus blade includes more than 200 relevant Locky indicators for known malicious domains and files related to Locky.
• Check Point Anti-Bot network signature (Trojan-Ransom.Win32.Locky.A) is a post-infection signature which blocks communication with Locky C2 servers.
• Check Point Anti Bot blade includes over 100 reputation signatures for known Locky C2 servers (DGA-based and others).