Following Check Point’s recent discovery of a new communication scheme implemented by the Locky ransomware, our research teams decided to take a closer look at the inner workings of this new variant and map any new features it introduces.
When Locky first appeared, we thoroughly analyzed its logic, like many other industry researchers. Our analysis showed that while not very sophisticated, Locky is a very efficient malware with a solid functionality and encryption algorithms. Judging by the amount of victim reports and detections generated by Locky in the past month alone, it is safe to say our observation was indeed correct.
Locky’s major drawback is not in its code, but rather in the quick and effective response by the security industry. Many successful security detections, on almost any possible security platform, caused the actors behind Locky to miss out on potential victims, as the malware was blocked from execution or even blocked altogether by internet gateways, not reaching the victim’s computer at all. The changes we observed in this new Locky variant clearly show the Locky creators are very much aware of this fact, and therefore increased their efforts to evade security controls to gain a higher infection rate.
Unlike previous Locky variants, which were spread mainly via email and documents containing malicious macros, this new variant is spread mainly through the Nuclear exploit kit, making the infection process more efficient while bypassing any email or document security inspections. Using an Exploit Kit for infection makes it much easier to infect victims with Locky, since the malware is delivered to the system using known browser exploits and does not require any user interaction at all.
Configuration Block Obfuscation
The previous versions of Locky contained an embedded configuration block. This configuration block contains information about the current sample as well as a list of static C&C server addresses.
Prior to execution of any of its original logic, the new Locky variant attempts to place a shadow copy of itself in a newly allocated memory region. It then passes execution to this region by pivoting the process’s stack while deleting the code from the originally allocated memory pages. This technique is probably used to try and avoid common sandboxes, memory detections, or other naive dynamic analysis methods.
Random Registry Keys
In its previous version, Locky saved its persistent configuration data, including the unique computer ID, public-key, and payment text in the fixed registry key HKCU\Software\Locky. This made it easy to identify Locky with dynamic execution methods by simply looking for the presence of this registry key.
The new Locky variant, however, chooses a random registry key and values (per-host), making it harder to anticipate the exact registry key and values used.
As detailed in our previous blog post, several changes were made in the new variant’s HTTP communication. These changes reside mostly in the addition of several new HTTP headers, as well as in the change of the main C&C URI. Additionally, as opposed to previous variants, Locky first attempts to use the default system Internet Explorer User-Agent. If Locky fails to retrieve the default user agent value, a hard-coded user agent is used instead. The value of the hardcoded user-agent is: “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)”
The DGA algorithm is the main pillar of Locky’s evasive communication methods. It is responsible for the daily domain generation process, which renders C&C detection almost useless.
The previous Locky variant introduced several changes in its DGA algorithm within its relatively short lifetime. These changes were made either by introducing slight bit-wise changes to the algorithm or by changing the random seed value used by the algorithm. The new variant, however, made more substantial changes to the algorithm with modifications to the DGA algorithm flow and overall behavior. Some of these changes include:
- A change in the possible top-level domains for the generated domains.
The new top-level-domain list contains “ru, info, biz, click, su, work, pl, org, pw and xyz” extensions.
- A prolog routine within the DGA algorithm responsible for value calculation has significantly changed from a single iteration to multi-iteration while adding additional XOR operations and constants into its operation.
System artifacts are always a key factor used by security vendors to detect the presence of any type of malware. One of Locky’s most famous, consistent and apparent artifacts is the presence of text and image files, which contain the payment and decryption instructions. In previous Locky variants, the file name was “_Locky_recover_instructions”. In the new version, the file name is “HELP_instructions.txt”. This small change may seem irrelevant, but is probably the reason for many missed detections of the new variant.
The message containing payment instructions remains mostly the same.
The new Locky variant was first detected a week prior to the writing of this post and the evasive changes it introduces make its current detection rate much lower than its predecessor. While Check Point’s ThreadCloud has not reported a very large number of detections for this new variant, this can be explained by the sudden shift of infection infrastructure to a new, less-popular exploit kit. Based on the high profit potential it holds, we expect to see many more infections by this new variant in the future.
Check Point’s customers using SandBlast, IPS blade and Anti-bot products are protected against this new Locky variant.
Indicators of Compromise