Reflective Essay on Locky Ransomware

History of Locky ransomware

Locky is a strain of the ransomware malware family. Discovered in mid-February 2016, this file-encrypting outbreak proved sophisticated enough to slip under the radar of common antimalware defenses. It was the product of an organized group of hackers proficient in implementing cryptography, who built a data-locking mechanism that security experts have yet to find a proper response for. When first launched, Locky could encrypt over 160 file types. In 2016, Locky represented more than 76% of all malware distributed [1], and within 8 months of its discovery, 5 versions of the malware were already out harvesting ransom money.

Version 1.0

This version scrambled victims’ filenames, turning each one into a string of 32 hexadecimal characters, and added the .locky extension. A filename would look like “8469F0FE8432F4F84DCC48462F435454.locky”, and a ransom note named “_Locky_recover_instructions.txt” was placed on the desktop.

Version 2.0

The second version appeared in early August 2016. Filenames were again renamed into a string of 32 hexadecimal characters, as in version 1.0, but the name was now separated into blocks by hyphens and the file extension became .zepto. A filename looks like “034BDC22-54D4-ABD4-F065-F642E772A851.zepto”, and a ransom note named “_HELP_instructions.html” is placed on the desktop. Furthermore, the desktop background is changed to a bitmap (BMP) version of the ransom instructions. This version could encrypt files even when the machine was not connected to the internet, as the ransomware carried the keys used to encrypt data in its own code.

Version 3.0

Offline encryption was dropped in the third version. The file extension was now .odin, and the ransom note on the desktop was renamed “_HOWDO_text.html”. The installation method was also modified: Locky was now installed via an encrypted DLL installer.

Version 4.0

Offline encryption made a comeback in this version, and the file extension was now “.shit”. The ransom notes were renamed “_WHAT_is.html”.

Version 5.0

Less than 24 hours after the release of version 4.0, version 5.0 was released. The only difference was that the file extension changed from “.shit” to “.thor”. In August 2017, two new variants of Locky were detected, named Diablo and Lukitus, using the extensions “.diablo6” and “.lukitus” respectively. The only difference from the 2016 Locky was the way the malware was distributed.

Background of the attack

The attack starts when the victim receives a spam email with the malware attached as a .doc, .xls, or .zip file. Attackers generally use different names and attachments in every malicious e-mail in order to dodge detection by security products. The email carries a subject similar to “ATTN: Invoice J-98223146” and a message such as “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice”. An example of one of these emails can be seen below.

The files received contain macros that look like scrambled text. An example of one of these attachments can be seen below.
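The lure described above (invoice-themed subject, Office attachment carrying a macro) is exactly what a mail-gateway triage rule can catch before a user ever sees the “Enable Content” button. The following Python script is an added example written for this essay, not code from any of the sources it cites. It builds a constructed sample e-mail in memory, then scores it on three signals the text mentions: the invoice subject pattern, the attachment extensions used across the Locky campaigns, and, for Office Open XML attachments, the presence of a VBA project (macro-enabled .docm/.xlsm files store it as vbaProject.bin inside the zip container). The sender and recipient addresses, the attachment name and the quarantine threshold are assumptions chosen for the example; legacy binary .doc files would need an OLE parser, which the example does not include.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Attachment types the essay lists as Locky lures across its campaigns
# (.doc/.xls/.zip early on; .js/.vbs/.wsf/.hta/DLL in later waves).
LURE_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".rar",
                   ".js", ".vbs", ".wsf", ".hta", ".dll"}
# Subject shape quoted in the text: "ATTN: Invoice J-98223146"
INVOICE_SUBJECT = re.compile(r"\bATTN:\s*Invoice\b", re.IGNORECASE)
QUARANTINE_THRESHOLD = 2  # assumption: two independent signals => hold the mail


def has_ooxml_macro(blob: bytes) -> bool:
    """True if an Office Open XML package (a zip) carries a VBA project.
    Macro-enabled .docm/.xlsm files store it as word/vbaProject.bin or xl/vbaProject.bin."""
    if not blob.startswith(b"PK"):
        return False  # not a zip container; legacy .doc needs an OLE parser instead
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_message(raw: bytes) -> dict:
    """Score one RFC 822 message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw)
    findings = []
    subject = msg.get("Subject", "")
    if INVOICE_SUBJECT.search(subject):
        findings.append("invoice-lure subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in LURE_EXTENSIONS:
            findings.append(f"risky attachment type {ext}: {name}")
        payload = part.get_payload(decode=True) or b""
        if has_ooxml_macro(payload):
            findings.append(f"VBA macro project inside {name}")
    return {"subject": subject, "findings": findings,
            "quarantine": len(findings) >= QUARANTINE_THRESHOLD}


def build_sample_message() -> bytes:
    """Constructed sample: an invoice-themed mail with a macro-bearing .docm attachment."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for a real VBA blob
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"      # constructed address
    msg["To"] = "victim@example.invalid"         # constructed address
    msg["Subject"] = "ATTN: Invoice J-98223146"  # subject quoted in the essay
    msg.set_content("Please see the attached invoice (Microsoft Word Document) and remit "
                    "payment according to the terms listed at the bottom of the invoice.")
    msg.add_attachment(doc.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice_J-98223146.docm")  # constructed name
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

Run as a script it prints the three findings for the constructed mail and the quarantine verdict; in a gateway the same `triage_message` function would be fed each inbound message and the verdict used to hold the mail rather than deliver it.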

Once the victim enables macros by clicking “Enable Content”, the malicious software is downloaded from an infected website, stored in the %Temp% folder, and starts executing, encrypting the victim’s files. The time between the download and the execution of the malicious code is just a few seconds. The malware usually attacks local drives: fixed, removable, and RAM disks. Network resources are also attacked by some versions.

Encrypted files are renamed to a unique 16-letter-and-digit combination with a file extension such as .diablo6, .locky, .odin, .zepto, .aesir, .thor or .osiris, depending on the version of the Locky ransomware, and become inaccessible to the victim. Locky mostly searches for files with the following extensions to encrypt: .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc. However, Locky will skip any file whose full path and filename contains one of the following strings: tmp, WinNT, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows.

As part of the encryption process, Locky also deletes all Shadow Volume Copies on the machine so that they cannot be used to restore the victim’s files. Locky does this by executing the following command:

    vssadmin.exe Delete Shadows /All /Quiet

After the encryption process, Locky displays a ransom note on the desktop and in every folder where files have been encrypted. The desktop wallpaper is also modified according to the version of the ransomware; the wallpaper is a bitmap of the contents of the ransom note. The victim is also provided with a webpage that contains instructions on how to proceed with the payment of the ransom.
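The host-side behaviour just described (the vssadmin shadow-copy deletion, the burst of renames to Locky extensions, the ransom note dropped into each folder) is what endpoint telemetry can alert on. The Python script below is an added example for this essay, not code from any cited source. It parses a handful of constructed Sysmon-style process-creation and file events, flags the shadow-copy deletion command quoted in the text, recognises the version 1 (32 hex characters) and version 2 onward (8-4-4-4-12 hex blocks) filename patterns with the extensions listed in the essay, and records the ransom note names given for each version. The assumption that the victim ID occupies the first 16 hex digits of an encrypted filename (the “{USERID}{random_hash}” form the File Encryption section describes) is the example’s own, as are the `Key="value"` log format, the file paths, and the mass-rename threshold.

```python
import re
from collections import Counter

# Extensions the essay attributes to Locky versions 1 to 5 and the 2017 variants.
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "shit", "thor", "aesir",
                    "osiris", "diablo6", "lukitus")
# Version 1 names: 32 hex chars; version 2 onward: 8-4-4-4-12 hex blocks.
ENCRYPTED_NAME = re.compile(
    r"^(?P<hex>[0-9A-F]{32}|[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})"
    r"\.(?P<ext>" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE)
# Ransom note names quoted in the essay for the different versions.
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp",
                "_help_instructions.html", "_howdo_text.html", "_what_is.html"}
# The shadow-copy deletion command quoted in the text.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b",
                           re.IGNORECASE)
MASS_RENAME_THRESHOLD = 3  # assumption for this small sample; tune per environment


def parse_event(line):
    """Turn a constructed Sysmon-style line of Key="value" pairs into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze_events(lines):
    """Return alerts plus a summary of Locky-style file renames seen in the events."""
    alerts, extensions, user_ids = [], Counter(), set()
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            cmd = ev.get("CommandLine", "")
            if SHADOW_DELETE.search(cmd):
                alerts.append(("shadow copy deletion", cmd))
        elif kind in ("FileCreate", "FileRename"):
            name = basename(ev.get("TargetFilename", ""))
            m = ENCRYPTED_NAME.match(name)
            if m:
                extensions[m.group("ext").lower()] += 1
                # Assumption: the victim ID is the first 16 hex digits of the name.
                user_ids.add(m.group("hex").replace("-", "")[:16].upper())
            elif name.lower() in RANSOM_NOTES:
                alerts.append(("ransom note dropped", ev["TargetFilename"]))
    encrypted = sum(extensions.values())
    if encrypted >= MASS_RENAME_THRESHOLD:
        alerts.append(("mass rename to Locky extensions", f"{encrypted} files"))
    return {"alerts": alerts, "encrypted_files": encrypted,
            "extensions": dict(extensions), "user_ids": sorted(user_ids)}


# Constructed sample telemetry; paths and the parent process are invented for the example.
SAMPLE_EVENTS = [
    r'EventType="ProcessCreate" Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe Delete Shadows /All /Quiet" ParentImage="C:\Users\victim\AppData\Local\Temp\invoice.exe"',
    r'EventType="FileRename" TargetFilename="C:\Users\victim\Documents\8469F0FE8432F4F84DCC48462F435454.locky"',
    r'EventType="FileRename" TargetFilename="C:\Users\victim\Documents\8469F0FE8432F4F8A1B2C3D4E5F60718.locky"',
    r'EventType="FileRename" TargetFilename="C:\Users\victim\Pictures\034BDC22-54D4-ABD4-F065-F642E772A851.zepto"',
    r'EventType="FileCreate" TargetFilename="C:\Users\victim\Documents\_Locky_recover_instructions.txt"',
    r'EventType="FileCreate" TargetFilename="C:\Users\victim\Documents\report.docx"',
]

if __name__ == "__main__":
    for key, value in analyze_events(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The shadow-copy rule is the cheapest and most reliable of the three: legitimate software almost never runs `vssadmin Delete Shadows /All /Quiet`, so that single event, especially from a process started out of %Temp%, deserves an immediate response, while the rename counter mainly tells the responder how far the encryption had progressed.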

Locky ransomware stores various information in the registry under the following keys:

• HKCU\Software\Locky\id – The unique ID assigned to the victim.
• HKCU\Software\Locky\pubkey – The RSA public key.
• HKCU\Software\Locky\paytext – The text that is stored in the ransom notes.
• HKCU\Software\Locky\completed – Whether the ransomware has finished encrypting the computer.

Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and lists the number of bitcoins to send as payment, how to purchase the bitcoins, and the bitcoin address to which payment should be sent. Once a victim sends payment to the assigned Bitcoin address, the page provides a decrypter that can be used to decrypt their files.

Technical details of Locky

Locky is a script-based ransomware that works by executing commands embedded within a script. Most often, script-based ransomware removes the original script file upon completing the encryption process, and the malware’s operational code stays only in memory. Locky uses all the high-end features: a domain generation algorithm (DGA), custom encrypted communication, Tor/Bitcoin payment, and strong hybrid encryption (RSA-2048 + AES-128 in Electronic Code Book (ECB) mode) to encrypt files.

Command and control servers (C&C servers)

Locky contains hard-coded IP addresses of C&C (command and control) servers and also uses a domain generation algorithm, which is probably a backup in case the hard-coded IPs are blocked. The servers are used to report infections, giving the operators an overview of the number of victims, and to exchange encryption keys.

Domain Generation Algorithm (DGA)

The first version of the domain generation algorithm, found in the earlier Locky samples, was based on two hard-coded seeds and the current system time of the infected machine. Later, as the malware became better known to anti-virus vendors and its domains were quickly blocked, more sophisticated DGAs were written. The later version of the DGA is based on a seed value hard-coded into the malware binary; the seed can be changed at any time or in every sample released. It generates 8 unique domains every two days.

Locky is reported to make network connections to the following addresses: 185.14.30.97, 195.154.241.208, 195.22.28.196, 195.22.28.198, 31.41.47.37, 95.181.171.58, avp-mech.ru, bebikiask.bc00.info, cgavqeodnop.it, cms.insviluppo.net, dltvwp.it, kqlxtqptsmys.in, neways-eurasia.com.ua, premium34.tmweb.ru, pvwinlrmwvccuo.eu, sso.anbtr.com, test.rinzo.biz, tramviet.vn, uponor.otistores.com, uxvvm.us, wblejsfob.pw. The DGA versions use the top-level domains .be, .de, .eu, .fr, .in, .it, .nl, .pm, .pw, .ru, .tf, .uk, .us, .yt.

Command and control communication

All C&C requests follow a specific format:

    HTTP/1.1 POST http://{hardcoded_IP_or_DGA}/main.php?{parameters}

Parameters

The malware computes a User ID and gathers some information about the infected machine. The User ID is not randomly generated but is computed as an MD5 hash of the volume mount point GUID of the infected machine’s hard disk. Locky checks the infected device’s operating system version, whether it is a 32- or 64-bit version, which service pack is installed, and which language the PC is set to, in order to determine the language in which to show the ransom message. The parameters AffiliateID, the C&C command, and two further parameters, &corp= and &serv=, are also required by the C&C server. The Affiliate ID value is hard-coded inside Locky’s binary. We found AffiliateIDs with the values 0, 1, and 3.

The table below shows some of the parameters of Locky’s C&C protocol:

    Parameter                                  What it does
    get key                                    Request the public RSA key.
    stats&path + encrypted, failed, length     Global statistics of encryption and paths of encrypted files.
    report&data                                List of all encrypted files.
    gettext&lang                               Request Locky language files.

The malware traffic is encrypted using two different algorithms for incoming and outgoing requests. Both algorithms use specific hard-coded keys, and both include an MD5 hash of the data content as an integrity check (described as a cyclic redundancy check, CRC).
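On the network side, the request shape given above (a POST to /main.php, often to a bare IP address, otherwise to a DGA domain under one of the listed TLDs) and the published connection addresses are enough to build a proxy-log rule. The Python script below is an added example for this essay, not code from Avast, Trend Micro or any other source the essay cites. It matches each constructed proxy log line against the indicator list from the text, flags POST requests to /main.php, notes when that path sits on an IP literal (a hard-coded server rather than a DGA name), and applies a simple “long, vowel-poor label under a DGA TLD” heuristic. That heuristic is the example’s own approximation, not Locky’s actual DGA, and the log format, the timestamps, the client addresses and the hostname xkqzvtrbplmw.pw are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Connection addresses the essay reports for Locky (indicators, not a complete list).
IOC_HOSTS = {
    "185.14.30.97", "195.154.241.208", "195.22.28.196", "195.22.28.198",
    "31.41.47.37", "95.181.171.58", "avp-mech.ru", "bebikiask.bc00.info",
    "cgavqeodnop.it", "cms.insviluppo.net", "dltvwp.it", "kqlxtqptsmys.in",
    "neways-eurasia.com.ua", "premium34.tmweb.ru", "pvwinlrmwvccuo.eu",
    "sso.anbtr.com", "test.rinzo.biz", "tramviet.vn", "uponor.otistores.com",
    "uxvvm.us", "wblejsfob.pw",
}
# Top-level domains the essay lists for the DGA versions.
DGA_TLDS = {"be", "de", "eu", "fr", "in", "it", "nl", "pm", "pw", "ru",
            "tf", "uk", "us", "yt"}
# Constructed proxy log format: "<timestamp> src=<client> method=<verb> url=<url>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dga_like(host):
    """Heuristic (an assumption of this example, not Locky's algorithm): a long,
    vowel-poor second-level label under one of the TLDs the essay lists for the DGA."""
    parts = host.lower().split(".")
    if len(parts) < 2 or parts[-1] not in DGA_TLDS:
        return False
    label = parts[-2]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 10 and vowels / len(label) < 0.3


def check_request(method, url):
    """Return the list of reasons a single request looks like Locky C&C traffic."""
    reasons = []
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append("host matches a published Locky indicator")
    if method.upper() == "POST" and u.path == "/main.php":
        reasons.append("POST to /main.php (Locky C&C request shape)")
        if is_ip_literal(host):
            reasons.append("C&C path on a bare IP literal (hard-coded server)")
    if dga_like(host):
        reasons.append("DGA-like hostname under a Locky DGA TLD")
    return reasons


def scan_proxy_log(lines):
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = check_request(m["method"], m["url"])
        if reasons:
            hits.append({"src": m["src"], "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample log; the query string is an opaque placeholder.
SAMPLE_LOG = [
    "2016-03-01T10:02:11Z src=10.0.0.5 method=POST url=http://185.14.30.97/main.php?q=constructed",
    "2016-03-01T10:02:14Z src=10.0.0.5 method=POST url=http://pvwinlrmwvccuo.eu/main.php?q=constructed",
    "2016-03-01T10:02:20Z src=10.0.0.9 method=GET url=http://www.example.com/index.html",
    "2016-03-01T10:02:31Z src=10.0.0.5 method=POST url=http://xkqzvtrbplmw.pw/main.php?q=constructed",
    "2016-03-01T10:03:02Z src=10.0.0.7 method=POST url=http://intranet.example.com/main.php",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["src"], hit["url"], "->", "; ".join(hit["reasons"]))
```

The number of reasons per hit doubles as a confidence score: an indicator match or a /main.php POST to an IP literal is worth blocking the client outright, while the lone /main.php POST to an internal host is surfaced only so an analyst can confirm it is a legitimate application.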

File Encryption

Locky starts encrypting files only after it reports the infection to the C&C server and receives the RSA public key. It does not begin encrypting files without the requested RSA key, or when the device has no active internet connection. The public and private RSA keys for every infection are generated on the server side, so manual decryption is not possible. The attackers use RSA-2048 + AES-128 in ECB mode for file encryption. All encrypted files are renamed to the form {USERID}{random_hash} with the .locky extension.

Types of files that are encrypted by Locky

Locky can encrypt 164 file types, which can be broken down into 11 categories:

1. Office/Document files (62 types): .123, .602, .CSV, .dif, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .hwp, .mml, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .pdf, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .RTF, .sldm, .sldx, .slk, .stc, .std, .sti, .stw, .sxc, .sxd, .sxi, .sxm, .sxw, .txt, .uop, .uot, .wb2, .wk1, .wks, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml
2. Scripts/Source code (23 types): .asm, .asp, .bat, .brd, .c, .class, .cmd, .cpp, .cs, .dch, .dip, .h, .jar, .java, .js, .pas, .php, .pl, .rb, .sch, .sh, .vb, .vbs
3. Media files (20 types): .3g2, .3gp, .asf, .avi, .fla, .flv, .m3u, .m4u, .mid, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .swf, .vob, .wav, .wma, .wmv
4. Graphic/Image files (14 types): .bmp, .cgm, .djv, .djvu, .gif, .jpeg, .jpg, .NEF, .png, .psd, .raw, .svg, .tif, .tiff
5. Database files (14 types): .db, .dbf, .frm, .ibd, .ldf, .mdb, .mdf, .MYD, .MYI, .odb, .onenotec2, .sql, .SQLITE3, .SQLITEDB
6. Archives (11 types): .7z, .ARC, .bak, .gz, .PAQ, .rar, .tar, .bz2, .tbk, .tgz, .zip
7. CAD/CAM/3D files (8 types): .3dm, .3ds, .asc, .lay, .lay6, .max, .ms11, .ms11 (Security copy)
8. Certificates (5 types): .crt, .csr, .key, .p12, .pem
9. Virtual HDD (4 types): .qcow2, .vdi, .vmdk, .vmx
10. Data encryption (2 types): .aes, .gpg
11. Virtual currency (1 type): wallet.dat

Locky also adds a “_Locky_recover_instructions.txt” file to every directory with encrypted files and sets “_Locky_recover_instructions.bmp” as the desktop wallpaper.

Russian PCs are not included

The newer version of the malware contains a new hard-coded configuration value that disables Locky’s encryption on PCs whose locale is set to Russia or whose language is set to Russian (0x19). The hard-coded configuration value also determines how long Locky should remain dormant after execution, to avoid sandbox detection.

Do any vulnerabilities in systems permit the attack of Locky?

https://blog.trendmicro.com/trendlabs-security-intelligence/locky-ransomware-spreads-flash-windows-kernel-exploits/
https://www.bleepingcomputer.com/news/security/windows-10-security-alert-vulnerabilities-found-in-over-40-drivers/

The extent of the threat

Broaden the security impact of this attack/threat

At the start of the Locky spam campaign, RAR attachments were sent in emails to victims. Later, JavaScript and VBScript attachments were used to more easily trick anti-virus software. Later versions of Locky used Windows Script File (WSF) attachments, and finally the latest versions used DLL and .HTA file attachments for distribution.

The social and financial impact of such attacks

References

    1. Drowning in ransomware – courtesy of Halon. URL: https://halon.io/blog/wp-content/uploads/2017/06/Cyren_Ransomware_Threat_Report_20170526_a4_Halon-20170627.pdf
    2. Kaspersky. 2017. What are the different types of ransomware? [ONLINE] Available at: https://www.kaspersky.com/resource-center/threats/ransomware-examples. [Accessed 15 October 2019].