
Ransom:Win32/Locky.A


First posted on 18 February 2016.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Locky.A.

Explanation:

Installation

This threat can be installed when you open an attachment, usually as a Word file (.doc), from a spam email. The file contains a macro which downloads the ransomware and runs it in your PC.

This threat can create files on your PC, including:

  • _Locky_recover_instructions.txt
  • _Locky_recover_instructions.bmp
  • %temp%\svchost.exe - locky ransomware
  • [ID][identifier].locky (encrypted files)

It modifies the registry so that it runs each time you start your PC, as part of its installation routine. For example:

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "id"
With data: "8C05983C8B06FC65" --> ID of the victim

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "pubkey"
With data: hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00 ... --> RSA public key

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "paytext"
With data: hex:ef,bb,bf,20,20,20,20,20,20,20,20,20,20,20,20,21,21,21,20,49,4d,50,4f,
52,54,41,4e,54,20,49,4e,46,4f,52,4d,41,54,49,4f,4e,20,21,21,21,21,0d,0a,0d,
0a,41,6c,6c,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,61,72,65,20,65,6e,
63,72,79,70,74,65,64,20,77,69,74,68,20,52,53,41,2d,32,30,34,38,20,61,6e,64,
20,41,45,53,2d,31,32,38,20,63,69,70,68,65,72,73,2e,0d,0a,4d,6f,72,65,20,69,
6e,66,6f,72,6d,61,74,69,6f,6e,20,61,62,6f,75,74,20,74,68,65,20,52,53,41,20,
61,6e,64,20,41,45,53,20,63,61,6e,20,62,65,20,66,6f,75,6e,64,20,68,65,72,65,
3a,0d,0a,20,20,20,20,68,74,74,70,3a,2f,2f,65,6e,2e,77,69,6b,69,70,65,64,69,
61,2e,6f,72,67,2f,77,69,6b,69,2f,52,53,41,5f,28,63,72,79,70,74,6f,73,79,73,
74,65,6d,29,0d,0a,20,20,20,20,68,74,74,70,3a,2f,2f,65,6e,2e,77,69,6b,69,70,
65,64,69,61,2e,6f,72,67,2f,77,69,6b,69,2f,41,64,76,61,6e,63,65,64,5f,45,6e,
63,72,79,70,74,69,6f,6e,5f,53,74,61,6e,64,61,72,64,0d,0a,20,20,20,20,0d,0a,
44,65,63,72,79,70,74,69,6e,67,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,
69,73,20,6f,6e,6c,79,20,70,6f,73,73,69,62,6c, --> This is the content of the _Locky_recover_instructions.txt

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "completed"
With data: "dword:00000001" --> If the ransomware has finished encrypting the machine
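The four registry values above are a compact host indicator: a 16-hex-character victim id, a Windows CryptoAPI RSA public-key blob, the ransom note stored as BOM-prefixed UTF-8, and a completion flag. The following Python is an added example (not Microsoft's code or a tool the page describes) that decodes a .reg-style export of those values and reports what each one is. The BLOBHEADER/RSAPUBKEY layout and constants come from wincrypt.h; the sample values are the ones quoted on the page, with the pubkey truncated exactly as the page shows it, plus a separately constructed complete 2048-bit blob to show bit-length parsing on an untruncated key.

```python
import re
import struct

# Windows CryptoAPI constants from wincrypt.h (BLOBHEADER / RSAPUBKEY)
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # the bytes "RSA1" read as a little-endian DWORD


def decode_reg_hex(value):
    """Turn a .reg-style 'hex:aa,bb,cc' string into bytes. Tokens that are not
    two hex digits (line breaks, the '...' truncation marker, trailing comments)
    are skipped, so a wrapped or cut-off export still decodes."""
    body = value.strip()
    if body.lower().startswith("hex:"):
        body = body[4:]
    tokens = re.split(r"[,\s]+", body)
    return bytes(int(t, 16) for t in tokens if re.fullmatch(r"[0-9a-fA-F]{2}", t))


def decode_paytext(blob):
    """paytext is UTF-8 text with a BOM (ef bb bf); return the note as str."""
    if blob.startswith(b"\xef\xbb\xbf"):
        blob = blob[3:]
    return blob.decode("utf-8", errors="replace")


def parse_publickeyblob(blob):
    """Parse the 8-byte BLOBHEADER plus the RSAPUBKEY magic and bit length.
    Returns None unless the header says PUBLICKEYBLOB v2 with the RSA1 magic;
    bitlen is None when the blob is cut off before the bitlen DWORD (as on the page)."""
    if len(blob) < 12:
        return None
    btype, bversion, _reserved, alg = struct.unpack("<BBHI", blob[:8])
    magic = struct.unpack("<I", blob[8:12])[0]
    if btype != PUBLICKEYBLOB or bversion != CUR_BLOB_VERSION or magic != RSA1_MAGIC:
        return None
    bitlen = struct.unpack("<I", blob[12:16])[0] if len(blob) >= 16 else None
    return {"rsa_keyx": alg == CALG_RSA_KEYX, "bitlen": bitlen}


def triage_locky_values(values):
    """values maps HKCU\\Software\\Locky value names to their raw .reg strings.
    Returns human-readable findings; an empty list means nothing matched."""
    findings = []
    victim_id = values.get("id", "").strip('"')
    if re.fullmatch(r"[0-9A-F]{16}", victim_id):
        findings.append(f"id={victim_id}: 16 hex chars, the prefix of every .locky filename")
    if "pubkey" in values:
        info = parse_publickeyblob(decode_reg_hex(values["pubkey"]))
        if info and info["rsa_keyx"]:
            findings.append(f"pubkey: CAPI RSA PUBLICKEYBLOB, bitlen={info['bitlen']}")
    if "paytext" in values:
        note = decode_paytext(decode_reg_hex(values["paytext"]))
        if "All of your files are encrypted" in note:
            findings.append("paytext: decodes to the Locky ransom note")
    if values.get("completed", "").strip('"').lower() == "dword:00000001":
        findings.append("completed=1: the encryption run has finished")
    return findings


# Constructed sample: the values quoted on the page, in .reg export form
SAMPLE_VALUES = {
    "id": '"8C05983C8B06FC65"',
    "pubkey": "hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00 ...",
    "paytext": (
        "hex:ef,bb,bf,20,20,20,20,20,20,20,20,20,20,20,20,21,21,21,20,49,4d,50,4f,"
        "52,54,41,4e,54,20,49,4e,46,4f,52,4d,41,54,49,4f,4e,20,21,21,21,21,0d,0a,0d,"
        "0a,41,6c,6c,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,61,72,65,20,65,6e,"
        "63,72,79,70,74,65,64,20,77,69,74,68,20,52,53,41,2d,32,30,34,38,20,61,6e,64,"
        "20,41,45,53,2d,31,32,38,20,63,69,70,68,65,72,73,2e,0d,0a"
    ),
    "completed": '"dword:00000001"',
}

# Constructed, complete 2048-bit blob (header, RSA1, bitlen, exponent, zeroed modulus)
FULL_BLOB = (bytes([PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, 0]) + struct.pack("<I", CALG_RSA_KEYX)
             + b"RSA1" + struct.pack("<II", 2048, 65537) + b"\x00" * 256)

if __name__ == "__main__":
    for finding in triage_locky_values(SAMPLE_VALUES):
        print(finding)
```

The 15 bytes the page shows already identify the key as a CAPI RSA key-exchange public key, and the partial bitlen bytes (00,08,00) are consistent with the RSA-2048 the ransom note claims; a full export of the value would let the parser confirm the bit length outright.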



Payload


This ransomware can encrypt the files on your PC using a public key. The files can be decrypted with a private key stored in a remote server.

It encrypts files with the following extensions:

.123 .djvu .mml .ppsm .tgz .602 .DOC .mov .ppsx .tif .3dm .docb .mp3 .PPT .tiff .3ds .docm .mp4 .pptm .txt .3g2 .docx .mpeg .pptx .uop .3gp .DOT .mpg .psd .uot .7z .dotm .ms11 .qcow2 .vb .aes .dotx .ms11 (Security copy) .rar .vbs .ARC .fla .MYD .raw .vdi .asc .flv .MYI .rb .vmdk .asf .frm .NEF .RTF .vmx .asm .gif .odb .sch .vob .asp .gpg .odg .sh .wav .avi .gz .odp .sldm .wb2 .bak .h .ods .sldx .wk1 .bat .hwp .odt .slk .wks .bmp .ibd .otg .sql .wma .brd .jar .otp .SQLITE3 .wmv .c .java .ots .SQLITEDB .xlc .cgm .jpeg .ott .stc .xlm .class .jpg .p12 .std .XLS .cmd .js .PAQ .sti .xlsb .cpp .key .pas .stw .xlsm .crt .lay .pdf .svg .xlsx .cs .lay6 .pem .swf .xlt .csr .ldf .php .sxc .xltm .CSV .m3u .pl .sxd .xltx .db .m4u .png .sxi .xlw .dbf .max .pot .sxm .xml .dch .mdb .potm .sxw .zip .dif .mdf .potx .tar wallet.dat .dip .mid .ppam .tar.bz2 .djv .mkv .pps .tbk

The ransomware skips files whose path or filename contains one of the following strings:

  • $Recycle.Bin
  • Appdata
  • Application data
  • Boot
  • Program Files
  • Program files (x86)
  • System Volume Information
  • temp
  • thumbs.db
  • tmp
  • Windows
  • winnt


It renames encrypted files using the following format:

  • [ID][identifier].locky


Examples:

  • 8C05983C8B06FC65A0A9F44EDE9CA812.locky
  • 8C05983C8B06FC65A1E1405B2324F5A5.locky


It also deletes all volume shadow copies, changes the desktop wallpaper, opens _Locky_recover_instructions.txt, and displays the same ransom message as an image, telling you that you can recover the files using a personal link to a TOR webpage that asks for payment (inaccessible at the time of writing).



We have seen it contact the following URLs which are currently unavailable:

  • hxxp://vjwmpxseu.fr/main.php
  • hxxp://jywdohhfkypg.de/main.php
  • hxxp://blydeylrayu.it/main.php
  • hxxp://obvpxgcohmpsou.it/main.php
  • hxxp://cqvgwp.uk/main.php
  • hxxp://tdxgp.eu/main.php
  • hxxp://109.234.38.35/main.php
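The callback URLs are published defanged (hxxp) and share the /main.php path. The Python below is an added example (not Microsoft's code) that refangs the list, normalises each entry to a (hostname, path) pair, and checks proxy log records against it. The log format (timestamp, client, method, URL, status) is an assumption made for this example and the log lines are constructed; a real deployment would parse whichever format the proxy writes.

```python
import re
from urllib.parse import urlsplit

# The defanged callback URLs listed on the page
DEFANGED_IOCS = [
    "hxxp://vjwmpxseu.fr/main.php",
    "hxxp://jywdohhfkypg.de/main.php",
    "hxxp://blydeylrayu.it/main.php",
    "hxxp://obvpxgcohmpsou.it/main.php",
    "hxxp://cqvgwp.uk/main.php",
    "hxxp://tdxgp.eu/main.php",
    "hxxp://109.234.38.35/main.php",
]


def refang(url):
    """Turn hxxp:// or hxxps:// back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def ioc_keys(iocs):
    """Normalise IOCs to (hostname, path) so scheme, port and host case do not matter."""
    keys = set()
    for u in iocs:
        parts = urlsplit(refang(u))
        keys.add((parts.hostname, parts.path or "/"))
    return keys


def scan_proxy_log(lines, iocs=DEFANGED_IOCS):
    """lines: records of the form 'timestamp client method url status' (assumed
    format). Returns one dict per record whose URL matches a listed IOC."""
    wanted = ioc_keys(iocs)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated record
        ts, client, method, url, status = fields[:5]
        parts = urlsplit(url)
        if (parts.hostname, parts.path or "/") in wanted:
            hits.append({"ts": ts, "client": client, "method": method,
                         "host": parts.hostname, "status": status})
    return hits


# Constructed proxy log: two callback attempts, one benign request, one near miss
SAMPLE_LOG = [
    "2016-02-18T10:01:02Z 10.0.0.21 POST http://cqvgwp.uk/main.php 200",
    "2016-02-18T10:01:05Z 10.0.0.21 GET http://www.example.com/ 200",
    "2016-02-18T10:02:10Z 10.0.0.34 POST http://109.234.38.35/main.php 503",
    "2016-02-18T10:02:11Z 10.0.0.34 GET http://cqvgwp.uk/ 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} ({hit['method']}, {hit['status']})")
```

Matching on hostname plus path rather than the raw string means a request logged with a port, a different scheme or a capitalised host still matches, while a request to the same host but a different path (the last sample line) does not, which keeps the check tied to the IOCs as published.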




Analysis by Donna Sibangan

Last update 18 February 2016
