Home / malware Win32/Locky
First posted on 05 May 2016.
Source: MicrosoftAliases :
There are no other names known for Win32/Locky.
Explanation :
Installation
This ransomware can be installed when you open an attachment, usually as a Word file (.doc), from a spam email. Aside from Office documents, this threat can also use other downloaders such as .JS and .BAT files as attachments in spam emails. The file contains a macro which downloads the ransomware and runs it in your PC.
It can also be downloaded by TrojanDownloader:JS/Nemucod, TrojanDownloader:JS/Swabfex, TrojanDownloader:JS/Locky, TrojanDownloader:Win32/Locky or through exploit kits.
This threat can create files on your PC, including:
_HELP_instructions.txt
_Locky_recover_instructions.txt
_Locky_recover_instructions.bmp
%temp%\svchost.exe - locky ransomware
[ID][identifier].locky (encrypted files)
It modifies the registry so that it runs each time you start your PC, as part of its installation routine For example:
In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "id"
With data: "8C05983C8B06FC65" --> ID of the victim
In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "pubkey"
With data: hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00 … -->RSA public key
In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "paytext"
With data: hex:ef,bb,bf,20,20,20,20,20,20,20,20,20,20,20,20,21,21,21,20,49,4d,50,4f,
52,54,41,4e,54,20,49,4e,46,4f,52,4d,41,54,49,4f,4e,20,21,21,21,21,0d,0a,0d,
0a,41,6c,6c,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,61,72,65,20,65,6e,
63,72,79,70,74,65,64,20,77,69,74,68,20,52,53,41,2d,32,30,34,38,20,61,6e,64,
20,41,45,53,2d,31,32,38,20,63,69,70,68,65,72,73,2e,0d,0a,4d,6f,72,65,20,69,
6e,66,6f,72,6d,61,74,69,6f,6e,20,61,62,6f,75,74,20,74,68,65,20,52,53,41,20,
61,6e,64,20,41,45,53,20,63,61,6e,20,62,65,20,66,6f,75,6e,64,20,68,65,72,65,
3a,0d,0a,20,20,20,20,68,74,74,70,3a,2f,2f,65,6e,2e,77,69,6b,69,70,65,64,69,
61,2e,6f,72,67,2f,77,69,6b,69,2f,52,53,41,5f,28,63,72,79,70,74,6f,73,79,73,
74,65,6d,29,0d,0a,20,20,20,20,68,74,74,70,3a,2f,2f,65,6e,2e,77,69,6b,69,70,
65,64,69,61,2e,6f,72,67,2f,77,69,6b,69,2f,41,64,76,61,6e,63,65,64,5f,45,6e,
63,72,79,70,74,69,6f,6e,5f,53,74,61,6e,64,61,72,64,0d,0a,20,20,20,20,0d,0a,
44,65,63,72,79,70,74,69,6e,67,20,6f,66,20,79,6f,75,72,20,66,69,6c,65,73,20,
69,73,20,6f,6e,6c,79,20,70,6f,73,73,69,62,6c, --> This is the content of the _Locky_recover_instructions.txt
In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "completed"
With data: "dword:00000001" --> If the ransomware has finished encrypting the machine
Payload
This ransomware can encrypt the files on your PC using a public key. The files can be decrypted with a private key stored in a remote server.
Before it encrypts files, it connects to its C2 server to relay encrypted information about the machine using a hardcoded IP address in the binary.
If that is not accessible, it will use its Domain Generation Algorithm (DGA) to connect to other available servers.
Once it has received a reply from its remote server, it will start encrypting files in the system and receive the ransom note with the user's personal Tor payment website.
It encrypts files with the following extensions:​
0.001 .dip .ms11 (Security copy) .SQLITE3 0.002 .djv .MYD .SQLITEDB 0.003 .djvu .MYI .stc 0.004 .DOC .n64 .std 0.005 .docb .NEF .sti 0.006 .docm .odb .stw 0.007 .docx .odg .svg 0.008 .DOT .odp .swf 0.009 .dotm .ods .sxc 0.01 .dotx .odt .sxd 0.011 .fla .onetoc2 .sxi 0.123 .flv .otg .sxm 0.602 .forge .otp .sxw .3dm .frm .ots .tar .3ds .gif .ott .tar .3g2 .gpg .p12 .tbk .3gp .gz .PAQ .tgz .7z .hwp .pas .tif .aes .ibd .pdf .tiff .apk .iwi .pem .txt .ARC .jar .php .uop .asc .java .pl .uot .asf .jpeg .png .upk .asm .jpg .pot .vb .asp .js .potm .vbs .asset .key .potx .vdi .avi .lay .ppam .vmdk .bak .lay6 .pps .vmx .bat .lbf .ppsm .vob .bik .ldf .ppsx .wallet .bmp .litemod .PPT .wav .brd .litesql .pptm .wb2 .bsa .ltx .pptx .wk1 .bz2 .m3u .psd .wks .cgm .m4a .pst .wma .class .m4u .qcow2 .wmv .cmd .max .rar .xlc .cpp .mdb .raw .xlm .crt .mdf .rb .XLS .cs .mid .re4 .xlsb .csr .mkv .RTF .xlsm .CSV .mml .sav .xlsx .d3dbsp .mov .sch .xlt .das .mp3 .sh .xltm .db .mp4 .sldm .xltx .dbf .mpeg .sldx .xlw .dch .mpg .slk .xml .dif .ms11 .sql .zip
It drops _HELP_instructions.txt into folders where it has encrypted user files.
The text file contains a link to webpage that has a personalized Bitcoin address and instructions on how to pay the ransom:
The ransomware skips files with the following path name and filename in one of its strings:
- $Recycle.Bin
- Appdata
- Application data
- Boot
- Program Files
- Program files (x86)
- System Volume Information
- temp
- thumbs.db
- tmp
- Windows
- winnt
It renames encrypted files using the following format:
- [ID][identifier].locky
Examples:
- 8C05983C8B06FC65A0A9F44EDE9CA812.locky
- 8C05983C8B06FC65A1E1405B2324F5A5.locky
It also deletes all volume shadow copies, changes the desktop wallpaper, opens the _Locky_recover_instructions.txt and displays the same ransom image to tell you that you can recover the files using a personal link that directs you to a TOR webpage asking for payment (inaccessible at the time of writing).
We have seen it contact the following URLs which are currently unavailable:
- hxxp://vjwmpxseu.fr/main.php
- hxxp://jywdohhfkypg.de/main.php
- hxxp://blydeylrayu.it/main.php
- hxxp://obvpxgcohmpsou.it/main.php
- hxxp://cqvgwp.uk/main.php
- hxxp://tdxgp.eu/main.php
- hxxp://109.234.38.35/main.php
Analysis by Donna Sibangan and Marianne MallenLast update 05 May 2016