
Ransom:Win32/Locky


First posted on 25 October 2019.
Source: Microsoft

Aliases:

Ransom:Win32/Locky is also known as Trojan.Encoder.3976, Win32/Filecoder.Locky.A trojan, Malicious_Behavior.VEX.99, Trojan.Win32.FileCoder, Trojan-Ransom.Win32.Locky.d, Trojan.Cryptolocker.AF, Ransom_LOCKY.A.

Explanation:

Installation

This ransomware can be installed when you open an attachment, usually a Word file (.doc), from a spam email. Aside from Office documents, this threat can also use other downloaders, such as .JS and .BAT files, as attachments in spam emails. The file contains a macro that downloads the ransomware and runs it on your PC.

It can also be downloaded by TrojanDownloader:JS/Nemucod, TrojanDownloader:JS/Swabfex, TrojanDownloader:JS/Locky, TrojanDownloader:Win32/Locky or through exploit kits.

This threat can create files on your PC, including:  

_HELP_instructions.txt

_Locky_recover_instructions.txt

_Locky_recover_instructions.bmp

%temp%\svchost.exe - Locky ransomware

[ID][identifier].locky (encrypted files)

It modifies the registry so that it runs each time you start your PC, as part of its installation routine. For example:

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "id"
With data: "8C05983C8B06FC65" --> ID of the victim

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "pubkey"
With data: hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00 … --> RSA public key

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "paytext"
With data: hex (UTF-8 text, omitted here) --> This is the content of the _Locky_recover_instructions.txt

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "completed"
With data: "dword:00000001" --> Set to 1 once the ransomware has finished encrypting the machine
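As an added example (not part of the original write-up), a Python helper that pulls these markers out of a Registry Editor (.reg) export of the subkey above: the victim ID, the completed flag, the ransom note decoded from the paytext bytes, and the RSA key length read from the pubkey blob. The .reg text is constructed from the values on the page; the final pubkey byte and the short paytext bytes are constructed stand-ins for the elided data.

```python
import re

# Constructed sample: a Registry Editor (.reg) export of the subkey listed
# above. "id", "completed" and the first pubkey bytes mirror the page; the
# final pubkey byte and the short paytext bytes are constructed stand-ins.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Locky]
"id"="8C05983C8B06FC65"
"pubkey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00
"paytext"=hex:ef,bb,bf,21,21,21,20,49,4d,50,4f,52,54,41,4e,54,20,49,4e,46,\
  4f,52,4d,41,54,49,4f,4e,20,21,21,21,21,0d,0a
"completed"=dword:00000001
"""
LOCKY_KEY = r"[hkey_current_user\software\locky]"

def _key_body(reg_text: str) -> str:
    """Value lines under the Locky subkey, or '' if the key is absent."""
    body, inside = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):                    # a [subkey] header line
            inside = line.strip().lower() == LOCKY_KEY
        elif inside:
            body.append(line)
    return "\n".join(body)

def _hex_value(text: str) -> bytes:
    """Decode a .reg 'hex:ef,bb,bf,...' value into bytes."""
    return bytes.fromhex(text.split(":", 1)[1].replace(",", ""))

def parse_locky_markers(reg_text: str) -> dict:
    """Extract the infection markers Locky writes; {} if the key is absent."""
    body = _key_body(reg_text)
    if not body:
        return {}
    folded = re.sub(r"\\\r?\n\s*", "", body)        # join .reg line continuations
    values = dict(re.findall(r'^"([^"]+)"=(.*)$', folded, flags=re.M))
    out = {}
    if "id" in values:          # victim ID; also the prefix of every .locky file name
        out["id"] = values["id"].strip('"')
    if "completed" in values:   # dword:00000001 once encryption has finished
        out["completed"] = int(values["completed"].split(":", 1)[1], 16) == 1
    if "paytext" in values:     # ransom note text, UTF-8 with a leading BOM
        out["paytext"] = _hex_value(values["paytext"]).decode("utf-8-sig")
    if "pubkey" in values:      # CryptoAPI PUBLICKEYBLOB: "RSA1" magic at offset 8,
        blob = _hex_value(values["pubkey"])         # then the key length in bits
        out["rsa_bits"] = (int.from_bytes(blob[12:16], "little")
                           if blob[8:12] == b"RSA1" else None)
    return out
```

The 2048-bit length read from the blob agrees with the "RSA-2048" the ransom note itself claims, which is a quick consistency check when triaging a host.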

Payload

This ransomware encrypts the files on your PC using a public key. The files can be decrypted with the corresponding private key, which is held on a remote server.

Before it encrypts files, it connects to its C2 server, using an IP address hardcoded in the binary, to relay encrypted information about the machine.

If that server is not accessible, it uses its Domain Generation Algorithm (DGA) to find other available servers.

Once it has received a reply from its remote server, it starts encrypting files on the system and receives the ransom note with the user's personal Tor payment website.

It encrypts files with the following extensions:

.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .011, .123, .602, .3dm, .3ds, .3g2, .3gp, .7z, .aes, .apk, .ARC, .asc, .asf, .asm, .asp, .asset, .avi, .bak, .bat, .bik, .bmp, .brd, .bsa, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .CSV, .d3dbsp, .das, .db, .dbf, .dch, .dif,
.dip, .djv, .djvu, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .fla, .flv, .forge, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iwi, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .lbf, .ldf, .litemod, .litesql, .ltx, .m3u, .m4a, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11,
.ms11 (Security copy), .MYD, .MYI, .n64, .NEF, .odb, .odg, .odp, .ods, .odt, .onetoc2, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .pst, .qcow2, .rar, .raw, .rb, .re4, .RTF, .sav, .sch, .sh, .sldm, .sldx, .slk, .sql,
.SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .upk, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wallet, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip

It drops _HELP_instructions.txt into folders where it has encrypted user files.

The text file contains a link to a webpage that has a personalized Bitcoin address and instructions on how to pay the ransom.

The ransomware skips files whose path or filename contains one of the following strings:

$Recycle.Bin, Appdata, Application data, Boot, Program Files, Program files (x86), System Volume Information, temp, thumbs.db, tmp, Windows, winnt

It renames encrypted files using the following format:

[ID][identifier].locky

Examples:

8C05983C8B06FC65A0A9F44EDE9CA812.locky

8C05983C8B06FC65A1E1405B2324F5A5.locky
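An added example, not from the original write-up: Python triage of a file listing from a compromised host that uses the rename format and skip list above to count encrypted files per victim ID, flag files carrying a different ID (encrypted by another infected host, for instance on a shared drive), and separate the ransom notes and the system paths Locky leaves alone. The file paths and the second victim ID are constructed; matching the skip strings as whole path components is this example's own assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rename format from the write-up: [ID][identifier].locky (ID = registry "id").
LOCKY_NAME = re.compile(r"^([0-9a-f]{16})([0-9a-f]{16})\.locky$", re.I)

# Strings the write-up says Locky skips. Matching them as whole path
# components, case-insensitively, is an assumption made by this example.
SKIPPED = {s.lower() for s in (
    "$Recycle.Bin", "Appdata", "Application data", "Boot", "Program Files",
    "Program files (x86)", "System Volume Information", "temp", "thumbs.db",
    "tmp", "Windows", "winnt")}
NOTE_NAMES = {"_help_instructions.txt", "_locky_recover_instructions.txt",
              "_locky_recover_instructions.bmp"}

# Constructed file listing, as an analyst might dump it from a disk image.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\8C05983C8B06FC65A0A9F44EDE9CA812.locky",
    r"C:\Users\bob\Documents\_HELP_instructions.txt",
    r"C:\Users\bob\Pictures\8C05983C8B06FC65A1E1405B2324F5A5.locky",
    r"C:\Users\bob\AppData\Local\Temp\svchost.exe",      # dropped binary
    r"C:\Windows\System32\notepad.exe",
    r"D:\share\0123456789ABCDEF0123456789ABCDEF.locky",  # constructed 2nd ID
]

def victim_id(filename):
    """Victim ID from a Locky-renamed file name, or None if not that format."""
    m = LOCKY_NAME.match(filename)
    return m.group(1).upper() if m else None

def is_skipped(path):
    """True if the path has a component Locky would leave alone."""
    return any(p.lower() in SKIPPED for p in PureWindowsPath(path).parts)

def triage(paths, registry_id=None):
    """Count encrypted files per victim ID; separate notes and skipped paths."""
    per_id, notes, skipped = Counter(), [], []
    for path in paths:
        name = PureWindowsPath(path).name
        vid = victim_id(name)
        if vid:
            per_id[vid] += 1
        elif name.lower() in NOTE_NAMES:
            notes.append(path)
        elif is_skipped(path):
            skipped.append(path)
    # IDs other than this host's registry "id" point at another infected host
    foreign = sorted(i for i in per_id if registry_id and i != registry_id.upper())
    return {"encrypted": dict(per_id), "notes": notes,
            "skipped": skipped, "foreign_ids": foreign}
```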

It also deletes all volume shadow copies, changes the desktop wallpaper, opens _Locky_recover_instructions.txt, and displays the same ransom image to tell you that you can recover the files using a personal link that directs you to a Tor webpage asking for payment (inaccessible at the time of writing).

We have seen it contact the following URLs, which are currently unavailable:

hxxp://vjwmpxseu.fr/main.php
hxxp://jywdohhfkypg.de/main.php
hxxp://blydeylrayu.it/main.php
hxxp://obvpxgcohmpsou.it/main.php
hxxp://cqvgwp.uk/main.php
hxxp://tdxgp.eu/main.php
hxxp://109.234.38.35/main.php

Analysis by Donna Sibangan and Marianne Mallen

Last update 25 October 2019

 
