The Locky ransomware is a strain of malicious code that poses elevated risk due to its considerable stealth, large attack surface and sophisticated money extortion tactics.
What is Locky ransomware? (May 2017)
The extortion contrivance called the Locky ransomware demonstrates that cybercriminals are obviously in pursuit of new operational mechanisms. This infection is out of the ordinary because its spreading mode differs from that of its counterparts, and it covers a greater scope of victim data if the attack succeeds. When this infection originally emerged in February 2016, the most prominent indicators of compromise included the .locky extension added at the end of encrypted files, as well as the ransom walkthroughs titled _Locky_recover_instructions.txt. The latest variant circulating since April 2017, though, features quite a few tweaks and enhancements.
The current Locky spinoff appends the .osiris extension to hostage data entries and drops an updated set of recovery how-to’s named OSIRIS-[4_chars].htm and OSIRIS.bmp. The latter documents show up in all folders the contents of which underwent the detrimental impact of the virus. The affected files, in their turn, assume a weird shape and look similar to this: 8361F0GE–9589–G5F7–C9B07218–D472R0F58112.osiris. The filenames now consist of 36 random hexadecimal characters followed by the version-specific extension.
Of course, the user can no longer open any of these files – not because they were renamed but due to a combo of RSA-2048 and AES-128 ciphers that the ransomware applied. Locky roams through the local drive volumes, external data peripherals such as USB memory sticks or an additional HDD, and network drives. The goal is to find the bits of information with the most widespread extensions. This way, the malware can hit below the belt as it subsequently encodes one’s personal files while disregarding various objects that are auxiliary for the operating system.
After the encryption job has been finished, the Trojan replaces the user’s desktop wallpaper with a warning image called DesktopOSIRIS.bmp, which provides step-by-step recommendations regarding data redemption. Replicated in the above-mentioned OSIRIS-[4_chars].htm document, these help files instruct the victim to follow a Tor link for further advice. The linked-to online spot is in fact the Locky Decryptor Page hosted on the dark web, where the hijacked computer user can remit the ransom of 0.5 BTC, or about $800, and download the decoding software afterwards.
Locky ransomware is also non-standard in the context of circulation. Rather than using exploit kits, the miscreants behind it are mass-spamming potential victims with rogue invoices, job offers, scanned images of important documents and the like. The Microsoft Word file that goes with these emails looks innocuous, but it has a trick in it. When a user opens the file, the text is indiscernible because the document is supposedly “protected”. However, a little prompt says this problem can be rectified by enabling macros. Unfortunately, a lot of users fall for this ruse, enable macros manually and thus allow the attackers’ code to run on the computer. If this happens, the cyber offensive is extremely difficult to handle, but not impossible. Read the following tips to find out how you can reinstate your data without paying a cent to the crooks.
Automated removal of .locky file virus
Owing to an up-to-date database of malware signatures and intelligent behavioral detection, the recommended software can quickly locate the infection, eradicate it and remediate all harmful changes. So go ahead and do the following:
1. Download and install the antimalware tool. Open the solution and have it check your PC for PUPs and other types of malicious software by clicking the Start Computer Scan button.
2. Rest assured the scan report will list all items that may harm your operating system. Select the detected entries and click Fix Threats to get the troubleshooting completed.
Data recovery toolkit to the rescue
Some strains of ransomware delete the original files after the encryption routine has been completed. As hostile as this activity appears, it can play into your hands. There are applications designed to revive information that was obliterated because of malfunctioning hardware or due to accidental removal. The tool called Data Recovery Pro by ParetoLogic features this type of capability, so it can be applied in ransom attack scenarios to at least get the most important files back. So download and install the program, run a scan and let it do its job.
Locky ransomware manual removal
Some ransomware strains terminate themselves after completing the encryption job on a computer, but some don’t. Furthermore, the Locky virus may prevent victims from using popular antimalware tools in order to stay on board for as long as possible. Under the circumstances, it may be necessary to utilize the Safe Mode with Networking or System Restore functionality.
- Restart the machine. When the system begins loading back up, keep pressing the F8 key with short intervals. The Windows Advanced Options Menu (Advanced Boot Options) screen will appear.
- Use arrow keys to select Safe Mode with Networking and hit Enter. Log on with the user account infected by the ransomware.
- Click on the Search icon next to the Start menu button. Type msconfig in the search field and select the System Configuration option in the results. Go to the Boot tab in the upper part of the GUI.
- Under Boot options, select Safe boot and click the Apply button. A prompt will appear to reboot the computer so that the changes take effect. Select the Restart option and wait for the system to load into Safe Mode. Again, log on with the ransomware-stricken user account.
In Safe Mode, the ransom Trojan won’t keep security software from running or otherwise thwart troubleshooting. Open your preferred web browser, download and install an antimalware tool of choice and start a full system scan. Have all the detected ransomware components removed in a hassle-free way.
- Open Windows Advanced Options Menu as described in the previous section: hit F8 repeatedly when the PC is starting up. Use arrow keys to highlight the Safe Mode with Command Prompt entry. Hit Enter.
- In the Command Prompt window, type cd restore and hit Enter.
- Type rstrui.exe in the new command line and press Enter.
- When the System Restore screen pops up, click Next, select a restore point that predates the contamination, and use the application’s controls to roll back the system to this earlier state.
Be advised that even after the ransomware is removed, files will still be encrypted and inaccessible. The malicious code cleanup part, however, is important because it keeps a relapse of the infection from occurring further on and eliminates all opportunistic malware.
Checking one’s options regarding this workaround, which relies on the Volume Shadow Copies that Windows keeps of your files, is doable in two ways: through the Properties menu of each file or by means of the remarkable open-source tool called Shadow Explorer. We recommend the software-based way because it’s automated, hence faster and easier. Just install the app and use its intuitive controls to get previous versions of the encrypted objects reinstated.
Alternatively, you can leverage the Previous Versions feature, which is native to the Windows operating system. This method is more cumbersome than the use of Shadow Explorer, but it can help restore the most important individual files on condition that the ransomware failed to disable the Volume Snapshot Service on the computer. Right-click on a file of choice and select Properties. Then, go to the Previous Versions tab as illustrated below.
Go ahead and pick the file’s latest backup version on the list. Use the Copy or Restore buttons to reinstate this object to a new path or to its original folder, respectively.
- Toggle your email provider’s anti-spam settings to filter out all the potentially harmful incoming messages. Raising the bar beyond the default protection is an important countermeasure for ransom Trojans.
- Define specific file extension restrictions in your email system. Make sure that attachments with the following extensions are blacklisted: .js, .vbs, .docm, .hta, .exe, .cmd, .scr, and .bat. Also, treat ZIP archives in received messages with extreme caution.
- Rename the vssadmin.exe process so that ransomware is unable to obliterate all Shadow Volume Copies of your files in one shot.
- Keep your Firewall active at all times. It can prevent crypto ransomware from communicating with its C&C server. This way, the threat won’t be able to obtain cryptographic keys and lock your files.
- Back up your files regularly, at least the most important ones. This recommendation is self-explanatory. A ransomware attack isn’t an issue as long as you keep unaffected copies of your data in a safe place.
- Use an effective antimalware suite. There are security tools that identify ransomware-specific behavior and block the infection before it can do any harm.
These techniques are certainly not a cure-all, but they will add an extra layer of ransomware protection to your security setup.
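One way to enforce the attachment restrictions above, as an added Python example that is not part of the original article: it applies the extension blacklist, looks one level inside ZIP archives for the JS/WSF/HTA lures the write-up describes, and flags Office documents that carry a VBA project (the macro lure). Adding .wsf to the list, and the sample files, which are constructed in memory, are assumptions of this example.

```python
import io
import posixpath
import zipfile

# Attachment extensions the article says to blacklist, plus the WSF script type it
# describes arriving inside ZIP archives (adding .wsf is an assumption of this example).
BLOCKED_EXTENSIONS = {".js", ".vbs", ".docm", ".hta", ".exe", ".cmd", ".scr", ".bat", ".wsf"}
# Office Open XML containers are ZIP files; macro code, if any, lives in vbaProject.bin.
OFFICE_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def _ext(name):
    return posixpath.splitext(name.lower())[1]

def _has_vba(data):
    """True if a ZIP-based Office document carries a VBA project (macro code)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(posixpath.basename(n).lower() == "vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container, so no embedded VBA project to find

def inspect_attachment(name, data):
    """Return the reasons this attachment should be quarantined (empty list = allow)."""
    reasons = []
    ext = _ext(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in OFFICE_EXTENSIONS and _has_vba(data):
        reasons.append("Office document contains a VBA macro project")
    if ext == ".zip":  # look one level inside the archive, as the lures do
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for inner in zf.namelist():
                    inner_ext = _ext(inner)
                    if inner_ext in BLOCKED_EXTENSIONS:
                        reasons.append(f"archive contains {inner}")
                    elif inner_ext in OFFICE_EXTENSIONS and _has_vba(zf.read(inner)):
                        reasons.append(f"archive contains macro-enabled document {inner}")
        except zipfile.BadZipFile:
            reasons.append("corrupt or malformed ZIP archive")
    return reasons

def _make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()

# Constructed samples (no real malware): a ZIP carrying a .js lure, a minimal "spreadsheet"
# container with a vbaProject.bin entry, and a macro-free one.
LURE_ZIP = _make_zip({"invoice_2017.js": b"// placeholder, not a real script"})
MACRO_XLSX = _make_zip({"[Content_Types].xml": b"<Types/>", "xl/vbaProject.bin": b"\x00"})
CLEAN_XLSX = _make_zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"})
```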
Learn how the Locky ransomware has evolved over time
There are ransomware samples out there whose devs cannot boast professional data encryption practices, which has allowed researchers to create workarounds for decrypting hostage files. Some examples include the Globe, DXXD, DMA Locker, and 7ev3n strains. On the other hand, there are ransom Trojans like Locky, which cripple victims’ files beyond recovery. In that case, the only viable way to recover is to cough up the specific amount of cryptocurrency being extorted. Although this perpetrating program was discovered back in February 2016, it is still uncrackable nine months later.
In order to be a moving target for security analysts, Locky is regularly updated. A total of five versions have been released up till now, each one adding features that hinder reverse-engineering of the code and more robust crypto implementations. This article provides a comprehensive report on all variants of the Locky ransomware to date.
Upon intrusion, Locky version 1 would scan the hard disk, removable drives and mapped network shares for the user’s personal files. Everything detected in the course of this data scouring was subject to strong encryption. The ransomware used two different cryptosystems to deny the availability of files, namely RSA-2048 and AES-128. Filenames would change as well, morphing into unrecognizable entities similar to 7185F1FG7823F1F53N94DBB58671A345.locky. These were strings consisting of 32 hexadecimal chars followed by the .locky extension.
The ransomware also added ransom notes called “_Locky_recover_instructions.txt” to encoded folders and the machine’s desktop. It also changed the desktop background to a pre-designed image holding the same recovery instructions, including the user’s personal ID. According to these, the victim had to visit a site called the Locky Decryptor Page and use further details on it to submit 0.5 Bitcoins to the criminals. At that point, this sample stood out from the crowd because its code had no apparent flaws and the cryptographic facet was immaculate.
A new set of ransom manuals is another change included in the Zepto release. A combo of files called “_HELP_instructions.html” and “_HELP_instructions.bmp” took over the previous “_Locky_recover_instructions.txt” note. The structure of these help documents remained the same. Another invariable thing was the desktop background, which reflected the preliminary recovery steps just like before.
What did undergo an alteration, though, was the encryption method leveraged by some affiliates of the Locky scheme. The bad guys tried their hand at applying a cipher without requesting a public crypto key from a Command and Control server. When in this mode dubbed “autopilot”, the infection could do its filthy data scrambling job without being detected by firewalls and antimalware suites, which may identify suspicious traffic between an offending program and its C2 page. However, this technique had some shortcomings for the attackers. The main one is that it became impossible to track the number of ransomware installations, so the statistics weren’t as informative.
The proliferation method used to infect computers with Zepto was no longer backed by macros exploitation. Instead, the extortionists leveraged spam emails with ZIP archives that contained JS or WSF files. These malicious entities would be masqueraded as invoices, receipts, CVs or cancellation requests. Once a user clicked on them, the bad scripts would stealthily install the ransomware onto the system.
Along with downgrading the file encoding principle, Locky developers made a few more changes to their program. It appended the .odin tail to every skewed file. Filenames got renamed according to the same pattern as before. Victims learned the recovery steps from ransom manuals now named “_HOWDO_text.html” and “_HOWDO_text.bmp”. The ransom was still payable in Bitcoins and amounted to 0.5 BTC. To submit it, the infected users had to visit the already familiar Locky Decryptor page.
The propagation methodology exhibited a clear-cut focus on the spam vector. By leveraging a large botnet, the perpetrators launched a massive spam campaign that generated thousands of rogue emails on a daily basis. These emails were intended to dupe people into opening a malicious attachment that came in the form of a JS, WSF or HTA file enclosed within a ZIP archive. A significant change regarding the data encoding part of the modus operandi was that this variant switched back to the “autopilot” mode. The malefactors are obviously trying to strike a golden mean between code obfuscation and stats tracking, so they keep experimenting with offline crypto.
The Thor iteration transforms one’s documents, images, databases, videos and other personal files into entries like ST8DRHBA-FG1M-XG4S-00F9-0B9157A80190.thor. Consequently, not only is it impossible to open them due to cryptographic changes, but it’s also unfeasible to work out what specific objects have been encoded. The ransomware drops decryption help files called “_WHAT_is.html/.bmp”. As before, these manuals, along with a warning wallpaper on the desktop, tell the victim to follow one of several available Tor links and thus visit the Locky Decryptor page.
The size of the ransom is still 0.5 Bitcoins, or about 350 USD. Overall, the use of digital cash is an immutable trend with online extortionists, because it helps them stay on the loose due to its inherent anonymity attributes. If the rest of the attack technicalities, including the data encryption process, are implemented immaculately, a ransomware sample is double trouble. Unfortunately, all of Locky’s spinoffs are like that.
The Aesir edition proliferates over email spam and a fairly uncommon Facebook phishing trick. The former method mainly relies on phony messages with the subject “Spam mailout” that misinform a victim of suspicious activity allegedly emanating from their address. The attachment, which is claimed to be the contents and logging of these purported spam messages, will execute the ransomware as soon as the unsuspecting recipient opens it. The distribution campaign on Facebook revolves around a malicious .svg image file that’s sent to users over Facebook’s Instant Messaging system.
The ransom notes created by the Aesir variant convey the same instructions as before. Their names, however, have been changed to -INSTRUCTION.html, _[random_number]-INSTRUCTION.html, and -INSTRUCTION.bmp. The desktop background with a warning message didn’t undergo any tweaks. Unfortunately, one more thing that the .aesir file ransomware edition has inherited from its forerunners is professional crypto. It is therefore still uncrackable, so users should be on the lookout for spam received over email or via social networking sites.
Just like the previous version, the Zzzzz alias of Locky scrambles filenames using randomly generated hexadecimal characters. Furthermore, it sticks with the same ransom note names, which are -INSTRUCTION.html, _[random_number]-INSTRUCTION.html, and -INSTRUCTION.bmp. On the outside, the only conspicuous change is the .zzzzz file extension. Another cross-version common denominator is that the InfoSec community is still helpless when it comes to decrypting Locky-mutilated data.
The filename tweaking principle underwent a noticeable modification, too. The ransomware substitutes the initial filenames with 36 hexadecimal characters, whereas the precursors would use 32. Moreover, the five groups of these characters are now separated by double dashes rather than single ones. It’s hard to say why this particular change took place, but it’s certainly a distinguishing feature of the Osiris spinoff.
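As an added example that is not part of the original write-up, the following Python helper turns the naming patterns described for the Locky, Thor and Osiris builds above, together with the ransom note names listed across the versions, into a read-only triage of a file listing. Because the article’s own sample names include letters outside the hex range, it assumes any uppercase alphanumeric character may appear; the sample listing is constructed from the article’s examples plus two benign names.

```python
import re

# Extensions Locky appended over its lifetime, in release order (from the article).
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "thor", "aesir", "zzzzz", "osiris")

# The article's sample names contain letters outside the 0-9/A-F hex range, so the matcher
# tolerates any uppercase alphanumeric (an assumption); separators may be 1-2 dashes or an en-dash.
_SEP = r"[-\u2013]{1,2}"

def _groups(*sizes):  # fixed-size character groups joined by separators
    return _SEP.join(r"[0-9A-Z]{%d}" % n for n in sizes)

ENCRYPTED_NAME = re.compile(
    r"^(?:%s|%s|%s)\.(%s)$" % (
        r"[0-9A-Z]{32}",          # Locky v1: 32 characters, no separators
        _groups(8, 4, 4, 4, 12),  # Thor-style: 32 characters in five groups
        _groups(8, 4, 4, 8, 12),  # Osiris-style: 36 characters, double dashes
        "|".join(LOCKY_EXTENSIONS),
    )
)

# Ransom note names the article lists across versions.
RANSOM_NOTE = re.compile(
    r"^(?:_Locky_recover_instructions\.txt"
    r"|(?:_HELP_instructions|_HOWDO_text|_WHAT_is)\.(?:html|bmp)"
    r"|(?:_\d+)?-INSTRUCTION\.(?:html|bmp)"
    r"|OSIRIS-[0-9A-Za-z]{4}\.htm"
    r"|(?:Desktop)?OSIRIS\.bmp)$",
    re.IGNORECASE,
)

def classify(filename):
    """Return ('encrypted', variant), ('note', None) or None for one file name."""
    m = ENCRYPTED_NAME.match(filename)
    if m:
        return ("encrypted", m.group(1).lower())
    if RANSOM_NOTE.match(filename):
        return ("note", None)
    return None

def triage(filenames):
    """Summarise file names: encrypted-file count per variant plus ransom note count."""
    summary = {"encrypted": {}, "notes": 0}
    for name in filenames:
        hit = classify(name)
        if hit is None:
            continue
        kind, variant = hit
        if kind == "note":
            summary["notes"] += 1
        else:
            summary["encrypted"][variant] = summary["encrypted"].get(variant, 0) + 1
    return summary

# Constructed listing: the article's own sample names plus two benign documents.
SAMPLE = [
    "7185F1FG7823F1F53N94DBB58671A345.locky", "ST8DRHBA-FG1M-XG4S-00F9-0B9157A80190.thor",
    "8361F0GE--9589--G5F7--C9B07218--D472R0F58112.osiris", "OSIRIS-a1b2.htm",
    "DesktopOSIRIS.bmp", "_HELP_instructions.html", "budget.xlsx", "report.docx",
]
```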
One more thing that makes this edition stand out from the crowd is the unusual spam campaign distributing it. The outlaws in charge are dispersing emails with tricky Microsoft Excel documents on board. These are wrongfully claimed to be invoices, so the targeted people may get curious to see what’s inside. The spreadsheet turns out to be blank, with a security warning at the top recommending the user to enable Excel macros. By clicking the “Enable Content” button on the alert, the unsuspecting recipient triggers a macro that downloads the Osiris payload and runs it on the computer.
Unfortunately, the threat actors are tech-savvy enough to deploy the cryptographic part of their attacks immaculately, so researchers are yet to create a free decryptor. If there are no file backups available, those who fall victim to the Osiris ransomware may have to pay 0.5 Bitcoins to the malefactors.
The outbreak of the Locky-Osiris ransomware build in December 2016 was short-lived, gradually slowing down to a crawl by the end of the year. There was nothing but white noise from Locky ransomware architects throughout the first quarter of 2017. The Necurs botnet was generating hardly any malspam to prop the previously dominating extortion campaign, which ended up causing a dramatic decline in its distribution. However, the beast awakened in April 2017, when hardly anyone expected it to rise from the ashes.
The hallmark signs of the plague remained unaltered: it still scrambles filenames according to the same principle and concatenates the .osiris extension to each one. The set of ransom notes is identical, too. The new distribution wave is still backed by the Necurs botnet. This unexpected comeback of Locky is definitely disconcerting as its authors appear to be trying to re-invade the earlier niche and reach new heights.
When it comes to the Locky ransomware campaign, the security community is confronted with a skilled and very tech-savvy adversary. There are no weak links in the way this infection encodes data. To top it off, it erases Shadow Volume Copies of files in order to counter one of the most viable workarounds for data recovery. As the malady evolves, it gets better at evading AVs and assumes improved characteristics to keep IT experts from analyzing it in a virtual machine environment.
Ultimately, everyone is much better off focusing on ransomware prevention. The easiest and most worthwhile tips to protect yourself against this epidemic are as follows: don’t click on spam attachments, keep your firewall enabled at all times, apply software patches and antimalware updates once they are available, and of course back up the most valuable files.
Revise your security status
Checking after the fact that a malware removal was complete is a good habit: it prevents the harmful code from returning and keeps any leftover components from replicating. Make sure you are good to go by running an additional safety checkup.