There are ransomware samples out there whose devs cannot boast professional data encryption practices, which has allowed researchers to create workarounds for decrypting hostage files. Some examples include the Globe, DXXD, DMA Locker, and 7ev3n strains. On the other hand, there are ransom Trojans like Locky, which cripple victims’ files beyond recovery. In that case, the only viable way to recover is to cough up a specific amount of cryptocurrency being extorted. Although this perpetrating program was discovered back in February 2016, it is still uncrackable nine months after.
In order to be a moving target for security analysts, Locky is regularly updated. A total of five versions have been released up till now, each one featuring enhanced features to prevent reverse-engineering of the code and more robust crypto implementations. This article provides a comprehensive report on all variants of the Locky ransomware to date.
The newsmaking emergence
When the first edition of Locky surfaced, security experts shortly found that its distribution relied on an ill-famed botnet called Necurs. Cybercriminals had leveraged this particular botnet earlier to spread Dridex, a Trojan that steals victims’ e-banking credentials and other sensitive data. Furthermore, the operators of Locky even borrowed the same infection chain. The ransomware payload arrived with phishing emails pretending to be an invoice. The attached Microsoft Word document prompted the recipients to activate macros, which triggered the execution of the malicious routine on the computer.
Upon intrusion, Locky version 1 would scan the hard disk, removable drives and mapped network shares for the user’s personal files. Everything detected in the course of this data scouring was subject to strong encryption. The ransomware used two different cryptosystems to deny the availability of files, namely RSA-2048 and AES-128. Filenames would change as well, morphing into unrecognizable entities similar to 7185F1FG7823F1F53N94DBB58671A345.locky. These were strings consisting of 32 hexadecimal chars followed by the .locky extension.
The ransomware also added ransom notes called “_Locky_recover_instructions.txt” to encoded folders and the machine’s desktop. It also changed the desktop background to a pre-designed image holding the same recovery instructions, including the user’s personal ID. According to these, the victim had to visit a site called the Locky Decryptor Page and use further details on it to submit 0.5 Bitcoins to the criminals. At that point, this sample stood out from the crowd because its code had no apparent flaws and the cryptographic facet was immaculate.
Offline encryption experiments of the Zepto variant
Locky version 2 went live at the beginning of August 2016. It combined deep-level tweaks with external adjustments made to the original infection. This edition concatenated the .zepto extension to one’s encrypted files, which is why the security community called it this way. As opposed to its precursor, the updated ransomware modified filenames according to a new pattern. Specifically, it replaced them with the same number of characters (32) but broke the strings down into five parts with hyphens linking them. For instance, a random affected file assumed a form like this: 015DBF10-32D2-FNI4-F058-F286E992B714.zepto.
A new set of ransom manuals is another change included in the Zepto release. A combo of files called “_HELP_instructions.html” and “_HELP_instructions.bmp” took over the previous “_Locky_recover_instructions.txt” note. The structure of these help documents remained the same. Another invariable thing was the desktop background, which reflected the preliminary recovery steps just like before.
What did undergo an alteration, though, was the encryption method leveraged by some affiliates of the Locky hoax. The bad guys tried their hand at applying a cipher without requesting a public crypto key from a Command and Control server. When in this mode dubbed “autopilot”, the infection could do its filthy data scrambling job without being detected by firewalls and antimalware suites, which may identify suspicious traffic between an offending program and its C2 page. However, this technique had some shortcomings for the attackers. The main one is that it became impossible to track the number of ransomware installations, so the statistics weren’t as informative.
The proliferation method used to infect computers with Zepto was no longer backed by macros exploitation. Instead, the extortionists leveraged spam emails with ZIP archives that contained JS or WSF files. These malicious entities would be masqueraded as invoices, receipts, CVs or cancellation requests. Once a user clicked on them, the bad scripts would stealthily install the ransomware onto the system.
Locky version 3: a step back cryptography-wise
When it seemed that Locky operators were up to switching to offline encryption irrevocably, the third “Odin” variant proved the opposite. The criminals in charge reversed to the use of Command and Control servers for secret keys. It’s hard to say for sure why this move backward happened. Some researchers speculate that the black hats couldn’t tolerate the fact that the distribution statistics were incomplete. This edition appeared in late September, about two months after its forerunner Zepto emerged.
Along with downgrading the file encoding principle, Locky developers made a few more changes to their program. It appended the .odin tail to every skewed file. Filenames got renamed according to the same pattern that the Odin spinoff used. Victims learned the recovery steps from ransom manuals now named “_HOWDO_text.html” and “_HOWDO_text.bmp”. The ransom was still payable in Bitcoins and amounted to 0.5 BTC. To submit it, the infected users had to visit the already familiar Locky Decryptor page.
The short-lived “Shit” version
Looking back at the fourth edition of Locky, it’s not clear whether it was a joke or a failed spinoff. This one was “>discovered in late October. Its main distinguishing property was the .shit extension being added to the names of encrypted files. The ransom instructions were provided through documents called “_WHAT_is.html” and “_WHAT_is.bmp”. So much for the external modifications.
The propagation methodology exhibited a clear-cut focus on the spam vector. By leveraging a large botnet, the perpetrators launched a massive spam campaign that generated thousands of rogue emails on a daily basis. These emails were intended to dupe people into opening a malicious attachment that came in the form of a JS, WSF or HTA file enclosed within a ZIP archive. A significant change regarding the data encoding part of the modus operandi was that this variant switched back to the “autopilot” mode. The malefactors have been, obviously, trying to strike a golden mean between code obfuscation and stats tracking, so they keep experimenting with offline crypto.
Thor, another evil character in the Locky saga
It took Locky devs a record-breaking time span of under 24 hours to switch from the .shit extension variant to a new edition. The successor uses the .thor string to label one’s affected files. The crooks leverage an encrypted DLL installer to execute the ransomware on computers. The configuration file contains a number of interesting hard-coded parameters. One of them instructs the infection to cease an attack if it discovers that the target system uses Russian as the default interface language. Furthermore, almost half of the Command and Control servers are located in Russia. These may be indicators of the criminals’ origin.
The Thor iteration transforms one’s documents, images, databases, videos and other personal files into entries like ST8DRHBA-FG1M-XG4S-00F9-0B9157A80190.thor. Consequently, not only is it impossible to open them due to cryptographic changes, but it’s also unfeasible to work out what specific objects have been encoded. The ransomware drops decryption help files called “_WHAT_is.html/.bmp”. As before, these manuals, along with a warning wallpaper on the desktop, tell the victim to follow one of several available Tor links and thus visit the Locky Decryptor page.
The size of the ransom is still 0.5 Bitcoins, or about 350 USD. Overall, the use of digital cash is an immutable trend with online extortionists, because it helps them stay on the loose due to its inherent anonymity attributes. If the rest of the attack technicalities, including the data encryption process, are implemented immaculately, a ransomware sample is double trouble. Unfortunately, all of Locky’s spinoffs are like that.
The Aesir descendant of Locky
The next interjacent strain of the Locky epidemic continues the Norse mythology theme, where Aesir denotes a pantheon of warrior gods. In ransomware terms, this word serves as the new extension being subjoined to one’s encrypted files. This variant replaces the name of a random scrambled entry with hexadecimal characters according to the following pattern: [8_chars]-[4_chars]-[4_chars]-[4_chars]-[12_chars].aesir. Compared to the previous Locky spinoff, the renaming template is identical except for the extension.
The Aesir edition proliferates over email spam and a fairly uncommon Facebook phishing trick. The former method mainly relies on phony messages with the subject “Spam mailout” that misinform a victim of suspicious activity allegedly emanating from their address. The attachment, which is claimed to be the contents and logging of these purported spam messages, will execute the ransomware as soon as the unsuspecting recipient opens it. The distribution campaign on Facebook revolves around a malicious .svg image file that’s sent to users over Facebook’s Instant Messaging system.
The ransom notes created by the Aesir variant convey the same instructions as before. Their names, however, have been changed to -INSTRUCTION.html, _[random_number]-INSTRUCTION.html, and -INSTRUCTION.bmp. The desktop background with a warning message didn’t undergo any tweaks. Unfortunately, one more thing that the .aesir file ransomware edition has inherited from its forerunners is professional crypto. It is therefore still uncrackable, so users should be on the lookout for spam received over email or via social networking sites.
New derivative using the .zzzzz extension
The first spam wave disseminating the .zzzzz file variant of Locky was spotted on November 24, 2016. Most of these rogue emails were camouflaged as order receipts and ISP complaints. The social engineering component of the latter theme was based on purported violations of an Internet Service Provider’s terms of service through spam traffic allegedly emanating from the recipient’s computer. This is irony of a sort – actual spam emails accusing users of sending spam. Strangely enough, it works.
Just like the previous version, the Zzzzz alias of Locky scrambles filenames using randomly generated hexadecimal characters. Furthermore, it sticks with the same ransom note names, which are -INSTRUCTION.html, _[random_number]-INSTRUCTION.html, and -INSTRUCTION.bmp. On the outside, the only conspicuous change is the .zzzzz file extension. Another cross-version common denominator is that the InfoSec community is still helpless when it comes to decrypting Locky-mutilated data.
Mythology theme revived in the Osiris variant
Having stepped away from the mythological version-naming paradigm for a while, Locky devs opted back in. The .osiris file edition of the ransomware was out on December 5, 2016. It brought about several novel things as compared to the Zzzzz predecessor. First of all, the .osiris extension makes a whole lot more sense in the overall Locky family context. Secondly, the new iteration leaves a different set of ransom manuals, namely OSIRIS-[4_chars].htm and OSIRIS.bmp. The BMP file replaces the victim’s original desktop wallpaper.
The filename tweaking principle underwent a noticeable modification, too. The ransomware substitutes the initial filenames with 36 hexadecimal characters, whereas the precursors would use 32. Moreover, the five groups of these characters are now separated by double dashes rather than single ones. It’s hard to say why this particular change took place, but it’s certainly a distinguishing feature of the Osiris spinoff.
One more thing that makes this edition stand out from the crowd is the unusual spam campaign distributing it. The outlaws in charge are dispersing emails with tricky Microsoft Excel documents on board. These are wrongfully claimed to be invoices, so the targeted people may get curious to see what’s inside. The spreadsheet turns out to be blank, with a security warning at the top recommending the user to enable Excel macros. By clicking the “Enable Content” button on the alert, the unsuspecting recipient triggers a macro that downloads the Osiris payload and runs it on the computer.
Unfortunately, the threat actors are tech-savvy enough to deploy the cryptographic part of their attacks immaculately, so researchers are yet to create a free decryptor. If there are no file backups available, those who fall victim to the Osiris ransomware may have to pay 0.5 Bitcoins to the malefactors.
When it comes to the Locky ransomware campaign, the security community is confronted with a skilled and very tech-savvy adversary. There are no weak links in the way this infection encodes data. To top it off, it erases Shadow Volume Copies of files in order to counter one of the most viable workarounds for data recovery. As the malady evolves, it gets better at evading AVs and assumes improved characteristics to keep IT experts from analyzing it in a virtual machine environment.
Ultimately, everyone is much better off focusing on ransomware prevention. The easiest and most worthwhile tips to protect yourself against this epidemic are as follows: don’t click on spam attachments, keep your firewall enabled at all times, apply software patches and antimalware updates once they are available, and of course back up the most valuable files.