locky ransomware analysis


Latest blog post from our threat research team on how Locky works: http://www.webroot.com/blog/2016/02/22/locky-ransomware/ Locky Ransomware Analysis - Will my AV help? After all the analysis the locky ransomware was found to originate from Russia. Output intructions.txt/.bmp 4. It  creates a unique ID of the victim starting with a 16 character name at the beginning, then a .locky extension that is known for this ransomware. This line means there is more data in UserForm1.textbox 1and 2, but the data in textbox1 is base64 encoded. The simplest way to convert it to an OLE document is to open it in Word and save it as a Word document. Over 10 years we help companies reach their financial and branding goals. Researchers at Proofpoint observed that this […] Locky uses RSA and AES encryption to encrypt numerous files. You can copy this value to linux and use base64 –decode but in this instance I just used www.base64decode.org. Add startup registry keys 3. Your email address will not be published. Locky Ransomware Analysis 1. At this point I could just stop and go grab the payload and analyze it, but me being me, I want to see what the reset of the scripts are doing. For this we used OLE Dump, a great tool for analyzing and extracting data from OLE files. https://www.virustotal.com/en/file/b4f4563a23721d089518a924558c47221582c278bb7e5d040da2f0129f85df27/analysis/, January, 2015, http://blog.didierstevens.com/programs/oledump-py/, 6300 Creedmoor Rd Apparently Locky always comes back. Now we can analyze the document again. We will examine two samples. However, it caught the attention of researchers because it was so active and so widespread. There is currently no known cure for Locky’s encryption methods, and so once it gets ahold … If you take a .mht file and rename it as .doc Word will treat it the same. Unfortunately I wasn’t able to locate this value but I did locate some other interesting data. Sample1 was an older sample and I only saw DNS queries for what appeared to be DGA domains Command and Control servers(C&C). There are 3 types of local drives: fixed, removable and RAM disks. No longer merely the realm of the PC, cybercriminals have also built MAC OS ransomware, and can even target mobile devices. I went ahead and removed the access restriction on the firewall and watched the POST requests. A Brief Guide For Increasing The Security Of Your Mobile Devices, Three Basic Steps to Keep Your Computer Data Secure, Understanding the Cloud-Based Backup Service and Solutions, Tech that Saves Lives: The New Trend in Car Seat Safety, The Best Free Cleanup Software for Mac OS X, 3 Ways you can safeguard your Financial Information Online. Hit ‘Yes’ on the dialog box pertaining to the invalid key ‘DPX’ and hit ok on the next box. AboutPressCopyrightContact usCreatorsAdvertiseDevelopersTermsPrivacyPolicy & SafetyHow YouTube worksTest new features. On the Protection tab un-check ‘Lock project for viewing’ and press Ok.  Hit the save button in the Visual Basic designer and close, then save and close the document. So I went ahead and removed the VBA password from the document with a hex editor and pulled the value from Word. Locky is a type of ransomware spread via malicious .doc, .xls or zip files attached to spam emails. Once the document is downloaded, so is the ransomware. This time I look for any objects that contain UserForm1. Contextual Analysis of Locky Ransomware: According to a study, cybercriminals have started phishing assaults with ransomware, targeting multiple industries, including healthcare, gamers, and businesses. If you’re facing a Locky infection, an anti-malware program will be able to remove it along with any associated malware from your computer. Open the document in Word, go to the Developer tab and press the Visual Basic button. Once hit by ransomware, users' files are held to ransom until payment is made: Locky requires users to pay using the Bitcoin currency, which helps to hide the Locky … While a variety of new ransomware has appeared since the end of 2015, Locky ransomware stands out because it is being delivered by the same actor behind many of the Dridex malware campaigns we have tracked over the last year. If the user is exposed to a exploit kit (usually by visiting a compromised website, or by being redirected to a malicious one) and it successfully exploits the user's machine, the kit will download the ransomware and it … On the Protection tab un-check ‘Lock project for viewing’ and press Ok. Hit the save button in the Visual Basic designer and close, then save and close the document. We have recently received two samples of Locky maldoc (malicious document) ransomware from a healthcare institution. This time, it comes with hard-coded javascript A new Locky campaign appears in the wild with, experts observed million malicious email messages starting from June 20. When the child process is executed, it first checks the OS version to see if it the above vulnerability is still unpatched. Contact Us. In previous incarnations, Locky Bart used a simpler encryption process. Analysis of the Locky infection process In recent months, there has been a significant increase in the number of networks and users affected by ransomware known as Locky, discusses ESET's Diego Perez. A Locky Ransomware Analysis From A Tech Perspective. https://www.virustotal.com/en/file/61066b2684a00df194643076123493fe2c36968dce1a5931b27d17658061b149/analysis/, https://www.virustotal.com/en/file/68244d5204518ab8b7f3564577b2bcc98c8fe0ea0aee39aa5518ffb5cf2689dc/analysis/, https://malwr.com/analysis/ODcwYjY5NTE4NWVhNGZiNWE3ZmEzOGJkMTQ3NjgzNmY/, https://www.virustotal.com/en/file/4503ec0e1217e899c9ba808571305e44fdf1e6d7125b04e4bf351e831d93e25f/analysis/. The decrypter can be found here. This line means there is more data in UserForm1.textbox 1and 2, but the data in textbox1 is base64 encoded. While analyzing the Word documents, it was discovered that the file format was actually a .mht Web Archive or a single file web page, and not an OLE Word document. Locky ransomware attack targets mainly small businesses. If that is the case, the svchost.exe is hit with malicious APCs to connect back to the C&C server and download the Locky ransomware. Truly, no one is exempt. Locky is known to arrive via spam e-mails containing malicious attachments. I also fired up the debugger to see if I could recover the value used to encrypt the HTTP traffic. A Closer Look at the Locky Poser, PyLocky Ransomware. When looking into Locky, we can see all top features, such as a time-based DGA system, huge spam email campaigns, various scripting languages, generic PE packers, server-side encryption key generation and Tor/BitCoin payment. This was actually a customer testing the DG Agent against Locky. I started by looking at stream 11: ./oledump.py –s 11 –v. Once communication is established with the C&C server an RSA encryption key is transferred to the victim and stored in the ‘pubkey’ value of registry key ‘HKCU\Software\Locky’. Now you have full access to the scripts and forms. It is important to keep track of and understand these changes in order to ensure that security solutions stay relevant and customers are protected. A persistent threat, Locky ransomware apparently has no plans of disappearing anytime soon. In late July and throughout August, we observed waves of spam email delivering the PyLocky ransomware. So what does Locky ransomware usually attack? This enables us to keep the site up and running. Ransomware is a devastating piece of malware that encrypts important files on an infected computer and demands ransom to decrypt the files. Moreover, this ransomware changes your desktop wallpaper with a message prompting you to pay a ransom in exchange for the recovery key. What attackers generally do is to use different names and attachments in every malicious e-mail, in order to dodge detection by security products. A LOCKY RANSOMWARE ANALYSIS FROM A TECH PERSPECTIVE. Does It Work? First, you need an analysis environment in-place t... Ring Ø Labs: https://RingZeroLabs.com How do you get started in #Malware Analysis and #ReverseEngineering? Best defense is to keep recent backups of your system and registry. For this we used OLE Dump, a great tool for analyzing and extracting data from OLE files. This time I look for any objects that contain UserForm1. We’re looking forward to working with you! Locky Locker Ransomware – Technical Analysis Locky Locker is a virus that encrypts your files and places a .txt file, with instructions inside it, about the infected computer system. Search for DPB in a hex editor and change it to DPX then save the document. Considering there is so much about ransomware in the news and to some extent Locky, I thought I should take the opportunity to take a closer look at it to see if there is anything other than the obvious that someone may be able to do to mitigate the effects of being successfully targeted by a ransomware. Locky Ransomware Domains - Followup Analysis Uncovers 130 New Indicators. VBA macro creates file %temp%\arra.bat, 2. Russian Government May Be Utilizing Spyware To Gather Information, Knowing When Or If to Update Your computer Drivers. Your email address will not be published. Now the Visual Basic designer will open, under the project tree right click the project and open the properties. Reviewing the HTTP traffic from Sample1 and 2 I noticed the contents of the first POST request from the victim were encrypted but also that between the two samples the values were the same. Seeing how MS docs play a role in the spread of this malware, it is important to consider the risks distinctive to using macros in Microsoft office documents, and it’s ability to compromise personal or work files, or worse, an entire corporate network. 4. I tried to decode the base64 value I pulled with oledump but there was an issue with the value that was returned. Both samples arrived via email and were not detected by spam filters or antivirus when saved to the computer. The final payload is detected by Trend Micro as RANSOM_LOCKY.PUY . Locky is a typical ransomware Trojan, and it exhibits no major differences from other ransomware families in its internal arrangement or its principles of operation. Only one of the DGA C&C hosts was still accessible and the one that did accepted the POST request closed the connection. Now that we have the URL for the PE file we can go and download it. Static IP address list to communicate to the C&C servers: 185.22.67.27 – PS Internet Company LLC Network, Kazakhstan, 31.184.197.119 – Petersburg Internet Network ltd., Russian Federation, 51.254.19.227 – Webhost LLC Dmitrii Podelko, Russian Federation, 5.34.183.136 – UASERVERS NETWORK, Ukraine. Automated Behavioral Analysis of Malware. There was no Locky activity on Monday or Tuesday of this week (October 16-17, 2017). While analyzing the Word documents, it was discovered that the file format was actually a .mht Web Archive or a single file web page, and not an OLE Word document. Ransomware. We observed through dynamic analysis that it uses the same technique of Locky ransomware to decode the main payload, spawning the process through wScript with the argument ‘321’, otherwise, the decryption routine will produce junk code and the execution flow will jump into that junk code and crash the process. As expected the script is obfuscated, but while reviewing the script one line stood out. It is very important that users be informed about the trends in cyber security and computer crime, most especially the effects of ransomware and other threats. Unfortunately, there are no tools yet capable of decrypting files affected by this malware. Please be aware that we may use cookies to ensure that we give you the best experience on our website. This demo uses a sample of the Locky ransomware deployed on a physical endpoint in a secure lab environment running Digital Guardian. This is a list of OS ‘s that are targeted by the malware: Locky is a relatively new player to the ransomware scene but it appears to be on par with functionality of current ransomware families. Everything on this site comes highly recommended and we stand behind everything we write. Suite 170 #213 Locky ransomware is currently a big player in the malware sphere. To confirm if the system is infected with locky ransomware – there would be a ransom text shown on desktop wallpaper or comes as a text file. These files contains macros which would look like scrambled text. Quick Heal Security Labs is observing the infamous Locky ransomware outbreak which kicked off recently in the last week of September. Overview. We presume they took that time weaponizing this DDE feature in order to deliver today’s attacks. The outbreak started with spam email with various subjects and different attachment names. Echo’s the script contents to the dasdee.vbs script, 3.3.1.      dasdee.vbs performs a GET request to the http address passed in parameter %0% and saves the response to the location in parameter %1%. I started testing by changing the network for the VM so it was contained on its own network and blocked all outbound requests except for DNS on the perimeter firewall. Analysis of recent Locky ransomware outbreak. Locky came into the limelight when it hit the Hollywood Hospital last month causing the hospital to pay Bitcoins worth $17,000 in ransom. The Locky Bart binary also uses a … These files contains macros which would look like scrambled text. Proofpoint researchers have discovered a new ransomware named "Locky" being distributed via MS Word documents with malicious macros. Unit 42 has written a Python script that will recursively seek out .locky files on a victim machine and restore them to their original state. A new ransomware has been discovered called Locky that encrypts your data using AES encryption and then demands .5 bitcoins to decrypt your files. Please notify us earlier, if you're interested in priority analysis (details below). Locky Bart ransomware and backend server analysis Analysis of Locky Bart’s binary. Locky ransomware starts up again its illegal activity of stealing money from their victims after a temporary inactivity since the end of May. The Locky ransomware was first spotted in the wild in February 2016. We’ll know in this Locky ransomware analysis. Only one of the DGA C&C hosts was still accessible and the one that did accepted the POST request closed the connection. After Locky has finished encrypting the victim’s files, it will display a ransom note in the form of text and bitmap set as the victim’s wallpaper. Hi there - yes you can disable the software from loading on... Bill Gordon has been writing on tech and malware subjects for 6 years and has been working in the internet and tech industry for over 15 years. We’re looking forward to working with you! Streams with an uppercase ‘M’ are the more interesting VBA Macros. 5. Simply fire up your antivirus software and let it do its job. Locky creates the registry key ‘HKCU\Software\Locky’ and sets the following values: If Locky is executed from outside of %TEMP%, it copies itself to %TEMP% as svchost.exe and removes the original file. Once communication was established the malware only communicated with that host. One thing to note that sometimes to download the file you will need to match the Agent string in the script. Open the document in Word, go to the Developer tab and press the Visual Basic button. I went ahead and removed the access restriction on the firewall and watched the POST requests. Sample2, a newer sample, immediately tried to access a list of hardcoded IP addresses and sent a POST request. Delete Volume Shadow copies 2. Raleigh, NC. 3.4. Once the document is downloaded, so is the ransomware. Locky has caused issues recently when it was used to attack Hollywood Presbyterian Medical Center during February 2016 where it claimed nearly 400,000 victims in the very first week of its detection. Though the ransomware … However, we also noticed that it … Below are the steps I followed. These files will now become inaccessible. Writes decodes and writes value of textbox1 and textbox2 to arra.bat, 3.1. IRS Lawsuit Phone Scam – It Happened To Us. The process starts with a spam email which contains a fraudulent document attached to it which contains the malware. From here I was able to pull the base64 encoded value from textbox1 and did notice there was a difference. It was about this time that we first looked at Locky. A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky” which utilises Dridex-like Command and Control (C&C) communications techniques. If any new details are discovered we will updated this post. Typical time of full analysis is around 36 hours per 1 Terabyte. Now that Locky has the encryption key the below steps occur. Infected files will now be encrypted and are fully renamed. It usually searches for various file types such as:  .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm .asm, .c, .cpp, .h, .png, txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc. Behaved like ransomware , encrypts victims files and demands for ransom to decrypt it ⬤ 4 - High ... Download the Locky threat analysis report from McAfee Advanced Threat Defense to learn more about the threat level, behavior classification, and file execution timeline. When files are encrypted the file is renamed as such, the first 16 characters of the filename is the value stored in the ‘id’ value of registry key ‘HKCU\Software\Locky’ and the second set of 16 characters are randomly generated. This document contains macros which are enabled once the user clicks “enable content”. Locky ransomware can also be delivered as the payload of an exploit kit. Posted on April 08, 2016 by threatstopoa 2 Comments. You … Required fields are marked *. Most importantly, is to have an up-to-date, properly configured anti-virus/ anti-malware software as your first line of defense against this kind of malicious threats from damaging your systems. A LOCKY RANSOMWARE ANALYSIS FROM A TECH PERSPECTIVE. https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky The Word document VBA macro obfuscation was also different but the base64 encoded script was the same in both samples. Vulnerability trigger. They enumerated... Locky Bart Software Protection technique. The top countries hit by locky are Spain, Germany, USA, France, Italy, Great Britain, Czech Republic, Canada and Poland. The recently documented CryptFile2 [3] and MarsJoke [4] campaigns also used the same sending … Symptoms to confirm if the system is infected with Locky Ransomware. So how does this malware really works? Also with the amount of data that appears to be reported to the C&C servers, if filenames are reported in either the ‘path’ or ‘encrypted’ HTTP properties and those filenames contain PHI, an infection could be considered a breach. Analysis 1. Note that removing ransomware will not decrypt and restore your files. Drives are processed in FIFO queue. After some deofuscation of the script I ended up with the following: After some additional deobfuscation on the VBA macro I combined the 3 parts to reveal full script and the actions performed. Locky is a very dangerous threat capable of infecting a variety of file formats that includes the files created by designers, developers, engineers and testers. What Is Reimage Repair? Other instances of ransomware have also been known to borrow code from others, such as the TeslaCrypt ransomware family. I reviewed stream 10 first since it was the largest and turns out it does contain the data we are looking for. The victim will also get a web page that contains more instructions on how to make the payment. The file extension for encrypted files is always “.locky”. The bat file then executes the file save by the vbs script, deletes the vbs scripts and deletes itself. The extortionists want you to pay a ransom fee for the alleged restoration of your files. The value of textbox1 is base64 encoded and textbox2 is in plain text and does contain the URL for the payload. Now reopen the document select the Developer tab and press Macros. For some background reading, I recommend you read the following: In the Macros list select the macro you wish to view and press Edit. Hit ‘Yes’ on the dialog box pertaining to the invalid key ‘DPX’ and hit ok on the next box. http://blog.didierstevens.com/programs/oledump-py/, CBS17: Hackers targeting hospitals amid COVID-19 case surge, FBI warns, Use Windows Commands to Show Remembered Wifi Passwords, Hacking Finally Tops Healthcare Breach Causes, Writes decodes and writes value of textbox1 and textbox2 to arra.bat, Arra.bat in turn creates %tmp%\dasdee.vbs, Echo’s the script contents to the dasdee.vbs script, dasdee.vbs performs a GET request to the http address passed in parameter %0% and saves the response to the location in parameter %1%. Arra.bat in turn creates %tmp%\dasdee.vbs, 3.2. Once Locky has run and infected the files on your computer, you won’t be able to access them, and these encrypted files will be given a new file name to a unique 16 letter and digit combination with different file extensions such as .diablo6, .locky, .odin, .zepto, .aesir, .thor or .osiris. The code then executes and starts to infect your files. ... Locky has continued to come up with new tricks to avoid anti-virus analysis and coverage. PyLocky is written in Python, and packaged with PyInstaller, a tool used to package Python-based programs as standalone executables. The actual DDE code is in the word/document.xml component of the document. Between the two samples the above steps did not change, the only differences were the number of UserForm1 textboxes and the URL. Now reopen the document select the Developer tab and press Macros. Locky is a type of ransomware spread via malicious .doc, .xls or zip files attached to spam emails. He currently lives in Southern California. The bat file then executes the file save by the vbs script, deletes the vbs scripts and deletes itself. If you take a .mht file and rename it as .doc Word will treat it the same. Now the Visual Basic designer will open, under the project tree right click the project and open the properties. After full analysis, you'll get emails with invoice and link to download the recovered data. Locky NSIS-based Ransomware is Embracing Its New End of Summer Shape. Locky Ransomware Analysis - Analysing through Process Explorer Picking up from where th e last post left off, we noticed that the "Locky.exe" process exited. The message can be localized depending on the victim’s location detected in the system. Since no response was received from the C&C Server, Locky just continued to the send POST requests and never proceeded beyond that point and did not encrypt any files.