Full Report
A few days ago I was asked to have a look at the newly emerged crypto-ransomware threat “Locky”, which utilises Dridex-like Command and Control (C&C) communication techniques. For some background reading, I recommend you read the following:

- http://sensorstechforum.com/aes-128-encryption-employed-by-locky-ransomware/
- https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/
- http://www.theinquirer.net/inquirer/news/2447460/dridex-style-locky-ransomware-is-infecting-machines-via-microsoft-word

It looks like a new (FEB2016) addition to the crypto-ransomware family:

1. Dirty Decrypt
2. CryptoLocker
3. CryptoWall / Cryptodefense
4. Critroni / CTB Locker
5. TorrentLocker
6. Cryptographic Locker
7. TeslaLocker
8. Locky
Analysis Summary
# Tool/Technique: Locky Ransomware
## Overview
Locky is a crypto-ransomware threat that emerged around February 2016. Its primary function is to encrypt victims' files using cryptography (typically AES-128) and demand a ransom for the decryption keys. It utilizes Command and Control (C&C) communication techniques observed in Dridex malware.
## Technical Details
- Type: Malware family (Crypto-Ransomware)
- Platform: Windows (PE executable analyzed)
- Capabilities: File encryption (AES), deletion of Volume Shadow Copies, establishment of communication with C2 servers, deployment of ransom notes, and modification of the desktop wallpaper.
- First Seen: February 2016 (FEB2016)
## MITRE ATT&CK Mapping
The primary infection vector and execution methods map to the following:
- **Initial Access (TA0001)**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (delivery via malicious MS Word document)
- **Execution (TA0002)**
  - T1204 - User Execution
    - T1204.002 - Malicious File
- **Defense Evasion (TA0005)**
  - T1027 - Obfuscated Files or Information
    - T1027.003 - Self-Obfuscation (a crypter/protector is used on the executable)
- **Persistence (TA0003)**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (implied by the registry keys the sample creates and leaves behind)
- **Impact (TA0040)**
  - T1486 - Data Encrypted for Impact (core functionality)
## Functionality
### Core Capabilities
- **Delivery:** Primarily delivered via Microsoft Word documents whose VBA macros (`Auto_Open` function) run the initial payload staging.
- **Staging and Execution:** The VBA code downloads and executes a secondary payload (`r34f3345g.exe`). The executable is a packed/crypted PE file (e.g., high byte entropy in the `.rsrc` section).
- **Self-Propagation/Setup:** Creates a copy of itself in `%userprofile%\AppData\Local\Temp\svchost.exe`.
- **Anti-Recovery:** Removes Volume Snapshot Service (VSS) files/shadow copies using `vssadmin.exe Delete Shadows /All /Quiet`.
- **Encryption:** Encrypts files and renames them to a 32-character hexadecimal identifier followed by the `.locky` extension (e.g., `[unique_id][identifier].locky`). Uses Cryptographic Service Providers (CSPs) via WinAPI calls: `CryptAcquireContext`, `CryptImportKey`, and `CryptEncrypt`.
- **Notification:** Leaves a ransom note file (`_Locky_recover_instructions.txt`) in encrypted directories and changes the Windows background image to display the ransom demand.
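The packed/crypted PE noted under Staging and Execution can be surfaced by measuring the byte entropy of each section. The Python below is an added example and not code from the original article: it computes Shannon entropy (bits per byte) and flags sections above a threshold. The section byte blobs are constructed stand-ins for real section contents (a real sample would first be parsed with a PE library such as `pefile`, which is not used here), and the 7.0 bits/byte threshold is an assumption. A high-entropy `.rsrc` on its own is a weak signal, because compressed images or embedded archives also score high, so it is best combined with the behavioural indicators listed later on this page.

```python
from __future__ import annotations

import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for
    uniformly distributed bytes (what packed or encrypted content looks like)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_packed_sections(sections: dict[str, bytes], threshold: float = 7.0) -> dict[str, float]:
    """Return {section_name: entropy} for every section at or above the threshold.
    The threshold (assumption) separates compressed/encrypted blobs from code and data."""
    flagged = {}
    for name, blob in sections.items():
        ent = shannon_entropy(blob)
        if ent >= threshold:
            flagged[name] = round(ent, 3)
    return flagged


# Constructed section contents standing in for a parsed PE:
#   .text: a short, repetitive instruction-like pattern (low entropy)
#   .data: zero-filled (entropy 0.0)
#   .rsrc: every byte value equally often (entropy 8.0), as a crypted payload
#          stored in the resource section would look
SAMPLE_SECTIONS: dict[str, bytes] = {
    ".text": (b"\x55\x8b\xec" + b"\x90" * 5) * 200,
    ".data": b"\x00" * 2048,
    ".rsrc": bytes(range(256)) * 16,
}


if __name__ == "__main__":
    for name, blob in SAMPLE_SECTIONS.items():
        print(f"{name:6s} {len(blob):6d} bytes  entropy={shannon_entropy(blob):.3f}")
    print("flagged:", flag_packed_sections(SAMPLE_SECTIONS))
```

Only `.rsrc` is flagged for the constructed input; on a real binary the same check would be run over the sections returned by the PE parser, and a flagged section would be one input to triage rather than a verdict by itself.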
### Advanced Features
- **C2 Communication:** Utilizes Dridex-like C&C communication techniques, involving HTTP POST requests to a specific file (`main.php`) on the attacker's infrastructure. Communication likely involves iterating through a list of generated (DGA) domains or hardcoded IPs until a valid response is received.
- **Key Exchange:** Sends an initial obfuscated request whose contents are not understood, requests an RSA key from the server (presumably used to encrypt the AES-ECB key that encrypts the files), and reports completion back to the C2.
- **Anti-Emulation/Anti-Debugging:** Contains checks for MMX/SSE floating-point instruction support, potentially to evade heuristics-based AV emulators that do not implement those instructions. It also executes `INT3` instructions in a loop, so an attached debugger breaks on every iteration while stepping through the code.
## Indicators of Compromise
- File Hashes: sample hashes are given in the original article but are not reproduced in this summary, as they identify specific samples rather than the family.
- File Names: `r34f3345g.exe` (staged executable); `svchost.exe` (dropped copy in Temp directory).
- Registry Keys: Stores information under `HKCU\Software\Locky`.
- Network Indicators: HTTP POST requests to `http://<C&C IP>/main.php`. Ransom demands direct victims to servers on the Tor network (reached directly over Tor or via Tor-to-web relays).
- Behavioral Indicators: Execution of `vssadmin.exe Delete Shadows /All /Quiet`; encryption process utilizing Cryptography WinAPIs; VBA `Auto_Open` execution from MS Word documents.
## Associated Threat Actors
The article does not explicitly name a threat actor group but notes the malware's similarity to Dridex communications techniques.
## Detection Methods
- **Signature-based detection:** Signatures can target known file names or packer artifacts, and known C&C endpoints (if identified).
- **Behavioral detection:** Monitoring for the execution of VBA macros within MS Office documents that attempt to download or execute remote content; detecting file renaming patterns (hex ID + .locky extension); API monitoring for the sequence of Cryptography functions; monitoring for the execution of `vssadmin.exe` with delete shadow copies arguments.
- **YARA rules:** Can be crafted for specific packed structures or embedded strings within the payload.
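The behavioural indicators listed under Indicators of Compromise and the detection methods above (Office spawning an executable, `vssadmin` deleting shadow copies, the `svchost.exe` copy running from Temp, 32-hex-character `.locky` renames, and the POST to `main.php`) can be expressed as simple rules over endpoint and proxy telemetry. The following Python is an added example, not code from the original article or from any named product: it runs the rules over a handful of constructed events (the event dictionary shape, the user paths and the 203.0.113.10 address are assumptions made for this example) and emits one alert per matching rule, plus a correlation alert when several `.locky` renames occur in the same batch.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Renamed victim files: 32 hex characters followed by the .locky extension.
LOCKY_NAME_RE = re.compile(r"^[0-9A-Fa-f]{32}\.locky$")
# vssadmin invoked to delete all shadow copies (case and spacing may vary).
VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b.*/all", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Directories where a genuine svchost.exe lives; anywhere else is suspicious.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
C2_URI_PATH = "/main.php"


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def check_process(ev: dict) -> list:
    """Process-creation rules: Office parent, shadow-copy deletion, misplaced svchost."""
    alerts = []
    parent = PureWindowsPath(ev["parent"]).name.lower()
    image = PureWindowsPath(ev["image"])
    name = image.name.lower()
    if parent in OFFICE_PARENTS and name.endswith(".exe"):
        alerts.append(Alert("office-spawned-executable", f"{parent} -> {ev['image']}"))
    if VSS_DELETE_RE.search(ev.get("cmdline", "")):
        alerts.append(Alert("shadow-copy-deletion", ev["cmdline"]))
    if name == "svchost.exe" and str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
        alerts.append(Alert("svchost-outside-system32", ev["image"]))
    return alerts


def check_file(ev: dict) -> list:
    """File-rename rule: new name is 32 hex characters plus .locky."""
    if LOCKY_NAME_RE.match(PureWindowsPath(ev["path"]).name):
        return [Alert("locky-rename", ev["path"])]
    return []


def check_http(ev: dict) -> list:
    """Proxy rule: HTTP POST whose URI path is /main.php."""
    if ev.get("method", "").upper() == "POST" and urlparse(ev["url"]).path == C2_URI_PATH:
        return [Alert("c2-post-main-php", ev["url"])]
    return []


def scan_events(events: list, rename_threshold: int = 3) -> list:
    """Apply every rule to a batch of events and correlate mass .locky renames."""
    alerts, locky_renames = [], 0
    for ev in events:
        if ev["type"] == "process":
            alerts.extend(check_process(ev))
        elif ev["type"] == "file_rename":
            found = check_file(ev)
            locky_renames += len(found)
            alerts.extend(found)
        elif ev["type"] == "http":
            alerts.extend(check_http(ev))
    if locky_renames >= rename_threshold:
        alerts.append(Alert("mass-locky-rename", f"{locky_renames} files renamed to .locky"))
    return alerts


# Constructed telemetry for one host (paths, user name and IP are assumptions).
TEMP = r"C:\Users\bob\AppData\Local\Temp"
DOCS = r"C:\Users\bob\Documents"
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": TEMP + r"\r34f3345g.exe", "cmdline": TEMP + r"\r34f3345g.exe"},
    {"type": "process", "parent": TEMP + r"\r34f3345g.exe",
     "image": TEMP + r"\svchost.exe", "cmdline": TEMP + r"\svchost.exe"},
    {"type": "process", "parent": TEMP + r"\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "file_rename", "path": DOCS + r"\0123456789ABCDEF0123456789ABCDEF.locky"},
    {"type": "file_rename", "path": DOCS + r"\ABCDEF0123456789ABCDEF0123456789.locky"},
    {"type": "file_rename", "path": DOCS + r"\FEDCBA9876543210FEDCBA9876543210.locky"},
    {"type": "file_rename", "path": DOCS + r"\report_v2.docx"},
    {"type": "http", "method": "POST", "url": "http://203.0.113.10/main.php"},
    {"type": "http", "method": "GET", "url": "http://203.0.113.10/index.html"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The constructed batch yields eight alerts: the Office-spawned executable, the `svchost.exe` running from Temp, the shadow-copy deletion, three `.locky` renames, the POST to `main.php`, and the mass-rename correlation. In production the rename correlation would be keyed per host and time window, and the `main.php` rule would be narrowed to known C2 infrastructure to keep false positives down.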
## Mitigation Strategies
- Disabling Microsoft Office macros by default (or setting security to the highest level).
- Regular, immutable backups, isolated from the network, to mitigate impact from VSS deletion.
- Implementing robust endpoint detection and response (EDR) capable of detecting suspicious process behavior (e.g., Word spawning execution engines or system administration tools like `vssadmin`).
- Network filtering to block communication to known C&C endpoint infrastructure.
## Related Tools/Techniques
Locky is placed within the context of other crypto-ransomware families: Dirty Decrypt, CryptoLocker, CryptoWall / Cryptodefense, Critroni / CTB Locker, TorrentLocker, Cryptographic Locker, and TeslaLocker. It shares C&C mechanisms likened to **Dridex**.
**Analysis Tools Used by Researcher:** `oledump`, `ida`, `ollydbg`, `api-mon`, `process explorer`, `procmon`.