Locky: the encryptor taking the world by storm

Contents

In February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the present day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries around the world.

Analysis of the samples has shown that this Trojan is a brand new ransomware threat, written from scratch. So, what is Locky, and how can we protect against it?

Propagation

In order to spread the Trojan, cybercriminals sent out mass mailings with malicious loaders attached to spam messages.

Initially, the malicious spam messages contained an attached DOC file with a macro that downloaded the Locky Trojan from a remote server and executed it.

Locky: the encryptor taking the world by storm

An early-stage spam message with a malicious document attached

Locky: the encryptor taking the world by storm

A fragment of the malicious macro

Kaspersky Lab products detect files with malicious macros as Trojan-Downloader.MSWord.Agent and HEUR:Trojan-Downloader.Script.Generic.

We should note that in modern versions of Microsoft Office, automatic execution of macros is disabled for security reasons. However, practice shows that users often enable macros manually, even in documents from unknown sources, which may lead to some damaging consequences.

At the time of writing, the malicious spam is still being sent, but instead of the DOC files being attached there are now ZIP archives containing one or more obfuscated scripts in JavaScript. The messages are mostly in English, though some bilingual variants have appeared.

Locky: the encryptor taking the world by storm

Spam message in English with the archive attached

Locky: the encryptor taking the world by storm

Message in German and English with the archive attached

The user is prompted to manually launch the scripts.

Locky: the encryptor taking the world by storm

Contents of the archive attached to the message

Locky: the encryptor taking the world by storm

Fragment of the archived script

When launched, the script downloads the Locky Trojan from a remote server and launches it.

Kaspersky Lab products detect these script loaders as Trojan-Downloader.JS.Agent and HEUR:Trojan-Downloader.Script.Generic.

Geography of attacks

Kaspersky Security Network has reported Locky attacks in 114 countries.

TOP 10 countries

Country Number of users attacked
France 469
Germany 340
India 267
USA 224
Republic of South Africa 182
Italy 171
Mexico 159
Brazil 156
China 126
Vietnam 107

We should note that these statistics only include cases where the actual Trojan was detected, and does not include early-stage detections reported as malicious spam or malicious downloaders.

map_1_en

The geography of Trojan-Ransom.Win32.Locky attacks (number of attacked users)

As we can see, the Trojan carries out attacks in practically all regions of the world. We can assume which countries the cybercriminals see as their main targets based on the list of languages used on the ransom payment webpage (see details below).

How it works

The Locky Trojan is an executable file, about 100 kb in size. It is written in C++ using STL, and is compiled in Microsoft Visual Studio. When launching, it copies itself to %TEMP%\svchost.exe and deletes the NTFS data stream Zone.Identifier from its copy – this is done to ensure that when the file is launched, Windows does not display a notification saying that the file has been downloaded from the Internet and may be potentially dangerous. The Trojan then launches from %TEMP%.

Once launched, the Trojan checks for the presence and the contents of the below registry keys.

Path Type Value
HKEY_CURRENT_USER\Software\Locky\id REG_SZ Infection ID
HKEY_CURRENT_USER\Software\Locky\pubkey REG_BINARY Public RSA key in MSBLOB format
HKEY_CURRENT_USER\Software\Locky\paytext REG_BINARY Text shown to the victim
HKEY_CURRENT_USER\Software\Locky\completed REG_DWORD Status (whether encryption is completed)

If data already exists in the registry keys (this is the case if the Trojan has launched before, but its previous session aborted for some reason), Locky reads that data and continues with the infection process.

If launched for the first time, the Trojan performs the following actions:

  1. Contacts C&C and reports infection;
  2. Receives a public RSA-2048 key and infection ID from C&C, saves them in the registry;
  3. Sends information about the language of the infected operating system, receives the cybercriminals’ ransom demand text that will be shown to the victim, saves the text in the registry;
  4. Searches for files with specific extensions on local disk drives, encrypts them;
  5. Deletes shadow copies of files;
  6. Registers itself for autostart (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run);
  7. Searches for and encrypts files with specific extensions on network drives and on network file resources with no assigned drive letter;
  8. Displays the cybercriminals’ ransom demands to the victim;
  9. Terminates its process and removes itself.

Locky: the encryptor taking the world by storm

Fragment of code that determines the language of the operating system

File encryption

The Trojan searches for files matching a given list of extensions. Then, these files are encrypted as described below.

Locky: the encryptor taking the world by storm

List of file extensions that are subject to encryption

For each file that matches an extension on the list, the Trojan generates a new 128-bit key and encrypts the file’s contents with the algorithm AES-128 in CTR mode. The encrypted file is given the name <16 HEX characters as ID><16 random HEX characters>.locky. Then the following structure is added to the end of the file:

Locky: the encryptor taking the world by storm

Structure appended by the Trojan to the end of an encrypted file

In C language syntax, this structure may be described as follows:

Appended structure described in C language syntax

Ransom demands

After encrypting the user’s files, the Trojan displays the following message with the cybercriminals’ ransom demands.

locky_eng_11

Ransom demand in English

locky_eng_12

Ransom demand in German

The ransom message contains the address of the cybercriminals’ ‘secret server’ where they placed information about the ransom they demand for the decryption program. All four links in the message lead to the same website in the Tor network.

During the early spamming campaigns, the ransom payment page looked like this:

locky_eng_13

Early version of Locky’s ransom demand page

On this page, the cybercriminals suggested that the victims pay in bitcoins to decrypt the affected files on their computer. They also gave recommendations about where and how to get the cryptocurrency.

The contents and the design of the page changed with time. Today, the page is available in more than 20 languages (that can be selected from a dropdown list), and looks like this:

locky_eng_14

Latest version of Locky’s ransom payment page

If we look at the page’s source code, we will see a complete list of supported languages. The cybercriminals obviously see the corresponding countries as the main targets for this ransomware Trojan. Interestingly, Russian and other CIS languages are not on the list. For some reason the cybercriminals are not that keen on targeting users in countries where those languages are spoken – something that KSN statistics confirm.

locky_eng_15

List of languages supported on Locky ransom payment page

Communication with C&C

The Trojan’s code contains between one and three C&C IP addresses. On top of that, the code contains an algorithm generating new C&C addresses (DGA, domain generation algorithm) depending on the current day, month and year. With this algorithm, six C&C addresses are generated each day. The pseudo-code to illustrate the DGA Locky algorithm is highlighted in the screenshot below.

locky_eng_16

Pseudo-code of Locky C&C domain generation algorithm

Communication with a C&C is performed using the HTTP protocol. The Trojan sends a POST request to an address with the format http://<cnc_url>/main.php; the transmitted data is encrypted with a simple symmetric algorithm.

Let’s have a look at the possible types of transmitted parameters.

  1. Notification about infection and request for key.
    id=<infection id>
    &act=getkey&affid=<partner id contained in the Trojan’s body>
    &lang=<language of the operating system>
    &corp=<whether the OS is a corporate OS>
    &serv=<whether the OS is a server OS>
    &os=<OS version>
    &sp=<version of OS service pack>
    &x64=<whether the OS is 32- or 64-bit>

    Judging by the affid parameter, Locky is distributed via an affiliate, or partnership, program.

  2. Sending list of encrypted paths.
    id=<infection id>
    &act=report&data=<list of paths>

    For each disk drive it has handled, the Trojan sends the C&C a list of all paths to all encrypted files.

  3. Sending statistics for each handled disk drive.
    id=<infection id>
    &act=stats&path=<path>
    &encrypted=<number of files encrypted>
    &failed=<number of errors>
    &length=<total size of encrypted files>

It should be noted that the cybercriminal collects very detailed statistics for each infection. Other ransomware families that we analyzed earlier were not this thorough at collecting statistics.

Countermeasures

Kaspersky Lab products protect against the Locky ransomware Trojan at all stages of the attack:

  • The anti-spam module detects emails sent by the Trojan’s distributors;
  • Script loaders are detected by static and heuristic signatures of email and file antivirus with the verdicts Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic;
  • The Trojan’s executable file is detected by file antivirus signatures as Trojan-Ransom.Win32.Locky;
  • Unknown samples of Locky are proactively detected by the System Watcher module with the verdict PDM:Trojan.Win32.Generic.

Preventing infections

Locky is a typical ransomware Trojan, and it exhibits no major differences from other ransomware families in its internal arrangement or its principles of operation. However, it caught the attention of researchers because it was so active and so widespread. According to KSN data, Kaspersky Lab products have blocked Locky attacks in over 100 countries around the world – no other ransomware Trojan to date has attacked so many countries at once.

To protect yourself from this ransomware Trojan, follow these preventive measures:

  • Do not open attachments in emails from senders you don’t know;
  • Back up your files on a regular basis and store the backup copies on removable storage media or in cloud storages – not on your computer;
  • Regularly run updates for your antivirus databases, operating system and other software installed on your computer;
  • Create a separate network folder for each user when managing access to shared network folders.

For more detailed information about protection from ransomware Trojans, please follow this link.

get-the-guide-640x60

Related Posts

There are 26 comments
  1. Martin

    This is always interesting articles.

    I’m really curious on the registry keys, if I create a rule that delete thoses key on creation, what will be the reaction of locky ?

    Thanks,

    1. Roopi

      these measures are not really practical in any sense. they are ‘cool’ as they would put our RE skills to test. but that’s really as far as it goes. If you are worried you or your users might be the future target of such ransomwares, you should invest in a proper solution.

  2. Andrew

    In total, how many infection attempts has the KSN reported todate from this ransonware ?

    1. Ido

      About a 150 daily infections.

      1. Andrew

        Are you part of the Kaspersky team ?

        I’ve been seeing all sorts of figures (some very high) with regards to infection rate. Just wanted to get some hard figures from what KSN has logged so far.

  3. Linh

    I’m an victim of the Locky virus. All of word files and excel files are encrypted to locky file…however, i have forgottent backup, so can you help me decrypt those locky files to word and excel files… Thank you so much.

  4. akhil

    thank you!!!

  5. Cihan

    good day, is there any solution for .locky files ?

  6. Andrew

    Decryption available yet?

    1. Cihan

      unfo not yet.

  7. M. Avis

    i was told that the the encryption on all my files (ending in ZEPTO) is a version of Locky encryption. is this the case?

    1. M.Cihan Erdem

      yes zepto is latest version of locky ransomware and there is currently no solution.

  8. EB

    I need a solution to decrypt files attacked by zepto locky ransomware.

  9. Barry Reid

    I also need a solution to decrypt files attacked by zepto locky ransomware.

  10. Mazhar

    I also need a solution to decrypt files attacked by zepto locky ransomware.

  11. Oll

    Hello,

    I would like to know if there are any news to decrypt zepto files?

    I´d rally appreciate feedback!!!

  12. Amy

    Unfortunately, my parents’ computer has been attacked by zepto. Luckily, I have an old backup from 2014 which is almost identical to an external drive that was encrypted by Zepto, which is from the penultimate time my parents’ computer died of mysterious reasons (there are more!). Are there any tools where key-guessing could be employed using a comparison of files in the two drives? I’m looking to recover their files from late 2014-2016.

    Thanks for the article. I’m trying to get a handle on this.

  13. Joanne Zhao

    I need a solution to decrypt files attacked by odin locky ransomware.

  14. dexter23

    I’m an victim of the Locky virus. All of word files and excel files are encrypted to .odin file.

  15. Angelia

    Hi,

    My PC’s all the excel file was encrypted with *.odin extension.
    Please let me know anyway I can restore the file?

  16. jason martin

    got hit with the .thor extension. any solutions to that

    1. Tony Graziano

      Jason Martin, Our company’s server got infected with .thor as well. A careless employee clicked on an email attachment and the trojan was on his computer, but infected the srever as well. I hope there is a decryption method soon. All of our companys historical data has been encrypted.

  17. Mario

    Someone who knows that they can already be deciphered .locky, I’m waiting for a tool for my files.

    Thank yoy

  18. M.Cihan Erdem

    As known recently most of users have been infected ransomware virus which changes all important documents like (pdf,doc,docx, xls,xlsx,dwg,mp3,mp4,mpeg,avi,vb) to “.vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .xxx, .ttt, .micro, .mp3, .xtbl, .cerber, .enc, .encrypted” and no extension on last version” are encrypted and not usable/readable unfortunately. I can help infected users to decrypt their files, you can contact with me with below email address if you or one of your friend had been infected this kind of virus.

    Email: mcerdem82@yahoo.com

Leave a Reply

Your email address will not be published. Required fields are marked *