0

Locky Ransomeware

The security researchers have recently discovered a new malware named as “lucky” which encrypt files of the victims and asked payment in bitcoin for the key to decrypt files. This malware is installed to root user’s machine through word documents.

Security researchers Kevin Beaumont and Lawrence Abrams each wrote an analysis of Locky, detailing how locky installs itself and its components. An attacker sends document carrying malware which  arrives in an e-mail of victim that claims to be delivering as an invoice (with a subject line that includes an apparently random invoice number starting with the letter J). When the document is opened, if Office macros are turned on in Word, then the malware installation begins. If not, the victim sees blocks of garbled text in the Word document below the text, “Enable macro if the data encoding is incorrect”—and then infects the system if the user follows that instruction. Locky Ransomware uses AES to encrypt Local Files and Unmapped Network Shares.

Locky already spread in different countries from USA, Russia, Germany, Ukraine and other countries.

  • United States
  • Russian Federation
  • Germany
  • Ukraine
  • 26 Other

How Locky Ransomware Spread

Invoice Mail

Details

Email:

Series of generic virus spam invoice emails claims to have a file attached regarding a bill.

Attached .doc downloads malware.

These emails are NOT coming from anyone stated in the email.

 


 

Subject: Invoice 

 Dear Sir/Madam,

 I trust this email finds you well,

 Please see attached file regarding clients recent bill. 
 Should you need further assistances lease feel free to email us.

 Best Regards,

 Yesenia Mccormick
 Joy Global Inc.     www.joyglobal.com

  Invoice97574978.doc (59)

These emails pretend to come from a large list of corporations :

Alleghany Corporation		www.alleghany.com
AutoNation, Inc.		www.autonation.com
Auto-Owners Insurance Group	www.auto-owners.com
Baker Hughes Incorporated	www.bakerhughes.com
Centene Corporation		www.centene.com
C. H. Robinson Worldwide, Inc.	www.chrobinson.com
Dean Foods Company		www.deanfoods.com
Dollar General Corporation	www.dollargeneral.com
Harbinger Group Inc.		www.harbingergroupinc.com
Health Net, Inc.		www.healthnet.com
Hormel Foods Corporation	www.hormelfoods.com
Jabil Circuit, Inc.		www.jabil.com
Joy Global Inc.			www.joyglobal.com
Kohl's Corporation		www.kohlscorporation.com
Level 3 Communications, Inc.	www.level3.com
Live Nation Entertainment, Inc.	www.livenation.com
Massachusetts Mutual Life Ins.	www.massmutual.com
MRC Global Inc.			www.mrcglobal.com
Murphy USA Inc.			corporate.murphyusa.com
Navistar International Corp.	www.navistar.com
NCR Corporation			www.ncr.com
Oaktree Capital Group, LLC	www.oaktreecapital.com
Southwest Airlines Co.		www.southwest.com
Tech Data Corporation		www.techdata.com
Textron Inc.			www.textron.com
The Southern Company		www.southerncompany.com
Xcel Energy Inc.		www.xcelenergy.com

Header Examples:

18 February 2016

Spoofs or just uses random junk in the From headers and Envelope From headers. In some cases, the RDNS or hostname of the sending computer is used in the fake headers.

Subject lines are in UTF-8 format.

Received: from 66-43-168-181.fibertel.com.ar [181.168.43.66]
   X-Envelope-From: SchroederChad42887@fibertel.com.ar
   From: Chad Schroeder <SchroederChad42887@fibertel.com.ar>
   Subject: =?UTF-8?B?SW52b2ljZQ==?=
     ascii subject : Invoice

Received: from cable-89-216-143-89.dynamic.sbb.rs [89.216.143.89]
   X-Envelope-From: VelazquezMaxine3114@sbb.rs
   From: Maxine Velazquez <VelazquezMaxine3114@sbb.rs>
   Subject: =?UTF-8?B?SW52b2ljZQ==?=
     ascii subject : Invoice

Received: from 93-51-221-254.ip268.fastwebnet.it [93.51.221.254]
   X-Envelope-From: MccormickYesenia508@unident.no
   From: Yesenia Mccormick <MccormickYesenia508@unident.no>
   Subject: =?UTF-8?B?SW52b2ljZQ==?=
     ascii subject : Invoice

Received: from 95-42-5-225.btc-net.bg [95.42.5.225]
   X-Envelope-From: TillmanCarmella03@95-42-5-225.btc-net.bg
   From: Carmella Tillman <TillmanCarmella03@95-42-5-225.btc-net.bg>
   Subject: =?UTF-8?B?SW52b2ljZQ==?=
     ascii subject : Invoice

Received: from 46-10-192-15.btc-net.bg [46.10.192.15]
   X-Envelope-From: RhodesDesiree231@marioenilla.com
   From: Desiree Rhodes <RhodesDesiree231@marioenilla.com>
   Subject: =?UTF-8?B?SW52b2ljZQ==?=
     ascii subject : Invoice

Received: from ipservice-092-211-032-210.092.211.pools.vodafone-ip.de [92.211.40.195]
   X-Envelope-From: SheltonRachael44@rioft.com
   From: Rachael Shelton <SheltonRachael44@rioft.com>
   Subject: =?UTF-8?B?SW52b2ljZQ==?=
     ascii subject : Invoice

Malware

18 February 2016

Attachment : malicious .doc with macro with various names :

File names like :

Invoice21558495.doc
Invoice21905318.doc
Invoice24428692.doc
Invoice28544526.doc
Invoice31092267.doc
Invoice31418407.doc
Invoice33373938.doc
Invoice56958998.doc

VirusTotal report | malwr.com report

There are several versions of this .doc file which download malware from places like :

http://onigirigohan.web.fc2.com/1/1.exe
http://killerjeff.free.fr/2/2.exe
http://uponor.otistores.com/3/3.exe
http://premium34.tmweb.ru/4/4.exe
http://bebikiask.bc00.info/5/5.exe
http://test.rinzo.biz/6/6.exe
http://avp-mech.ru/7/7.exe

Interestingly these docs download the exe files by POST request instead of get. The macro is using WinHttp.WinHttpRequest for the http request and takes place above Fiddler Proxy’s visibility.

Also, each executable is different. Which is nice.

Today’s previous run of Locky ransomware from .xls files also downloaded from :

http://tramviet.vn/system/logs/7647gd7b43f43.exe
http://cms.insviluppo.net/images/slides/7647gd7b43f43.exe
http://neways-eurasia.com.ua/system/logs/7647gd7b43f43.exe

 

Downloaded executable ( “Locky” ransomware )

The downloaded executables now have various file names like 1.exe or 7647gd7b43f43.exe

VirusTotal report | malwr report | Sample also available at BlueLiv Sandbox.

Also :

Creates a copy at :

user\AppData\Local\Temp\svchost.exe

Conducts a series of HTTP POSTs :

http://31.41.47.37/main.php

Deletes all shadow copies, preventing rolling back :

vssadmin.exe Delete Shadows /All /Quiet

This url was also in memory :

http://195.154.241.208/main.php

Encrypted files were renamed to 32 hexadecimal chars and appended with .locky such as :

E51C4E6F5100B3DB0DF8A6972EC1B38D.locky

A ransom note is dropped in each affected directory called :

_Locky_recover_instructions.txt

… Containing text like :

            !!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
    http://en.wikipedia.org/wiki/RSA_(cryptosystem)
    http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, 
 which is on our secret server.

To receive your private key follow one of the links:

1. http://6dtxgqam4crv6rr6.tor2web.org/...
2. http://6dtxgqam4crv6rr6.onion.to/...
3. http://6dtxgqam4crv6rr6.onion.cab/...
4. http://6dtxgqam4crv6rr6.onion.link/...

If all of this addresses are not available, follow these steps:
    1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
    2. After a successful installation, run the browser and wait for initialization.
    3. Type in the address bar: 6dtxgqam4crv6rr6.onion/...
    4. Follow the instructions on the site.

!!! Your personal identification ID: ... !!!

The wallpaper also gets set to the ransom note :

Picture of Locky ransomware note.

The ransom payment page through a tor2web gateway looks like :

Locky ransom website.

The Bitcoin wallet address for this incident was :

1FTaYtcYpP6joR6yCeXjPQYFcR4cUFSUcQ

Recovery

To recover your files you need to look for backups. If your backups are network based, you may have a problem as these may also be ransomed.

Identifying infected network users

If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.

Prevention

It is strongly recommend to look into securing Microsoft Office in your environment. You can do this with half an hours work — if you fail to do this step, you will keep getting hit.

Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *