Security researchers have recently discovered a new ransomware named “Locky”, which encrypts the victim's files and demands payment in Bitcoin for the key to decrypt them. The malware is installed on the user's machine through Word documents.
Security researchers Kevin Beaumont and Lawrence Abrams have each written an analysis of Locky, detailing how it installs itself and its components. The attacker sends a malicious document in an e-mail that claims to be delivering an invoice (with a subject line that includes an apparently random invoice number starting with the letter J). When the document is opened and Office macros are enabled in Word, the malware installation begins. If they are not, the victim sees blocks of garbled text in the document beneath the line “Enable macro if the data encoding is incorrect”, and the system is infected if the user follows that instruction. Locky uses AES to encrypt local files and unmapped network shares.
Locky has already spread across several countries, including the United States, Russia, Germany and Ukraine:
- 7 United States
- 4 Russian Federation
- 4 Germany
- 3 Ukraine
How Locky Ransomware Spreads
A series of generic spam e-mails claims to have a file attached regarding a bill.
The attached .doc downloads the malware.
These e-mails are NOT coming from anyone named in them.
Dear Sir/Madam,
I trust this email finds you well, Please see attached file regarding clients recent bill. Should you need further assistances lease feel free to email us.
Best Regards,
Yesenia Mccormick
Joy Global Inc.
www.joyglobal.com
Invoice97574978.doc (59)
These e-mails pretend to come from a large list of corporations.
18 February 2016
The From and Envelope-From headers are spoofed or simply filled with random junk. In some cases the reverse DNS name or hostname of the sending machine is used in the fake headers.
Subject lines are MIME-encoded as UTF-8 (base64); the decoded subject is simply “Invoice”.
Attachment: a malicious .doc with a macro, under various file names such as:
- Invoice21558495.doc
- Invoice21905318.doc
- Invoice24428692.doc
- Invoice28544526.doc
- Invoice31092267.doc
- Invoice31418407.doc
- Invoice33373938.doc
- Invoice56958998.doc
There are several versions of this .doc file, each downloading the malware from a different location.
Interestingly, these documents fetch the .exe with an HTTP POST request rather than a GET. The macro uses the WinHttp.WinHttpRequest COM object for the request, which means the traffic does not pass through the Fiddler proxy and is not visible there.
Also, each executable is different, which is nice.
Today's earlier run of Locky, delivered via .xls files, downloaded its executable from a different set of sites.
Downloaded executable (“Locky” ransomware)
The downloaded executables now have various file names, such as 1.exe or 7647gd7b43f43.exe.
Creates a copy at:
Conducts a series of HTTP POSTs:
Deletes all shadow copies, preventing rollback:
vssadmin.exe Delete Shadows /All /Quiet
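That command line is a reliable detection hook. As an added example (not from the original analysis), the following PowerShell function hunts the Security event log for process-creation events that record it. It assumes "Audit Process Creation" and "Include command line in process creation events" are enabled on the host, so event ID 4688 carries a "Process Command Line" field; the function and parameter names are my own.

```powershell
# Added example: hunt the Security log for vssadmin shadow-copy deletion.
# Assumes "Audit Process Creation" plus "Include command line in process creation
# events" are enabled, so event 4688 carries a "Process Command Line:" field.
function Find-ShadowCopyDeletion {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            # Match "vssadmin ... delete shadows" in any switch order (-match is case-insensitive)
            $_.Message -match 'vssadmin' -and $_.Message -match 'delete\s+shadows'
        } |
        ForEach-Object {
            # Pull the labelled fields out of the rendered 4688 message text
            $lines = $_.Message -split "`r?`n"
            $cmd  = ($lines | Where-Object { $_ -match '^\s*Process Command Line:' }) -replace '^[^:]*:\s*', ''
            $user = ($lines | Where-Object { $_ -match '^\s*Account Name:' } | Select-Object -First 1) -replace '^[^:]*:\s*', ''
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                Account     = $user          # first "Account Name" is the Subject, i.e. who launched it
                CommandLine = $cmd
            }
        }
}

# Run against the local host for the last 24 hours and list any hits
Find-ShadowCopyDeletion | Format-Table -AutoSize
```

Any hit from a normal user account is a strong indicator of ransomware already running on that host; shadow-copy deletion is not something users do by hand.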
This URL was also in memory:
Encrypted files were renamed to 32 hexadecimal characters with .locky appended, such as:
A ransom note is dropped in each affected directory, called:
… containing text like:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. http://6dtxgqam4crv6rr6.tor2web.org/...
2. http://6dtxgqam4crv6rr6.onion.to/...
3. http://6dtxgqam4crv6rr6.onion.cab/...
4. http://6dtxgqam4crv6rr6.onion.link/...
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6dtxgqam4crv6rr6.onion/...
4. Follow the instructions on the site.
!!! Your personal identification ID: ... !!!
The wallpaper is also set to the ransom note:
The ransom payment page, reached through a tor2web gateway, looks like:
The Bitcoin wallet address for this incident was:
To recover your files you will need to look to backups. If your backups are network based you may have a problem, as these may also have been encrypted.
Identifying infected network users
If you see files with the .locky extension appearing on your network shares, look up the file owner of the _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer accounts immediately and boot them off the network; you will likely have to rebuild their PC from scratch.
It is strongly recommended that you look into securing Microsoft Office in your environment. You can do this with half an hour's work; if you skip this step, you will keep getting hit.
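The owner lookup above can be scripted across a whole share. As an added example (not part of the original analysis), the following PowerShell function walks a share, finds files matching Locky's naming (32 hex characters plus .locky) or its ransom note, and reports the NTFS owner of each, grouped per account. The share path, the function name and the optional account-disable step are my assumptions; disabling requires the ActiveDirectory module.

```powershell
# Added example: identify infected users from the owner of Locky artefacts on a share.
function Find-LockyOwners {
    param(
        [Parameter(Mandatory)][string]$SharePath,
        [switch]$DisableAccounts   # also disable the matching AD user accounts
    )
    $lockyName = '^[0-9A-Fa-f]{32}\.locky$'          # 32 hex chars + .locky
    $noteName  = '_Locky_recover_instructions.txt'   # ransom note dropped per folder

    $hits = Get-ChildItem -Path $SharePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $lockyName -or $_.Name -eq $noteName } |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner   # e.g. CORP\jdoe
            [pscustomobject]@{ Owner = $owner; File = $_.FullName; Modified = $_.LastWriteTime }
        }

    # One row per owner: number of artefacts, earliest timestamp, a sample path
    $report = $hits | Group-Object Owner | ForEach-Object {
        [pscustomobject]@{
            Owner      = $_.Name
            Count      = $_.Count
            FirstSeen  = ($_.Group | Sort-Object Modified | Select-Object -First 1).Modified
            SampleFile = ($_.Group | Select-Object -First 1).File
        }
    } | Sort-Object FirstSeen

    if ($DisableAccounts) {
        foreach ($row in $report) {
            $sam = $row.Owner.Split('\')[-1]            # strip the DOMAIN\ prefix
            # Skip built-in principals; only real user accounts get locked.
            # The user's computer account should be disabled too once the host is known.
            if ($sam -notin @('Administrators', 'SYSTEM')) {
                Disable-ADAccount -Identity $sam -Confirm:$false
            }
        }
    }
    return $report
}

# Report only first; re-run with -DisableAccounts once the owners have been confirmed
Find-LockyOwners -SharePath '\\fileserver\finance' | Format-Table -AutoSize
```

The earliest FirstSeen value points at the first account that started encrypting, which is usually the one whose PC opened the attachment.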
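The core of that Office hardening is the macro policy the Trust Center enforces. As an added example (not from the original post), the following PowerShell sets it for the current user by writing the policy registry values the Office ADMX templates use; in a domain the same values should be pushed by Group Policy, and this is the local equivalent for testing. Office 2013 and 2016 version keys, the application list and the function names are my assumptions; the Internet-block value applies to Office 2016 and later.

```powershell
# Added example: set and read back the Office macro policy for the current user.
function Set-OfficeMacroPolicy {
    param(
        # VBAWarnings: 2 = disable with notification (Office default; the "Enable macro"
        # lure relies on it), 3 = disable except digitally signed, 4 = disable all silently
        [ValidateSet(2, 3, 4)][int]$VbaWarnings = 3,
        [string[]]$Versions = @('15.0', '16.0'),            # Office 2013, Office 2016
        [string[]]$Apps     = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
            if ([version]$v -ge [version]'16.0') {
                # Office 2016 and later: also block macros in files marked as coming from the
                # Internet (downloads, e-mail attachments), regardless of the user's choice
                Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
            }
        }
    }
}

# Read the policy back so the result can be checked on any machine
function Get-OfficeMacroPolicy {
    param([string[]]$Versions = @('15.0', '16.0'), [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Version           = $v
                App               = $app
                VBAWarnings       = $p.VBAWarnings                        # $null = no policy set
                BlockFromInternet = $p.blockcontentexecutionfrominternet
            }
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 3
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

With VBAWarnings at 3 the “Enable macro if the data encoding is incorrect” lure has nothing to click: unsigned macros in the invoice document are silently refused.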