Locky

Locky targets the Windows operating system, and its attack vector mimics that of the notorious banking Trojan Dridex. It is distributed via phishing emails carrying Word documents with an embedded malicious macro. If the victim opens the attachment and enables macros, the macro downloads Locky to the system and the ransomware begins encrypting files, including pictures, videos, source code, and Microsoft Office documents, changing each file's extension to .locky, .zepto, or .odin as it finishes. Locky also encrypts files on mounted devices and on accessible network shares, so a single infected workstation can encrypt the contents of a file server. In a unique twist, Locky even encrypts Bitcoin wallet files (such as wallet.dat) if they are present on the infected system, giving victims who hold a large Bitcoin balance added incentive to pay the ransom. Lastly, it deletes the Volume Shadow Copies so that files cannot be recovered from local snapshots. The Locky campaign went dark between June 1 and June 21, 2016 but has since resurfaced; it now includes anti-analysis and sandbox-evasion features, and its lure emails reference unpaid debts.

UPDATE 7/20/2016: Locky now has the ability to encrypt files even if the infected system is offline and the ransomware cannot connect to its C2 server. This new feature allows Locky to be effective even when egress firewall rules or network isolation block its outbound connection attempts; blocking C2 traffic alone no longer stops encryption.

UPDATE 8/26/2016: Locky is now being delivered and executed as a DLL rather than an EXE in order to bypass controls that only block executable files. The DLL is loaded through the legitimate rundll32.exe, so policies that whitelist or monitor only .exe launches will not see it.

UPDATE 9/6/2016: Locky is now delivered with an embedded RSA key, eliminating the need to contact its C2 server to encrypt files.

UPDATE 10/24/2016: A new version of Locky has surfaced appending .sh*t (expletive removed) to the names of encrypted files. It is currently being distributed via phishing emails with the subject line Receipt ###-### that carry malicious HTML Application (HTA), JavaScript (JS), or Windows Script File (WSF) attachments. After encrypting files with AES, it displays ransom notes named _WHAT_is.html, _[2_digit_number]_WHAT_is.html, and _WHAT_is.bmp.

UPDATE 10/25/2016: Another new version of Locky has begun appending .thor to the names of encrypted files and renaming those files using the following naming convention: [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].thor. It is currently being distributed via phishing emails with the subject line Budget forecast that contain a ZIP attachment named budget_xls_[random_chars].zip. This ZIP file contains a malicious VBS file.
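The delivery chains described in the entry above and in the 8/26, 10/24 and 10/25 updates (an Office macro or script attachment launching a downloaded payload, a DLL loaded by rundll32.exe) and the shadow-copy deletion leave a recognizable process-creation pattern in endpoint telemetry. The following is an added example of hunting that pattern; it is not code from the advisory or from any vendor listed on it. It assumes Sysmon-style records with Image, ParentImage and CommandLine fields, the sample records are constructed, and the vssadmin/wmic command lines are assumed, since the advisory only states that shadow copies are deleted.

```python
"""Hunt the Locky execution chain in process-creation telemetry.

Added example, not code from the advisory. Records are assumed to be
Sysmon-style text with Image / ParentImage / CommandLine fields; the
sample records at the bottom are constructed, not captured.
"""
import re

# Office applications that open the phishing attachment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts for JS/WSF/VBS/HTA attachments, the loader used by the DLL
# variant, and the shells a macro typically uses to fetch the payload.
SUSPICIOUS_CHILDREN = {"wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "powershell.exe", "cmd.exe"}
# Shadow-copy deletion. The advisory only says the copies are deleted;
# these two command lines are the usual (assumed) way of doing it.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
# A DLL loaded out of a user's temp directory by rundll32.
TEMP_DLL = re.compile(r"\\temp\\[^\s,]+\.dll", re.IGNORECASE)


def parse_event(line):
    """Split 'Image: a | ParentImage: b | CommandLine: c' into a dict."""
    event = {}
    for field in line.split(" | "):
        key, _, value = field.partition(":")
        event[key.strip().lower()] = value.strip()
    return event


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules one process-creation event triggers."""
    alerts = []
    image_path = event.get("image", "")
    image = basename(image_path)
    parent = basename(event.get("parentimage", ""))
    cmd = event.get("commandline", "")
    if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
        alerts.append("office-spawned-script-host")
    if parent in OFFICE_PARENTS and "\\temp\\" in image_path.lower():
        alerts.append("office-spawned-temp-binary")
    if image == "rundll32.exe" and TEMP_DLL.search(cmd):
        alerts.append("rundll32-temp-dll")
    if SHADOW_DELETE.search(cmd):
        alerts.append("shadow-copy-deletion")
    return alerts


def scan(lines):
    """Map record index -> alerts for every record that triggers a rule."""
    hits = {}
    for i, line in enumerate(lines):
        alerts = classify(parse_event(line))
        if alerts:
            hits[i] = alerts
    return hits


def locky_chain_present(hits):
    """True when a suspicious launch from Office and a shadow-copy deletion
    were both seen on the host: together they form the ransomware pattern
    rather than two unrelated oddities."""
    seen = {a for alerts in hits.values() for a in alerts}
    launch = {"office-spawned-script-host", "office-spawned-temp-binary"}
    return bool(seen & launch) and "shadow-copy-deletion" in seen


OFFICE = "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
TEMP = "C:\\Users\\user\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    f"Image: C:\\Windows\\System32\\wscript.exe | ParentImage: {OFFICE} | CommandLine: wscript.exe {TEMP}\\Receipt.js",
    f"Image: {TEMP}\\sample.exe | ParentImage: {OFFICE} | CommandLine: {TEMP}\\sample.exe",
    f"Image: C:\\Windows\\System32\\rundll32.exe | ParentImage: C:\\Windows\\System32\\wscript.exe | CommandLine: rundll32.exe {TEMP}\\sample.dll,Run",
    f"Image: C:\\Windows\\System32\\vssadmin.exe | ParentImage: {TEMP}\\sample.exe | CommandLine: vssadmin.exe Delete Shadows /All /Quiet",
    "Image: C:\\Windows\\explorer.exe | ParentImage: C:\\Windows\\System32\\userinit.exe | CommandLine: explorer.exe",
    "Image: C:\\Windows\\System32\\rundll32.exe | ParentImage: C:\\Windows\\explorer.exe | CommandLine: rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for i, alerts in sorted(hits.items()):
        print(i, alerts)
    print("Locky chain present:", locky_chain_present(hits))
```

The last two sample records are benign (a normal logon and a Control Panel applet launched by rundll32) and trigger nothing; the rules key on the parent process and on a loader pulling a DLL from a temp directory, not on rundll32 or vssadmin by themselves, which keeps the false-positive rate manageable on real hosts.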

UPDATE 11/21/2016 Part 1: Locky was discovered being distributed via Facebook's instant messaging platform, Messenger, by way of the Nemucod Trojan downloader. It is delivered through an SVG image file which, at present, bypasses Facebook's file-type whitelisting. SVG images are XML-based and may contain dynamic content such as embedded JavaScript. Once the SVG image is clicked, the JavaScript inside it redirects the user to a spoofed YouTube website that prompts the victim to install a "codec", presented as a browser extension, in order to play the video. Installing that extension infects the device with Locky and allows the campaign to spread further.
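Because SVG is XML, the active content the Messenger campaign relied on (script elements, event-handler attributes, javascript: links) can be found with an ordinary XML parser before an upload is accepted. The following check is an added example, not code from the advisory or from Facebook; the two SVG documents are constructed, and element and attribute names beyond the obvious ones (foreignObject, on*, href) are the author's own choice of what to flag.

```python
"""Flag active content in an SVG file before accepting it as an image.

Added example, not from the advisory. The sample SVGs are constructed.
In production parse untrusted XML with defusedxml rather than the
stdlib parser, which does not protect against entity-expansion attacks.
"""
import xml.etree.ElementTree as ET

# Elements that carry or host script. foreignObject can embed HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes in href/xlink:href that execute or smuggle content.
ACTIVE_SCHEMES = ("javascript:", "data:", "vbscript:")


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable:{exc}"]
    findings = []
    if local(root.tag) != "svg":
        findings.append("root-not-svg")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = local(attr)
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"handler:{name}")
            elif name == "href" and v.startswith(ACTIVE_SCHEMES):
                findings.append(f"href:{v.split(':', 1)[0]}")
    return findings


def is_safe_svg(data):
    return svg_active_content(data) == []


# Constructed sample mimicking the lure: a click handler, a javascript:
# link and an inline script that redirects to a spoofed video page.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <rect width="100" height="100" fill="red" onclick="window.location='http://example.invalid/video'"/>
  <a xlink:href="javascript:alert(1)"><text y="50">play</text></a>
  <script type="text/javascript">window.top.location='http://example.invalid/video';</script>
</svg>"""

# Constructed benign sample: static shapes only.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    print("malicious:", svg_active_content(MALICIOUS_SVG))
    print("benign:", svg_active_content(BENIGN_SVG))
```

Serving uploaded SVGs with a restrictive Content-Security-Policy, or rasterizing them to PNG on upload, removes the problem entirely; the parser check above is the lighter-weight option for a pipeline that must keep vector images.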

UPDATE 11/21/2016 Part 2: A new Locky campaign is being distributed via emails masquerading as ISP complaint notices. These notices state that spam had been detected originating from the victim's system. This Locky version appends .aesir to encrypted file names and renames the files in the following format: [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].aesir.

UPDATE 11/24/2016: A new Locky campaign is being distributed via emails masquerading as order receipts. It scrambles the names of encrypted files and appends .zzzzz to the end of each.

UPDATE 11/25/2016: Locky is now spreading through LinkedIn by exploiting vulnerabilities in the platform, masquerading as image files that carry unusual extensions such as SVG, JS, and HTA. Researchers suggest it may be related to the campaign that began on 11/21/2016 via the Facebook Messenger platform.

UPDATE 12/6/2016: A new version appends .osiris to encrypted files.

UPDATE 4/21/2017: After a period of inactivity, Locky has been detected in a new spam campaign powered by the Necurs botnet. These spam emails contain malicious PDF and Word documents. It continues to append .osiris to encrypted files.
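The extensions and file-name layouts listed across the updates above (the original .locky/.zepto/.odin extensions, the [8]-[4]-[4]-[4]-[12] hex naming used by the .thor and .aesir variants, and the _WHAT_is ransom notes) are enough to triage a share or a backup set for Locky artifacts. The following scanner is an added example, not code from the advisory; the censored extension from the 10/24 update is left out, the older variants are matched by extension alone because the advisory does not describe their name format, and the file names it runs on are constructed.

```python
"""Triage file names for Locky encryption artifacts.

Added example, not part of the advisory. It encodes the extensions and
name patterns the advisory lists; SAMPLE_NAMES below are constructed.
"""
import os
import re
from collections import Counter

# Extensions named in the advisory (the censored one is omitted).
LOCKY_EXTS = {"locky", "zepto", "odin", "thor", "aesir", "zzzzz", "osiris"}
# Ransom notes from the 10/24/2016 update: _WHAT_is.html,
# _<two digits>_WHAT_is.html and _WHAT_is.bmp.
NOTE_RE = re.compile(r"^_(\d{2}_)?WHAT_is\.(html|bmp)$", re.IGNORECASE)
# Renamed-file layout from the 10/25 and 11/21 updates: the first
# 8-4-4 hex characters are the victim ID, followed by 4 and 12 hex chars.
RENAMED_RE = re.compile(
    r"^([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-[0-9A-F]{4}-[0-9A-F]{12}\.([a-z]{4,6})$",
    re.IGNORECASE)


def classify_name(name):
    """Return ('ransom_note', None), ('encrypted', ext) or (None, None)."""
    if NOTE_RE.match(name):
        return ("ransom_note", None)
    m = RENAMED_RE.match(name)
    if m and m.group(4).lower() in LOCKY_EXTS:
        return ("encrypted", m.group(4).lower())
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in LOCKY_EXTS:
        return ("encrypted", ext)
    return (None, None)


def victim_id(name):
    """The 16 hex chars of victim ID embedded in a .thor/.aesir-style
    name, or None. One share encrypted by one host yields one ID."""
    m = RENAMED_RE.match(name)
    if m and m.group(4).lower() in LOCKY_EXTS:
        return (m.group(1) + m.group(2) + m.group(3)).upper()
    return None


def summarize(names):
    """Count encrypted files per extension and ransom notes, and collect
    the distinct victim IDs seen in renamed files."""
    counts = Counter()
    ids = set()
    for name in names:
        kind, ext = classify_name(name)
        if kind == "encrypted":
            counts[ext] += 1
            vid = victim_id(name)
            if vid:
                ids.add(vid)
        elif kind == "ransom_note":
            counts["ransom_note"] += 1
    return counts, ids


def scan_tree(root):
    """Walk a directory (for example a mounted share) and summarize it."""
    names = []
    for _, _, files in os.walk(root):
        names.extend(files)
    return summarize(names)


SAMPLE_NAMES = [  # constructed file names
    "0123ABCD-4567-89EF-0A1B-2C3D4E5F6A7B.thor",
    "0123ABCD-4567-89EF-FFFF-000000000000.thor",
    "0123abcd-4567-89ef-1111-222222222222.aesir",
    "_WHAT_is.html", "_12_WHAT_is.html", "_WHAT_is.bmp",
    "report.locky", "photo.zepto", "budget.xlsx",
    "0123ABCD-4567-89EF-0A1B-2C3D4E5F6A7B.docx",  # right shape, wrong extension
]

if __name__ == "__main__":
    counts, ids = summarize(SAMPLE_NAMES)
    print(dict(counts), sorted(ids))
```

Pointing scan_tree at a share that the infected host could reach shows how far the encryption spread, and the victim-ID set tells you whether one or several infected machines wrote to it; a second ID means a second host needs to be isolated.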

  • Sophos Labs provides more information about Locky here.

  • FireEye provides more information about the most recent Locky campaign here.

  • Bitdefender Labs has created a free Locky infection prevention tool, or “vaccine,” available here.

  • A number of security researchers reported on the resurrection of the Necurs botnet and the resurgence of Locky. The number of domains and IP addresses used as either ransomware distribution platforms or C2 servers is reportedly growing daily. The rapid growth of the botnet, coupled with the malware's newly incorporated obfuscation techniques, sets the stage for a potentially large impact on the State of New Jersey and the US. (MalwareTechMalcat! Mew!)

  • Comprehensive IoC lists for the new Locky campaign can be found via AlienVault and ReaQta.

  • The NJCCIC is not aware of any decryption tools available for Locky.