Locky

Locky targets Windows OS and its attack vector mimics that of the notorious banking Trojan, Dridex. It is distributed via phishing emails containing Word documents embedded with a malicious macro. If the victim opens the attachment and enables the macros to run, Locky downloads to the victim’s system and begins encrypting various files including pictures, videos, source code, and Microsoft Office files, changing the extension to .locky, .zepto, or .odin when finished. Additionally, Locky encrypts files on mounted devices and accessible network shares. In a unique twist, Locky even encrypts Bitcoin wallet files, if present on the infected system, to give victims holding a large Bitcoin balance added incentive to pay the ransom. Lastly, it deletes Shadow Volume Copies to prevent file recovery. The Locky campaign went dark between June 1 and June 21, 2016 but has since resurfaced. It now includes anti-analysis and sandbox evasion features and tries to collect unpaid debts from victims.

UPDATE 7/20/2016: Locky now has the ability to encrypt files even if the infected system is offline and the ransomware cannot connect to its C2 server. This new feature allows Locky to be effective even if network firewalls prevent outbound connection attempts. 

UPDATE 8/26/2016: Locky is now being delivered and executed as a DLL file rather than an EXE file in order to bypass executable blockers.

UPDATE 9/6/2016: Locky is now delivered with an embedded RSA key, eliminating the need to contact its C2 server to encrypt files.

UPDATE 10/24/2016: A new version of Locky has surfaced appending .sh*t (expletive removed) to the names of encrypted files. It is currently being distributed via phishing emails with the subject line of Receipt ###-### containing malicious hypertext application (HTA), JavaScript (JS), or Windows Script File (WSF) attachments. After encrypting files using AES encryption, it displays ransom notes named _WHAT_is.html, _[2_digit_number]_WHAT_is.html, and _WHAT_is.bmp.

UPDATE 10/25/2016: Another new version of Locky has begun appending .thor to the names of encrypted files and renaming those files using the following naming convention: [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].thor. It is currently being distributed via phishing emails with the subject line of Budget forecast that contain a ZIP attachment named budget_xls_[random_chars].zip. This ZIP file contains a malicious VBS file.

UPDATE 11/21/2016 Part 1: Locky was discovered being distributed via Facebook’s instant messaging platform, Messenger, by way of the Nemucod Trojan. It is delivered through an SVG image file which, currently, bypasses Facebook whitelisting. These SVG images are XML-based and allow dynamic content. Once the SVG image is clicked, the JavaScript code contained within it redirects the user to a spoofed YouTube website which prompts the victim to install a codec presented as a browser extension in order to play the video. This installation allows for Locky to further spread and install on the device.

UPDATE 11/21/2016 Part 2: A new Locky campaign is being distributed via emails masquerading as ISP complaint notices. These notices state that spam had been detected originating from the victim’s system. This Locky version appends .aesir to encrypted file names and renames the files in the following format: [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].aesir.

UPDATE 11/24/2016: A new Locky campaign is being distributed via emails masquerading as order receipts. It scrambles the names of encrypted files and appends .zzzzz to the end of each.

UPDATE 11/25/2016: Locky is now exploiting LinkedIn vulnerabilities to spread and is masquerading as image files with unusual extensions such as SVG, JS, and HTA. Researchers suggest it may be related to the campaign that began on 11/21/2016 via the Facebook Messenger platform.

UPDATE 12/6/2016: A new version appends .osiris to encrypted files.

UPDATE 4/21/2017: After a period of inactivity, Locky has been detected in a new spam campaign powered by the Necurs botnet. These spam emails contain malicious PDF and Word documents. It continues to append .osiris to encrypted files.

UPDATE 8/9/2017: A new spam campaign has been detected delivering a new version of Locky, dubbed Diablo6, as it appends .diablo6 to the names of encrypted files and drops a ransom note named diablo6-[4 random characters].htm. These spam emails are delivered with a ZIP file attached that contains a VBS downloader script. This script is designed to download the ransomware executable to the %Temp% folder and launch it from there. It demands a ransom payment of .49 Bitcoin. This version cannot be decrypted for free. IoCs associated with this campaign can be found on Ghostbin here.

UPDATE 8/16/2017: Another new version, dubbed Lukitus, is being distributed via malicious spam with subject lines containing No Subject or Emailing-CSI-034183_MB_S_7727518b6bab2. These emails deliver either ZIP or RAR file attachments that contain malicious JavaScript files designed to download the ransomware from a remote server if opened. During the encryption process, it changes the names of the targeted files to hexadecimal characters and appends the extension .lukitus. This version of Locky then deletes its own executable along with Shadow Volume Copies and drops ransom notes named lukitus.htm and lukitus.bmp. The ransom payment demand is .49 Bitcoin. This version cannot be decrypted for free at this time.

UPDATE 8/31/2017: One Locky campaign, known as Locky affiliate 5, employs an anti-sandbox feature. Instead of launching when the victim enables macros on a malicious document, this version of Locky waits until the victim closes the document before it starts PowerShell and begins its encryption routine. In addition, two more campaigns associated with Locky affiliate 3 were discovered sending emails masquerading as Dropbox account verification requests and infecting victims using HoeflerText popups in Chrome and Firefox browsers.
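The affiliate 5 behaviour described above (a document that launches PowerShell once the victim closes it) is one instance of a pattern defenders can watch for in process-creation telemetry: an Office application spawning a script host. The following is an added detection example, not NJCCIC's tooling or anything from the Locky samples themselves. It assumes Sysmon-style process-creation events serialised as one JSON object per line with `Image`, `ParentImage`, `CommandLine` and `UtcTime` fields; the event lines are constructed for illustration, and the parent/child lists are this example's own choice, extended slightly beyond PowerShell to the script hosts (WSF, JS, HTA, VBS) the profile mentions as delivery vehicles.

```python
import json
from typing import Dict, Iterable, List

# Office applications whose child processes are worth scrutinising (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Script hosts a macro or dropper typically hands off to (assumed list;
# the profile names PowerShell, VBS, JS, WSF and HTA).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"UtcTime": "2017-08-31 14:02:11", "User": "CORP\\alice",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -w hidden -nop -c <redacted-by-example>"}),
    json.dumps({"UtcTime": "2017-08-31 14:01:58", "User": "CORP\\alice",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
                "CommandLine": "\"WINWORD.EXE\" /n invoice.docm"}),
    json.dumps({"UtcTime": "2017-08-31 14:02:03", "User": "CORP\\alice",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
                "Image": "C:\\Windows\\splwow64.exe",
                "CommandLine": "C:\\Windows\\splwow64.exe 12288"}),
    json.dumps({"UtcTime": "2017-08-31 14:05:40", "User": "CORP\\bob",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe"}),
    json.dumps({"UtcTime": "2017-08-31 14:09:12", "User": "CORP\\carol",
                "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE",
                "Image": "C:\\Windows\\System32\\wscript.exe",
                "CommandLine": "wscript.exe C:\\Users\\carol\\AppData\\Local\\Temp\\budget_xls.vbs"}),
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_office_children(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag process-creation events where an Office app spawns a script host.

    Lines that are not valid JSON are skipped so one bad record does not
    abort the scan. Returns a list of compact findings in input order.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append({
                "time": ev.get("UtcTime", ""),
                "user": ev.get("User", ""),
                "parent": parent,
                "child": child,
                "command_line": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_office_children(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']}: {hit['parent']} -> {hit['child']} "
              f"[{hit['command_line']}]")
```

The rule deliberately ignores the command line and keys only on parent/child lineage, because the affiliate 5 trick of deferring execution until the document is closed changes *when* PowerShell starts, not *who* starts it. Expect a small number of benign hits (add-ins and deployment scripts) that are best handled by an allow-list of known command lines rather than by widening the match.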

UPDATE 9/1/2017: AppRiver, an email security firm, detected a massive Locky malspam campaign that distributed 23 million malicious emails within a 24-hour period. The attack was detected on August 28. The emails included subject lines such as: please print, documents, photo, images, scans, and pictures.

UPDATE 9/18/2017: A new version appends .ykcol to the names of encrypted files.

UPDATE 9/19/2017: A global spam campaign is distributing both Locky and GlobeImposter (also known as FakeGlobe) and rotates the variants hosted on the malicious URL so that, potentially, a victim could be infected twice.

UPDATE 10/10/2017: A new version of Locky appends .asasin to the names of encrypted files. This version is distributed via an aggressive email campaign and demands a ransom payment of .25 Bitcoin. It is not possible to decrypt this version for free.
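The updates above record, across variants, the extensions Locky appends, the GUID-style rename scheme used by the .thor and .aesir versions, and the ransom-note file names it drops. Those artifacts are what an incident responder first looks for when triaging a file listing from a suspect host or share. The following is an added example that is not part of the NJCCIC profile: a small Python triage script that classifies file paths against exactly the indicators listed above. The expletive extension from the 10/24/2016 variant is omitted because the profile itself redacts it, and the sample file listing is constructed for illustration rather than taken from a real incident.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Extensions the profile reports Locky appending to encrypted files.
LOCKY_EXTENSIONS = {
    "locky", "zepto", "odin", "thor", "aesir", "zzzzz",
    "osiris", "diablo6", "lukitus", "ykcol", "asasin",
}

# Rename scheme for the .thor / .aesir variants:
# [8 hex]-[4 hex]-[4 hex]-[4 hex]-[12 hex].<ext>
GUID_STYLE_NAME = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
    r"\.(?P<ext>[a-z0-9]+)$"
)

# Ransom-note file names listed in the profile.
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^_WHAT_is\.(html|bmp)$", re.IGNORECASE),
    re.compile(r"^_\d{2}_WHAT_is\.html$", re.IGNORECASE),
    re.compile(r"^diablo6-[A-Za-z0-9]{4}\.htm$", re.IGNORECASE),
    re.compile(r"^lukitus\.(htm|bmp)$", re.IGNORECASE),
]

# Constructed listing for demonstration (paths and names are not from a real case).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.locky",
    r"C:\Users\alice\Pictures\holiday.jpg.zepto",
    r"\\fileserver\share\1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D.thor",
    r"\\fileserver\share\F0E1D2C3-B4A5-9687-7869-5A4B3C2D1E0F.aesir",
    r"C:\Users\alice\Desktop\_WHAT_is.html",
    r"C:\Users\alice\Desktop\_07_WHAT_is.html",
    r"C:\Users\alice\Desktop\_WHAT_is.bmp",
    r"C:\Users\alice\Desktop\lukitus.htm",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\wallet.dat.osiris",
]


@dataclass
class Finding:
    path: str
    kind: str      # "encrypted_file" or "ransom_note"
    detail: str    # which indicator matched


def classify_path(path: str) -> Optional[Finding]:
    """Match one path against the Locky file-name indicators, or return None."""
    name = PureWindowsPath(path).name  # handles both '\\' and '/' separators
    for pattern in RANSOM_NOTE_PATTERNS:
        if pattern.match(name):
            return Finding(path, "ransom_note", f"ransom note name matches {pattern.pattern}")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in LOCKY_EXTENSIONS:
        if GUID_STYLE_NAME.match(name):
            return Finding(path, "encrypted_file", f"renamed (GUID-style) with .{ext}")
        return Finding(path, "encrypted_file", f".{ext} appended to original name")
    return None


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise a file listing: counts, per-extension tally and raw findings."""
    findings: List[Finding] = [f for f in map(classify_path, paths) if f is not None]
    ext_counts: Counter = Counter(
        PureWindowsPath(f.path).name.rsplit(".", 1)[-1].lower()
        for f in findings if f.kind == "encrypted_file"
    )
    return {
        "encrypted_files": sum(1 for f in findings if f.kind == "encrypted_file"),
        "ransom_notes": sum(1 for f in findings if f.kind == "ransom_note"),
        "extensions": dict(ext_counts),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"encrypted files: {result['encrypted_files']}, "
          f"ransom notes: {result['ransom_notes']}, by extension: {result['extensions']}")
    for f in result["findings"]:
        print(f"  [{f.kind}] {f.path}: {f.detail}")
```

Feed it the output of a directory walk or a file-server audit export one path per line. A single extension hit is weak evidence on its own (any file can carry an odd extension), so weight the result by the presence of ransom notes in the same directories and by the per-extension tally, which also tells you which variant you are dealing with and therefore which update above applies.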

  • Sophos Labs provides more information about Locky here.

  • FireEye provides more information about the most recent Locky campaign here.

  • Bitdefender Labs has created a free Locky infection prevention tool, or “vaccine,” available here.

  • A number of security researchers reported on the resurrection of the Necurs botnet and the resurgence of Locky. The number of domains and IP addresses used as either ransomware distribution platforms or C2 servers is reportedly growing daily. The rapid growth of the botnet coupled with the malware’s newly incorporated obfuscation techniques sets the stage for a potentially large impact to the state of New Jersey and the US. (MalwareTechMalcat! Mew!)

  • Comprehensive IoC lists for the new Locky campaign can be found via AlienVault and ReaQta.

  • The NJCCIC is not aware of any decryption tools available for Locky.