In February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the present day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries around the world.

Analysis of the samples has shown that this Trojan is a brand new ransomware threat, written from scratch. So, what is Locky, and how can we protect against it?

Propagation

In order to spread the Trojan, cybercriminals sent out mass mailings with malicious loaders attached to spam messages.

Initially, the malicious spam messages contained an attached DOC file with a macro that downloaded the Locky Trojan from a remote server and executed it.

An early-stage spam message with a malicious document attached

A fragment of the malicious macro

Kaspersky Lab products detect files with malicious macros as Trojan-Downloader.MSWord.Agent and HEUR:Trojan-Downloader.Script.Generic.

We should note that in modern versions of Microsoft Office, automatic execution of macros is disabled for security reasons. However, practice shows that users often enable macros manually, even in documents from unknown sources, which may lead to some damaging consequences.

At the time of writing, the malicious spam is still being sent, but instead of the DOC files being attached there are now ZIP archives containing one or more obfuscated scripts in JavaScript. The messages are mostly in English, though some bilingual variants have appeared.

Spam message in English with the archive attached

Message in German and English with the archive attached

The user is prompted to manually launch the scripts.

Contents of the archive attached to the message

Fragment of the archived script

When launched, the script downloads the Locky Trojan from a remote server and launches it.

Kaspersky Lab products detect these script loaders as Trojan-Downloader.JS.Agent and HEUR:Trojan-Downloader.Script.Generic.

Geography of attacks

Kaspersky Security Network has reported Locky attacks in 114 countries.

TOP 10 countries

Country Number of users attacked France 469 Germany 340 India 267 USA 224 Republic of South Africa 182 Italy 171 Mexico 159 Brazil 156 China 126 Vietnam 107

We should note that these statistics only include cases where the actual Trojan was detected, and does not include early-stage detections reported as malicious spam or malicious downloaders.

The geography of Trojan-Ransom.Win32.Locky attacks (number of attacked users)

As we can see, the Trojan carries out attacks in practically all regions of the world. We can assume which countries the cybercriminals see as their main targets based on the list of languages used on the ransom payment webpage (see details below).

How it works

The Locky Trojan is an executable file, about 100 kb in size. It is written in C++ using STL, and is compiled in Microsoft Visual Studio. When launching, it copies itself to %TEMP%\svchost.exe and deletes the NTFS data stream Zone.Identifier from its copy – this is done to ensure that when the file is launched, Windows does not display a notification saying that the file has been downloaded from the Internet and may be potentially dangerous. The Trojan then launches from %TEMP%.

Once launched, the Trojan checks for the presence and the contents of the below registry keys.

Path Type Value HKEY_CURRENT_USER\Software\Locky\id REG_SZ Infection ID HKEY_CURRENT_USER\Software\Locky\pubkey REG_BINARY Public RSA key in MSBLOB format HKEY_CURRENT_USER\Software\Locky\paytext REG_BINARY Text shown to the victim HKEY_CURRENT_USER\Software\Locky\completed REG_DWORD Status (whether encryption is completed)

If data already exists in the registry keys (this is the case if the Trojan has launched before, but its previous session aborted for some reason), Locky reads that data and continues with the infection process.

If launched for the first time, the Trojan performs the following actions:

Contacts C&C and reports infection; Receives a public RSA-2048 key and infection ID from C&C, saves them in the registry; Sends information about the language of the infected operating system, receives the cybercriminals’ ransom demand text that will be shown to the victim, saves the text in the registry; Searches for files with specific extensions on local disk drives, encrypts them; Deletes shadow copies of files; Registers itself for autostart (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run); Searches for and encrypts files with specific extensions on network drives and on network file resources with no assigned drive letter; Displays the cybercriminals’ ransom demands to the victim; Terminates its process and removes itself.

Fragment of code that determines the language of the operating system

File encryption

The Trojan searches for files matching a given list of extensions. Then, these files are encrypted as described below.

List of file extensions that are subject to encryption

For each file that matches an extension on the list, the Trojan generates a new 128-bit key and encrypts the file’s contents with the algorithm AES-128 in CTR mode. The encrypted file is given the name <16 HEX characters as ID><16 random HEX characters>.locky. Then the following structure is added to the end of the file:

Structure appended by the Trojan to the end of an encrypted file

In C language syntax, this structure may be described as follows:

struct file_data { uint32_t start_marker; //Structure start marker = 0x8956FE93 char id[16]; //Infection ID uint8_t aes_key[256]; //AES key encrypted with RSA-2048 uint32_t name_marker; //Name start marker encrypted with AES (= 0xD41BA12A after decryption) uint8_t orig_name[520]; //Original file name encrypted with AES WIN32_FILE_ATTRIBUTE_DATA attr; //Original file attributes encrypted with AES }; 1 2 3 4 5 6 7 8 9 struct file_data { uint32_t start_marker ; //Structure start marker = 0x8956FE93 char id [ 16 ] ; //Infection ID uint8_t aes_key [ 256 ] ; //AES key encrypted with RSA-2048 uint32_t name_marker ; //Name start marker encrypted with AES (= 0xD41BA12A after decryption) uint8_t orig_name [ 520 ] ; //Original file name encrypted with AES WIN32_FILE_ATTRIBUTE_DATA attr ; //Original file attributes encrypted with AES } ;

Appended structure described in C language syntax

Ransom demands

After encrypting the user’s files, the Trojan displays the following message with the cybercriminals’ ransom demands.

Ransom demand in English

Ransom demand in German

The ransom message contains the address of the cybercriminals’ ‘secret server’ where they placed information about the ransom they demand for the decryption program. All four links in the message lead to the same website in the Tor network.

During the early spamming campaigns, the ransom payment page looked like this:

Early version of Locky’s ransom demand page

On this page, the cybercriminals suggested that the victims pay in bitcoins to decrypt the affected files on their computer. They also gave recommendations about where and how to get the cryptocurrency.

The contents and the design of the page changed with time. Today, the page is available in more than 20 languages (that can be selected from a dropdown list), and looks like this:

Latest version of Locky’s ransom payment page

If we look at the page’s source code, we will see a complete list of supported languages. The cybercriminals obviously see the corresponding countries as the main targets for this ransomware Trojan. Interestingly, Russian and other CIS languages are not on the list. For some reason the cybercriminals are not that keen on targeting users in countries where those languages are spoken – something that KSN statistics confirm.

List of languages supported on Locky ransom payment page

Communication with C&C

The Trojan’s code contains between one and three C&C IP addresses. On top of that, the code contains an algorithm generating new C&C addresses (DGA, domain generation algorithm) depending on the current day, month and year. With this algorithm, six C&C addresses are generated each day. The pseudo-code to illustrate the DGA Locky algorithm is highlighted in the screenshot below.

Pseudo-code of Locky C&C domain generation algorithm

Communication with a C&C is performed using the HTTP protocol. The Trojan sends a POST request to an address with the format http://<cnc_url>/main.php; the transmitted data is encrypted with a simple symmetric algorithm.

Let’s have a look at the possible types of transmitted parameters.

Notification about infection and request for key.

id=<infection id>

&act=getkey&affid=<partner id contained in the Trojan’s body>

&lang=<language of the operating system>

&corp=<whether the OS is a corporate OS>

&serv=<whether the OS is a server OS>

&os=<OS version>

&sp=<version of OS service pack>

&x64=<whether the OS is 32- or 64-bit> Judging by the affid parameter, Locky is distributed via an affiliate, or partnership, program. Sending list of encrypted paths.

id=<infection id>

&act=report&data=<list of paths> For each disk drive it has handled, the Trojan sends the C&C a list of all paths to all encrypted files. Sending statistics for each handled disk drive.

id=<infection id>

&act=stats&path=<path>

&encrypted=<number of files encrypted>

&failed=<number of errors>

&length=<total size of encrypted files>

It should be noted that the cybercriminal collects very detailed statistics for each infection. Other ransomware families that we analyzed earlier were not this thorough at collecting statistics.

Countermeasures

Kaspersky Lab products protect against the Locky ransomware Trojan at all stages of the attack:

The anti-spam module detects emails sent by the Trojan’s distributors;

Script loaders are detected by static and heuristic signatures of email and file antivirus with the verdicts Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic;

The Trojan’s executable file is detected by file antivirus signatures as Trojan-Ransom.Win32.Locky;

Unknown samples of Locky are proactively detected by the System Watcher module with the verdict PDM:Trojan.Win32.Generic.

Preventing infections

Locky is a typical ransomware Trojan, and it exhibits no major differences from other ransomware families in its internal arrangement or its principles of operation. However, it caught the attention of researchers because it was so active and so widespread. According to KSN data, Kaspersky Lab products have blocked Locky attacks in over 100 countries around the world – no other ransomware Trojan to date has attacked so many countries at once.

To protect yourself from this ransomware Trojan, follow these preventive measures:

Do not open attachments in emails from senders you don’t know;

Back up your files on a regular basis and store the backup copies on removable storage media or in cloud storages – not on your computer;

Regularly run updates for your antivirus databases, operating system and other software installed on your computer;

Create a separate network folder for each user when managing access to shared network folders.

For more detailed information about protection from ransomware Trojans, please follow this link.