Locky ransomware still racks up victims, but not on endpoints running CylancePROTECT®

The latest headlines read like it is the early 2000s again: users around the globe are being financially extorted and having their files held hostage by ransomware. The only way to regain access to your data, which may include irreplaceable photos, videos, documents and personal files, is to buy the decryption key from the crooks through one of a variety of shady payment methods on the Dark Web. But the stories surrounding the Locky ransomware family are concerning for reasons that go deeper than the flashy news headlines.

We have observed several long, sustained Locky campaigns from early February 2016 onward. Early estimates put Locky at over 90,000 new infections a day, with the attackers demanding between 0.5 and 1 Bitcoin (around $450) to unlock each machine. There is no fix or patch for a machine once ransomware has run: the files are encrypted under keys the victim never holds, and even the FBI has conceded it cannot break the cryptography, so for a victim without clean backups the problem currently has no solution.

Ransomware attacks have proliferated in recent years. CryptoLocker alone extorted an estimated $3 million before authorities acted to take it down. CryptoWall was estimated to have raked in over $18 million by June 2015, with over 1,000 victims contacting the FBI's Internet Crime Complaint Center (IC3) to report infections.

For the victim, paying the ransom may seem the best of a bad set of options. However, even if the ransom is paid, there is no guarantee that the attackers won't simply take the money and demand more, or refuse to decrypt your files at all. The FBI has previously warned about ransomware; its top takeaways were not to pay any money or supply any personal information to the criminals, and to report the incident to the Internet Crime Complaint Center. The same advisory cautions that ransomware can continue to operate in the background, logging keystrokes and capturing other personal information, even after professional services have cleaned and attempted to restore the machine.

Locky – the Latest in a Long Line of Ransomware

In the early days, the biggest problem with ransomware for attackers and victims alike was shoddy, unpredictable code. Many in-the-wild variants were so poorly written that affected files were either irreversibly damaged by the encryption or left unrecoverable by a botched implementation of the encryption scheme; at the other extreme, some were recoverable without paying because the key was hard-coded or reused.

Since the first identified piece of ransomware in 1989, the 'AIDS' Trojan, which scrambled the file names on the victim's hard drive and demanded $189 to undo it, ransomware has grown both in sophistication and in its potential for widespread damage. Fast forward to today and we see attacks like the one on Hollywood Presbyterian Medical Center, caused by an as-yet undisclosed piece of ransomware, which left the hospital's systems crippled for more than a week while the attackers demanded millions of dollars in Bitcoin to unlock medical systems holding confidential patient records and time-sensitive test results.

While Locky is the newest strain of ransomware to emerge, the basics of a ransomware attack have not changed since the early days. What has changed is the quality of the encryption implementations and the arrival of crypto-currencies such as Bitcoin: a secure, hard-to-trace payment channel is the one thing an extortion scheme cannot do without, and together these have ushered in a new wave of highly successful ransomware and associated criminal activity. The current breed is far more prolific, predictable, stable and successful. The adversary now tightly controls the post-detonation time limits, the payment methodology and the spreading/infection methods. On top of that, turn-key ransomware-as-a-service offerings such as Ransom32 and the now-defunct Tox let non-technical criminals in on the money-grab.

The Locky family has a few other tricks up its sleeve. For example, it deliberately destroys the local shadow copies kept by the Volume Shadow Copy Service (VSS). Shadow copies are point-in-time snapshots of a volume that Windows keeps to protect the system, and they are what System Restore and 'Previous Versions' recover from. By deleting them, Locky closes off the recovery route that works against less sophisticated ransomware families. Locky is also highly aggressive toward files on mapped and connected network resources: any file on a mapped or mounted drive, including internal or external backup drives, is encrypted as well. The platform of the remote host does not matter; if the infected Windows host has mapped or mounted shares served by *NIX or Mac OS systems, the files on those shares are encrypted too. The practical consequence is that any backup the infected host can write to is no backup at all against Locky; only offline or versioned copies the endpoint cannot modify survive.

This makes recovery even more confusing and troublesome. Even if you pay up, you still need to make sure you decrypt everything that was affected. If a temporarily mapped share was encrypted and you miss it on the initial decryption pass, you may have no way to decrypt it later. Worse still, if you miss the posted payment deadline, for instance because you were on vacation when the infection hit, you may find yourself with no options for recovery at all.

Technical Details of Locky

Other technical details on Locky have been well covered in multiple write-ups. Encryption is handled via the Windows CryptoAPI. First, a 2048-bit RSA public key is fetched from the remote C2 server and imported on the victim host. That public key is then used to encrypt (wrap) the AES-128 keys that in turn encrypt the files on the host; a fresh, randomly generated AES key is used for each file. Because the matching RSA private key never leaves the attacker, none of the wrapped keys can be recovered on the victim's machine. Files are selected for encryption by extension, and when all is said and done the victim is left with a host full of encrypted files and a changed desktop wallpaper carrying instructions on how to pay (BTC via a victim-specific .onion URL).

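The key hierarchy described above, as an added example written for this page in Go's standard library (it is not Locky's code and not part of the original post). The attacker holds the RSA key pair and only the public half is fetched by the victim; each file gets its own random AES-128 key, which is wrapped under that public key, so nothing on the victim can unwrap it. Assumptions not stated on the page: AES-128 in CTR mode with a random IV and PKCS#1 v1.5 RSA wrapping, and the function names (attackerKeyPair, encryptFile, decryptFile) are the editor's. The sample document is constructed.

```go
// Added example, not Locky's code and not from the original post: the hybrid
// key hierarchy the article describes, built on Go's standard library. The
// attacker holds the RSA key pair; only the public half is "fetched" by the
// victim. Each file gets a fresh AES-128 key, the file is encrypted under it,
// and the key is wrapped with the RSA public key. Without the private key
// nothing on the victim can unwrap those keys.
// Assumptions (the page does not state them): AES-128 in CTR mode with a
// random IV, and PKCS#1 v1.5 RSA wrapping; function names are the editor's.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// EncryptedFile is what remains after encryption: ciphertext, the IV, and the
// per-file AES key wrapped under the attacker's public key.
type EncryptedFile struct {
	IV         []byte
	Ciphertext []byte
	WrappedKey []byte
}

// attackerKeyPair models the C2 side. The private key never leaves here.
func attackerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptFile is the victim-side step for one file: random AES-128 key,
// encrypt, wrap the key with the imported public key, discard the plain key.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 16) // 16 bytes = AES-128
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return nil, err
	}
	// Only the wrapped copy of the key survives; the plain key goes out of scope.
	return &EncryptedFile{IV: iv, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// decryptFile is the "decryptor" the victim is asked to pay for. It needs the
// RSA private key to unwrap the per-file AES key; any other key fails.
func decryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ef.WrappedKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ef.Ciphertext))
	cipher.NewCTR(block, ef.IV).XORKeyStream(pt, ef.Ciphertext)
	return pt, nil
}

func main() {
	attacker, err := attackerKeyPair()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample document: quarterly report, do not lose")
	a, _ := encryptFile(&attacker.PublicKey, doc)
	b, _ := encryptFile(&attacker.PublicKey, doc)
	fmt.Println("same file twice, same wrapped key?", bytes.Equal(a.WrappedKey, b.WrappedKey))
	pt, err := decryptFile(attacker, a)
	fmt.Println("attacker's private key recovers the file:", err == nil && bytes.Equal(pt, doc))
	victimKey, _ := attackerKeyPair() // a key pair generated on the victim is useless
	_, err = decryptFile(victimKey, a)
	fmt.Println("any other private key fails to unwrap:", err != nil)
}
```

The point of the last two lines of main is the one the article makes: a key pair the victim (or an incident responder) generates locally cannot unwrap the per-file keys, and the AES keys themselves are never stored in plain form, so recovery without the attacker's private key comes down to backups that the infected host could not reach.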
Delivery is email-based, using weaponized Microsoft Office documents and, more recently, malicious JavaScript attachments. Once the targeted user opens the email and launches the attachment, the infection begins: successful execution of the attachment initiates C2 communication, which delivers the payload, and encryption of the host's files follows.

Regardless of any secondary feature that may be present (network drive encryption, VSS destruction, etc.), we must not kid ourselves that this is something new. This is the same attack scenario, with the same result, that worked for ransomware authors in the early 2000s (GPCode and its kin). The attack has been occurring for well over ten years. The behavioral patterns are the same; the programmatic results are the same. It should be a wake-up call for an industry in which the 'old guard' of traditional AV countermeasures cannot seem to keep up with, catch up to, or fully grasp a regimented and well-documented chain of events that leads to the exact same result every time: well-meaning user clicks bad stuff -> bad stuff runs -> bad stuff encrypts or destroys data.

Given some of its victims, Locky is certainly newsworthy. It is not, however, a novel or advanced attack technique. After watching this pattern repeat itself time and again, Locky should be low-hanging fruit for AV software, and it should certainly not still be making headlines and wreaking havoc on our healthcare and financial infrastructure.

CylancePROTECT vs. Locky

Whenever Cylance runs across a malware family like Locky, we take it as the perfect opportunity to test the efficacy of our machine learning and artificial intelligence based endpoint protection product.

Here are the details of our latest tests:

Current Delivery Method(s):

Most recently, we have observed Locky delivered via a phishing email with a ZIP attachment named "Message_from_############.wav.zip", where each # is an arbitrary digit from 0 to 9. Inside the ZIP is a small JavaScript file, which the victim has to double-click to run. If the victim does, Windows Script Host (wscript.exe) connects to a website on the Internet, then downloads and executes the Locky payload.
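
As an added example (not Cylance's product logic and not from the original post), here is a small hunting pass in Go over process-creation events for two behaviours described on this page: the script-from-ZIP delivery chain described just above, and the shadow-copy destruction described earlier under Locky's extra tricks. The event lines, the user name, the dropped executable's name and the pipe-delimited key=value format are constructed for the example; real Sysmon Event ID 1 or Security 4688 records carry the same fields under their own names. Two assumptions not stated on the page: Explorer extracts a file double-clicked inside a ZIP to a folder under the user's %TEMP% before running it, and shadow copies are removed with a "vssadmin Delete Shadows" command line, which is the usual way ransomware does it. Rule and function names are the editor's.

```go
// Added example, not from the original post: three process-creation hunting
// rules for the Locky behaviours described on this page, run over constructed
// events. Assumptions: a double-clicked script inside a ZIP runs from under
// %TEMP%, and shadow copies are deleted via "vssadmin Delete Shadows".
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ProcEvent is the subset of a process-creation record the rules need.
type ProcEvent struct {
	Image       string
	CommandLine string
	ParentImage string
}

// parseEvent reads one flattened "Key=Value|Key=Value" line (constructed format;
// a real pipeline would take the fields from the Sysmon or 4688 record directly).
func parseEvent(line string) ProcEvent {
	var ev ProcEvent
	for _, field := range strings.Split(line, "|") {
		kv := strings.SplitN(field, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch strings.TrimSpace(kv[0]) {
		case "Image":
			ev.Image = kv[1]
		case "CommandLine":
			ev.CommandLine = kv[1]
		case "ParentImage":
			ev.ParentImage = kv[1]
		}
	}
	return ev
}

var (
	scriptHosts = map[string]bool{"wscript.exe": true, "cscript.exe": true}
	scriptExt   = regexp.MustCompile(`(?i)\.(js|jse|wsf|vbs|vbe)("|\s|$)`)
	userTemp    = regexp.MustCompile(`(?i)\\AppData\\Local\\Temp\\`)
	shadowDel   = regexp.MustCompile(`(?i)\bdelete\s+shadows\b`)
)

// baseName lowercases the file name of a Windows path regardless of host OS.
func baseName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, `/`)))
}

// classify returns the names of the rules an event trips.
func classify(ev ProcEvent) []string {
	var hits []string
	img, parent := baseName(ev.Image), baseName(ev.ParentImage)
	// Rule 1: a script host started by Explorer, running a script out of %TEMP%,
	// which is where a file double-clicked inside a ZIP ends up.
	if scriptHosts[img] && parent == "explorer.exe" &&
		scriptExt.MatchString(ev.CommandLine) && userTemp.MatchString(ev.CommandLine) {
		hits = append(hits, "script_from_zip")
	}
	// Rule 2: the script host spawning an executable from %TEMP%: the downloaded payload.
	if scriptHosts[parent] && strings.HasSuffix(img, ".exe") && userTemp.MatchString(ev.Image) {
		hits = append(hits, "script_host_dropped_exe")
	}
	// Rule 3: shadow copies being deleted, the recovery route Locky closes off.
	if img == "vssadmin.exe" && shadowDel.MatchString(ev.CommandLine) {
		hits = append(hits, "shadow_copy_deletion")
	}
	return hits
}

// hunt runs every rule over every line and groups the matching lines by rule.
func hunt(lines []string) map[string][]string {
	findings := map[string][]string{}
	for _, line := range lines {
		for _, rule := range classify(parseEvent(line)) {
			findings[rule] = append(findings[rule], line)
		}
	}
	return findings
}

// sampleEvents are constructed for this example; user, paths and file names are invented.
// The first three are the chain described on the page; the last two are benign look-alikes.
var sampleEvents = []string{
	`Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_Message_from_4819273645.wav.zip\Message_from_4819273645.wav.js"|ParentImage=C:\Windows\explorer.exe`,
	`Image=C:\Users\jdoe\AppData\Local\Temp\payload.exe|CommandLine="C:\Users\jdoe\AppData\Local\Temp\payload.exe"|ParentImage=C:\Windows\System32\wscript.exe`,
	`Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet|ParentImage=C:\Users\jdoe\AppData\Local\Temp\payload.exe`,
	`Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\wscript.exe" \\fileserver\netlogon\logon.vbs|ParentImage=C:\Windows\System32\userinit.exe`,
	`Image=C:\Windows\System32\vssadmin.exe|CommandLine=vssadmin.exe List Shadows|ParentImage=C:\Windows\System32\cmd.exe`,
}

func main() {
	for rule, lines := range hunt(sampleEvents) {
		fmt.Printf("%s: %d event(s)\n", rule, len(lines))
		for _, l := range lines {
			fmt.Println("   ", l)
		}
	}
}
```

Each of the three malicious events trips exactly one rule and the two benign ones (a logon script run by userinit.exe, an administrator listing shadow copies) trip none. Rule 1 and Rule 2 fire before any file is encrypted, which is the window the page's own argument is about; Rule 3 fires late but is cheap and rarely legitimate on a workstation.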

The Test:

Locky's operators have been rapidly adapting their malware and tactics to keep delivering fresh payloads to unsuspecting victims. The ZIP file names change constantly, and both Microsoft Word documents and ActiveMime documents have previously been observed carrying the payload. CylancePROTECT blocks both unwanted scripts and malicious macros, so the Locky infection chain is terminated before an executable is ever delivered to the system.

We took a handful of final Locky payloads deployed during the week of March 1-8, 2016, and tested each one against CylancePROTECT:

The Results:

CylancePROTECT detected 100% of the variants using a mathematical model originally generated in August 2015. In other words, the CylancePROTECT agent has gone essentially untouched for close to seven months; it received no updates to help it combat the Locky samples released in March 2016.

Traditional AV results were scattered across the board, with some variants detected by two vendors and others by thirty. (Bear in mind that all AV products were fully patched and updated with their most recent signature files (DATs) prior to testing.)

The bottom line is that no other solution came close to detecting and preventing EVERY SINGLE Locky sample from launching its attack. Compared with traditional signature-based methods, CylancePROTECT's performance was not even a contest:

Fig. 1: Every Locky sample was quarantined by CylancePROTECT

Samples Tested (SHA-256):

054961abdb8609884514d375bc4e1846bf6df78487b3e525983a40eabe449ebf

0778db31d7e3259a65affc28ca1a317c67105a3fa75250b7370a5dfa70585c0c

09f8fb2f64274ab6621011acf7d058fe66fdab16a6df6f8d2dfa59ae4d019eed

0f7097b6647b6368851535e67c152f3c79aee96a6dab0a448ebc5e4c9bc59bd3

20f48e19032b23217d4da671173565607b4069912d37f4b143fea97486fba743

283b14f2fd94acf8c512609aec8e7de83f68c8adad7378214209722b2eef2fa0

32282a76a0df123cb1fe3c71bf987f00cbff2e77d79cd20aca491b30ea8cbff8

4d4710bb678dc514cafafa0b90807cc176af257dfe9505dcb7d0c2e78eaa42eb

58bc454a3a2e13da86384d387da3a64336869bb0f6a691bbb203e0e5a25319bb

604f473906eab9bfe720ce81a09651116ebd496ce4b8266b0b88da3b8332a12c

60ad6b2e454a0023a3fb093cd4c99cb39be8ff4ec6a4aa5e57beff702f5b9313

652f6b3070da5a91df67f5095abf25e5766ece96ef49d966baeea4aebdd9d313

67f1acad31314afd56c00e5b396adfffa7bfd5bb2cebc8a2163f01f351b98e79

6806fa5f2c78ca38065daf780351383831193064fc83b52c43f946258cb153be

6a35ca7adffa10141e0c287d6b8587a07f33fc07a184e2ed1981d35279a066a9

763942dc5bd1c5ae5d01761002406d7dc0cfb660519777944c9ba492e68fd2ee

7e2bf56e787cb1417515ee3fd20169352d49d3f9d3ad41850d16cc34dea848ae

7e2e08161a82564ca386c4605d384e5976cf1d24b74e88a5bb3d0bd225d9c346

85204c8081de04f07cf73b0d3ae3e9a439cfae9deee66bfddea9e0e2ca6e989d

88088d89d1f721ebf55fa02978fc9375de3326b2cc9ed2783eb2003ff52a2e53

94202c823a3c25dd9d61af19c074338b9c02b8e9da8b6d9b897cfb4c41a93b38

94292334caa637e938b81e46c440b82687ed45c0c24b9f39437cd0d8a2797d0a

96e80185f1ba2ce55e43181356996c44e056a8b2a6e09096c51d488cbfcb6ba7

9c47f2e99beae3f04b00e19c3f7fcb10f92317a476fa7b3697a61f06fbffadab

9d0bf74510303c401f19e3ee368fb37bb2d4567916c01256ff9684a791e687e5

9f7c24ef97a4007eeb6d8c4046d0362265bb0d29c90f19eed2e7423cbcb3642d

b66d3904c6cbbdedc880d9784e8b028f2d59278def689ad995c93a1b2aebbac5

bc4ec97a4faeccb68eb1cc259029f4b301dfa8734f661e2445ae5b3a5f7b55f9

c0444aed4248d81006063c0f5936f130873f7319dd7b4f07ea86ed50461531f9

c20c89b2b1db159c9481a72c210e1d7d056d3a29f0066046940acf278b69d28e

d47383641d5ca56299d498a4c6f3dcec94bd98e1b28a11d7780c615f8b2634cf

dbf6e09c1ee66ae22b9ede51e931e8da444b0b7eefc7817a9f220d8077ee2d44

ddf646e2527f4f1a8cd8904e85ca92a569a1f4d8cbdfb318746c50426df8540b

e2820a62b1f3042662a1c7cb4bc5e3d0827d0716ac9d5f18ba167a0bbf349687

e9990ccae658bcecca6a7b52251ef55b3298d9f46c55e92dea0363398b7d6c41

ebe01377fd8af1941dbf69d79269ba80d20ce0576507f0e202d88384e9d8eefe

The Bottom Line

Locky and similar families of ransomware use very predictable methods of attack and are the complete antithesis of stealth. While traditional endpoint products scramble to blacklist or build generic and heuristic detections well after Day Zero and countless infections, CylancePROTECT is (and always has been) able to detect and prevent execution of Locky and similar ransomware families, using mathematical models built long before the malware itself was written.