Ransomware persists as one of the top crimeware threats thus far into 2016. While the use of document-based macros for ransomware distribution remains relatively uncommon, a new family calling itself “Locky” has borrowed the technique from the eminently successful Dridex to maximize its target base. We first learned of Locky through Invincea and expanded on qualifying this threat with the help of PhishMe. Locky has also gained enough traction to find its way onto Dynamoo’s Blog and Reddit.

Using Palo Alto Networks AutoFocus, Unit 42 observed over 400,000 individual sessions containing the Bartallex macro downloader, which in turned dropped Locky ransomware onto victim machines. Researchers suspect there is a link between the Dridex botnet affiliate 220 and Locky due to similar styles of distribution, overlapping filenames, and an absence of campaigns from this particularly aggressive affiliate coinciding with the initial emergence of Locky. This blog post explores this threat further and offers recommendations on mitigating its impact.

Delivery and Installation

Palo Alto Networks telemetry showed that Locky focuses primarily on e-mail delivery through massive phishing campaigns with Microsoft Word document attachments. The subjects for these malicious messages adhere to the following convention:

ATTN: Invoice_J-< 8-digits>

The naming convention of respective malicious Word document carrier files match the e-mail subject line portion after the “ATTN: “, switch the “i” in invoice to lowercase, and append a “.doc” extension. An example follows:

Subject: ATTN: Invoice J-11256978

Attachment: invoice_J-11256978.doc

Our analysis revealed that this ransomware requires command and control (C2) communication for a key exchange, prior to encrypting victim files. It performs its key exchange in memory for this process. This is interesting, as most ransomware generates a random encryption key locally on the victim host and then transmits an encrypted copy to attacker infrastructure. This also presents an actionable strategy for mitigating this generation of Locky by disrupting associated C2.

Unfortunate victims unable to mitigate this threat would see the following ransom demand.

And a subsequent visit to the referenced Locky payment portal site would reveal the following options for victims.

Threat Volume and Targeting

We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined.

Industry analysis for targeting reveals expected indiscriminant distribution within impacted countries; however, Higher Education, Wholesale and Retail, and Manufacturing make up over a third of observed targeting.

Pairing this volume with the “decryption cost” advertised for Locky victims, it is clear why ransomware in general continues to thrive in the threat landscape. Using some napkin math furnished by our friends at PhishMe, even if one assumed a 50% efficacy / infection rate for these 446,000 sessions and a 1% payment rate of 0.5 bitcoins (BTC) from victims, the currently observed activity alone yields several hundred thousands of dollars in profits for Locky’s malicious actors.

Conclusion

Locky is aiming high in an effort to join the ranks of other big name ransomware families. Despite some weaknesses in its current implementation, we can expect to see further developments for this threat in the future. Ultimately, successes experienced by one attacker group embolden and inspire others. It goes without saying that cybercrime adversaries will continue to advance efforts to commoditize the already lucrative extortion of victims through encryption-based extortion.

Defending against ransomware first requires a focus on the basics of a strong security posture: security awareness and the hardening and patching of systems. Ransomware can be especially damaging in enterprises, where this class of threat commonly targets network shares and other media attached to corporate assets. To further reduce associated risks, layered preventive controls are a must.

Palo Alto Networks customers are protected through our next-generation security platform:

WildFire successfully detects this threat as malware

AutoFocus identifies this threat under the Unit 42 “Locky” tag

The C2 domains and files mentioned in this report are blocked in our Threat Prevention product

Indicators of Compromise (IOCs)