Locky
Aliases |
|
---|---|
Type | Trojan |
Subtype | Ransomware |
Author(s) | Necurs |
Locky is ransomware malware released in 2016. It is delivered by email (that was allegedly an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros.[1] When the user opens the document, it appears to be full of garbage, and it includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, the macros then save and run a binary file that downloads the actual encryption trojan, which will encrypt all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination with the .locky file extension.[2][3] After encryption, a message (displayed on the user's desktop) instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information. The Web site contain instructions that demand a payment of between 0.5 and 1 bitcoin (as of 22 November 2016 one bitcoin can be exchanged for 691.83 Euro via a bitcoin exchange). Since the criminals possess the private key and the remote servers are controlled by them, the victims are motivated to pay to decrypt their files.[4][5]
Operation
The most commonly reported mechanism of infection involves receiving an email with a Microsoft Word document attachment that contains the code. The document is gibberish, and prompts the user to enable macros to view the document. Enabling macros and opening the document launch the Locky virus.[6] Once the virus is launched, it loads into the memory of the users system, encrypts documents as hash.locky files, installs .bmp and .txt files, and can encrypt network files that the user has access to.[7] This has been a different route than most ransomware since it uses macros and attachments to spread rather than being installed by a Trojan or using a previous exploit.[8]
Updates
On June 22, 2016, Necurs released a new version of Locky with a new loader component, which includes several detection-avoiding techniques, such as detecting whether it is running within a virtual machine or within a physical machine, and relocation of instruction code.[9][10] The second version of Locky, called Odin, was presented in the end of September. As the name of this virus suggests, it appends .odin extension to each of affected files and requires 0.5 bitcoin from its victims who want to get the decryption key. The ransomware spreads as "Receipt [random characters]" email attachment.[11] Another version of Locky was released in October that appends .thor file extensions. It is being spread with JS and VBS attachments and employs an encrypted DLL Installer.[12]
Prevalence
Locky is reported to have been sent to about a half-million users on February 16, 2016, and for the period immediately after the attackers increased their distribution to millions of users.[13] Despite the newer version, Google Trend data indicates that infections have dropped off around June 2016.[14]
Notable incidents
On February 18, 2016, the Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom for the decryption key for patient data.[15] The Hospital was infected by the delivery of an email attachment disguised as a Microsoft Word invoice.[16] This has led to increased fear and knowledge about ransomware in general and has brought ransomware into public spotlight once again. There appears to be a trend in ransomware being used to attack hospitals and it appears to be growing. [17]
On May 31, Necurs went dormant, perhaps due to a glitch in the C&C server. According to Softpedia, there were less spam emails with Locky or Dridex attached to it. On June 22, however, MalwareTech discovered Necurs's bots consistently polled the DGA until a C&C server replied with a digitally signed response. This signified Necurs was no longer dormant. The cybercriminal group also started sending a very large quantity of spam emails with new and improved versions of Locky and Dridex attached to them, as well as a new message and zipped JavaScript code in the emails.[10][18]
Spam email vector
An example message with Locky as an attachment is the following:
Dear (random name):
Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.
Hoping the above to your satisfaction, we remain
Sincerely,
(random name)
(random title)
References
- ↑ Sean Gallagher (February 17, 2016). ""Locky" crypto-ransomware rides in on malicious Word document macro". arstechnica.
- ↑ "Locky Ransomware [Updated]".
- ↑ "locky ransomware". Retrieved 26 July 2016.
- ↑ "locky-ransomware-what-you-need-to-know". Retrieved 26 July 2016.
- ↑ "locky ransomware". Retrieved 26 July 2016.
- ↑ Paul Ducklin (February 17, 2016). "Locky ransomware: What you need to know". Naked Security.
- ↑ Kevin Beaumont (February 17, 2016). "Locky ransomeware virus spreading via Word documents".
- ↑ Krishnan, Rakesh. "How Just Opening an MS Word Doc Can Hijack Every File On Your System". Retrieved 30 November 2016.
- ↑ "Necurs Botnet Resurfaces With Updated Locky and Dridex Versions". Bitcoinist. Retrieved 27 June 2016.
- 1 2 Spring, Tom. "Necurs Botnet is Back, Updated With Smarter Locky Variant". Kaspersky Lab ZAO. Retrieved 27 June 2016.
- ↑ "Latest versions of Locky use receipt-looking attachment". 2spyware. Retrieved 3 November 2016.
- ↑ "Locky creates .thor extensions". SureShot Software. Retrieved 27 October 2016.
- ↑ "locky ransomware threats". Retrieved 26 July 2016.
- ↑ "Google Trends". Google Trends. Retrieved 2016-08-14.
- ↑ Richard Winton (February 18, 2016). "Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating". LA Times.
- ↑ Jessica Davis (February 26, 2016). "Meet the most recent cybersecurity threat: Locky". Healthcare IT News.
- ↑ Krishnan, Rakesh. "Ransomware attacks on Hospitals put Patients at Risk". Retrieved 30 November 2016.
- ↑ Loeb, Larry. "Necurs Botnet Comes Back From the Dead". Security Intelligence. Retrieved 27 June 2016.