Aliases | |
---|---|
Type | Trojan |
Subtype | Ransomware |
Author(s) | Necurs |
Locky is ransomware released in 2016. It is delivered by email (purporting to be an invoice requiring payment) with an attached Microsoft Word document that contains malicious macros. [1] When the user opens the document, it appears to be full of gibberish and includes the phrase "Enable macro if data encoding is incorrect," a social engineering technique. If the user does enable macros, the macros save and run a binary file that downloads the actual encryption Trojan, which encrypts all files that match particular extensions. Filenames are converted to a unique 16 letter and number combination. Initially, only the .locky file extension was used for these encrypted files. Subsequently, other file extensions have been used, including .zepto, .odin, .aesir, .thor, and .zzzzz. After encryption, a message (displayed on the user's desktop) instructs them to download the Tor browser and visit a specific criminal-operated Web site for further information.
The website contains instructions that demand a ransom payment between 0.5 and 1 bitcoin (as of November 2017, one bitcoin varies in value between $9,000 and $10,000 via a bitcoin exchange). Since the criminals possess the private key and the remote servers are controlled by them, the victims are motivated to pay to decrypt their files. [2] [3] [4] Cryptocurrencies are very difficult to trace and are highly portable. [5]
The most commonly reported mechanism of infection involves receiving an email with a Microsoft Word document attachment that contains the code. The document is gibberish, and prompts the user to enable macros to view the document. Enabling macros and opening the document launch the Locky virus. [6] Once the virus is launched, it loads into the memory of the user's system, encrypts documents as hash.locky files, installs .bmp and .txt files, and can encrypt network files that the user has access to. [7] This is a different route from most ransomware, since it uses macros and attachments to spread rather than being installed by a Trojan or using a previous exploit. [8]
On June 22, 2016, Necurs released a new version of Locky with a new loader component, which includes several detection-avoiding techniques, such as detecting whether it is running within a virtual machine or within a physical machine, and relocation of instruction code. [9]
Since Locky was released, numerous variants have appeared that use different extensions for encrypted files. Many of these extensions are named after gods of Norse and Egyptian mythology. When first released, the extension used for encrypted files was .Locky. Other versions utilized the .zepto, .odin, .shit, .thor, .aesir, and .zzzzz extensions for encrypted files. The current version, released in December 2016, utilizes the .osiris extension for encrypted files. [10]
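A detection sketch for the renaming behaviour described above, added here as an example and not taken from any vendor's tooling: it scans file-server rename events for destinations that carry one of the listed extensions and alerts when one account produces a burst of them. The log layout, account names, paths and the 60-second and 3-event thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article lists for Locky-encrypted files.
LOCKY_EXTS = {".locky", ".zepto", ".odin", ".shit", ".thor", ".aesir", ".zzzzz", ".osiris"}
# The article describes the new base name as 16 letters and digits.
NAME_RE = re.compile(r"[0-9A-Za-z]{16}")
# Hypothetical audit-log layout: timestamp, user, rename source and destination.
LINE_RE = re.compile(r"(\S+) user=(\S+) op=rename src=(\S+) dst=(\S+)")

# Constructed sample events, not taken from a real incident.
SAMPLE_LOG = r"""
2016-02-16T09:14:02 user=alice op=rename src=\\fs01\fin\q1.xlsx dst=\\fs01\fin\A1B2C3D4E5F60718.locky
2016-02-16T09:14:03 user=alice op=rename src=\\fs01\fin\q2.xlsx dst=\\fs01\fin\0F9E8D7C6B5A4932.locky
2016-02-16T09:14:05 user=alice op=rename src=\\fs01\hr\staff.docx dst=\\fs01\hr\77AA66BB55CC44DD.locky
2016-02-16T09:14:09 user=alice op=rename src=\\fs01\hr\pay.pdf dst=\\fs01\hr\1234ABCD5678EF90.locky
2016-02-16T09:20:00 user=bob op=rename src=\\fs01\art\draft.txt dst=\\fs01\art\hammer.thor
2016-02-16T09:21:00 user=carol op=rename src=\\fs01\doc\a.docx dst=\\fs01\doc\b.docx
""".strip().splitlines()

def classify(path):
    """'strong' = listed extension and 16-character name, 'weak' = extension only."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    base, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in LOCKY_EXTS:
        return None
    return "strong" if NAME_RE.fullmatch(base) else "weak"

def rename_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Map each user to their largest count of suspicious renames inside one window."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.fullmatch(line)
        if m and classify(m.group(4)):
            hits[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    alerts = {}
    for user, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[user] = best
    return alerts

if __name__ == "__main__":
    print(rename_bursts(SAMPLE_LOG))
```

A single extension-only match, such as the `hammer.thor` rename in the sample, stays below the threshold, which keeps legitimate files that happen to share an extension from raising an alert on their own.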
Many different distribution methods for Locky have been used since the ransomware was released. These distribution methods include exploit kits, [11] Word and Excel attachments with malicious macros, [12] DOCM attachments, [13] and zipped JS attachments. [14]
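A mail-gateway triage sketch for the attachment types listed above, added here as an example and not part of any product: it holds Office files that carry a VBA macro project, legacy Office containers that need macro inspection, and archives that contain JavaScript. The function names, file names and reason strings are assumptions, and the samples are built in memory from placeholder bytes.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls files

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def triage(filename, data):
    """Return the reasons an attachment should be held for review (empty = none)."""
    reasons = []
    lower = filename.lower()
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy Office file: inspect for macros")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        # Macro-enabled OOXML files store their code in <part>/vbaProject.bin.
        if any(n.endswith("/vbaproject.bin") for n in names):
            reasons.append("Office document contains a VBA macro project")
            if not lower.endswith((".docm", ".xlsm")):
                reasons.append("macro project hidden behind a non-macro extension")
        scripts = [n for n in names if n.endswith(".js")]
        if scripts:
            reasons.append("archive contains script: " + ", ".join(scripts))
    return reasons

# Constructed samples with placeholder bytes; none contains real macro or script code.
DOCM = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<doc/>",
                 "word/vbaProject.bin": b"placeholder"})
DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<doc/>"})
JSZIP = make_zip({"invoice_scan.js": b"// placeholder"})
OLE_DOC = OLE_MAGIC + b"\x00" * 504

if __name__ == "__main__":
    for fname, blob in [("invoice.docm", DOCM), ("invoice.docx", DOCM),
                        ("report.docx", DOCX), ("invoice.zip", JSZIP),
                        ("invoice.doc", OLE_DOC)]:
        print(fname, "->", triage(fname, blob) or "no findings")
```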
The general consensus among security experts is that the way to protect yourself from ransomware, including Locky, is to keep your installed programs updated and to open attachments only from known senders.
Locky uses RSA-2048 and AES-128 in ECB mode to encrypt files. Keys are generated on the server side, making manual decryption impossible, and Locky can encrypt files on all fixed drives, removable drives, network drives and RAM disk drives. [15]
Locky is reported to have been sent to about a half-million users on February 16, 2016, and for the period immediately after the attackers increased their distribution to millions of users. [16] Despite the newer version, Google Trend data indicates that infections have dropped off around June 2016. [17]
On February 18, 2016, the Hollywood Presbyterian Medical Center paid a $17,000 ransom in the form of bitcoins for the decryption key for patient data. [18] The hospital was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. [19] This has led to increased fear and knowledge about ransomware in general and has brought ransomware into the public spotlight once again. There appears to be a trend in ransomware being used to attack hospitals and it appears to be growing. [20]
On May 31, Necurs went dormant, perhaps due to a glitch in the C&C server. According to Softpedia, there were fewer spam emails with Locky or Dridex attached. On June 22, however, MalwareTech discovered that Necurs's bots consistently polled the DGA until a C&C server replied with a digitally signed response. This signified that Necurs was no longer dormant. The cybercriminal group also started sending a very large quantity of spam emails with new and improved versions of Locky and Dridex attached to them, as well as a new message and zipped JavaScript code in the emails. [9] [21]
In Spring 2016, the Dartford Grammar School and Dartford Science & Technology College computers were infected with the virus. In both schools, a student had opened an infected email which quickly spread and encrypted many school files. The virus stayed on the computer for several weeks. Eventually, they managed to remove the virus by using System Restore for all of the computers.
An example message with Locky as an attachment is the following:
Dear (random name):
Please find attached our invoice for services rendered and additional disbursements in the above-mentioned matter.
Hoping the above to your satisfaction, we remain
Sincerely,
(random name)
(random title)
Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.
In computing terminology, a macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application. Some applications, such as Microsoft Office, Excel, PowerPoint allow macro programs to be embedded in documents such that the macros are run automatically when the document is opened, and this provides a distinct mechanism by which malicious computer instructions can spread. This is one reason it can be dangerous to open unexpected attachments in e-mails. Many antivirus programs can detect macro viruses; however, the macro virus' behavior can still be difficult to detect.
This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.
ESET, s.r.o., is a Slovak software company specializing in cybersecurity. ESET's security products are made in Europe and provide security software in over 200 countries and territories worldwide, and its software is localized into more than 30 languages.
Ransomware is a type of cryptovirological malware that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Cryptovirology refers to the use of cryptography to devise particularly powerful malware, such as ransomware and asymmetric backdoors. Traditionally, cryptography and its applications are defensive in nature, and provide privacy, authentication, and security to users. Cryptovirology employs a twist on cryptography, showing that it can also be used offensively. It can be used to mount extortion based attacks that cause loss of access to information, loss of confidentiality, and information leakage, tasks which cryptography typically prevents.
A computer virus is a type of malware that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs. If this replication succeeds, the affected areas are then said to be "infected" with a computer virus, a metaphor derived from biological viruses.
Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."
The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.
TeslaCrypt was a ransomware trojan. It is now defunct, and its master key was released by the developers.
Linux.Encoder is considered to be the first ransomware Trojan targeting computers running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.
KeRanger is a ransomware trojan horse targeting computers running macOS. Discovered on March 4, 2016, by Palo Alto Networks, it affected more than 7,000 Mac users.
Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.
The Necurs botnet is a distributor of many pieces of malware, most notably Locky.
Numbered Panda is a cyber espionage group believed to be linked with the Chinese military. The group typically targets organizations in East Asia. These organizations include, but are not limited to, media outlets, high-tech companies, and governments. Numbered Panda is believed to have been operating since 2009. However, the group is also credited with a 2012 data breach at the New York Times. One of the group's typical techniques is to send PDF files loaded with malware via spear phishing campaigns. The decoy documents are typically written in traditional Chinese, which is widely used in Taiwan, and the targets are largely associated with Taiwanese interests. Numbered Panda appears to be actively seeking out cybersecurity research relating to the malware they use. After an Arbor Networks report on the group, FireEye noticed a change in the group's techniques to avoid future detection.
Emotet is a malware strain and a cybercrime operation believed to be based in Ukraine. The malware, also known as Heodo, was first detected in 2014 and deemed one of the most prevalent threats of the decade. In 2021, the servers used for Emotet were disrupted through global police action in Germany and Ukraine and brought under the control of law enforcement.
Hitler-Ransomware, or Hitler-Ransonware [sic], is a form of ransomware created in 2016 originating in Germany. It requests payment within one hour; otherwise, it will delete files from the infected computer.
Jigsaw is a form of encrypting ransomware malware created in 2016. It was initially titled "BitcoinBlackmailer", but later came to be known as "Jigsaw" due to featuring an image of Billy the Puppet from the Saw film franchise. The malware encrypts computer files and gradually deletes them, demanding payment of a ransom to decrypt the files and halt the deletion.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.
Clop is a cybercriminal organization known for its multilevel extortion techniques and global malware distribution. It has extorted more than $500 million in ransom payments, targeting major organizations worldwide. Clop gained notoriety in 2019 and has since conducted high-profile attacks, using large-scale phishing campaigns and sophisticated malware to infiltrate networks and demand ransom, threatening to expose data if demands are not met.