FBI Cyber Bulletin: Identification of Locky Ransomware

Identification of ransomware variant called Locky

Page Count: 4 pages
Date: July 11, 2016
Restriction: TLP Green
Originating Organization: Federal Bureau of Investigation, Cyber Division
File Type: pdf
File Size: 622,147 bytes
File Hash (SHA-256): 3E3430E75AF1E0A13E21308C475DBB58B8BDF9072C6A465D2E54D973D84D5891


The ‘Locky’ malware is a ransomware variant that has made extensive use of spam campaigns to distribute malicious files; these download and execute code capable of encrypting numerous critical file types on both local and networked file stores. Encrypted files are renamed with a unique hexadecimal filename and receive the “.locky” extension. Each directory containing encrypted files also contains instructions on how to use Bitcoin to pay a ransom for file recovery, and the system’s desktop background is changed to display the same payment instructions. Because the encryption is strong and well implemented, recovery of encrypted files is not possible without a data backup or the private key. Historically, payment of the ransom may result in receipt of a valid private key that enables decryption of the targeted files, but the FBI does not recommend that victims pay the ransom.

Technical Details

In early 2016, a destructive ransomware variant, Locky, was observed infecting business computers in the United States, New Zealand, Australia, Germany, and the United Kingdom. It propagates through spam e-mails carrying malicious Microsoft Office documents, JavaScript files, or compressed attachments (e.g., .rar, .zip). The infection vectors are similar to those of the Dridex banking Trojan and the Pony loader. The malicious attachments contain macros or JavaScript files that download the Locky payload. Locky has also been distributed via the Neutrino and Nuclear exploit kits. Locky is based on an affiliate model: the developers offer it as a service, and the FBI currently assesses that distribution is the responsibility of the individual affiliate, which accounts for the variety of attack vectors described above.

The malicious Microsoft Office documents contain macros with obfuscated Visual Basic code and/or batch files that download and execute the Locky executable. The malicious JavaScript files arrive in zip archives attached to e-mail and, when run, likewise download and execute the Locky executable. Once executed, Locky establishes persistence via a Run key in the registry, attempts to delete Volume Shadow Copies with the vssadmin command (removing the local restore points a victim might otherwise recover from), and encrypts user-space files such as documents, media files, archives, source code, and other critical files.

Locky communicates with a hard-coded command and control (C2) server to report a successful infection and to obtain encryption keys and a unique victim identifier. Additionally, Locky contains a domain generation algorithm (DGA) that produces further domains for reaching the C2 infrastructure. Network requests typically consist of HTTP POSTs to scripts such as main.php, submit.php, or, most recently, userinfo.php, and updated Locky variants encrypt their C2 communications.
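The host and network behaviours described in the two paragraphs above (shadow copy deletion via vssadmin, a Run key pointing into a user-writable folder, HTTP POSTs to main.php/submit.php/userinfo.php, and hex-named .locky files) translate directly into detection rules. The following Python is an added example written for this page, not FBI or Locky code. The pipe-delimited telemetry format, the host names, the 203.0.113.10 address and the file names are constructed; accepting any length of hexadecimal filename is an assumption, since the bulletin gives no length. The per-host correlation step is the example's own addition: a lone vssadmin invocation by an administrator should not page anyone, but two or more of these behaviours on one host in a short window is a strong signal.

```python
"""Heuristic detections for the Locky behaviours described in the bulletin.

Added example for this page, not FBI or Locky code. Telemetry format, hosts,
addresses and file names below are constructed for illustration.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Hex-only basename plus ".locky". The bulletin gives no length, so any hex run
# is accepted (assumption).
LOCKY_NAME_RE = re.compile(r"^[0-9A-Fa-f]+\.locky$")
# vssadmin used to delete shadow copies; switch order and /quiet vary, so match loosely.
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Per-user or machine Run key (RunOnce deliberately excluded; the bulletin names Run).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.IGNORECASE)
# User-writable launch locations the bulletin's SRP bullet singles out (assumed substrings).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Local Settings|Temp)\\", re.IGNORECASE)
# Check-in script names listed in the bulletin, matched on the URL path.
C2_PATH_RE = re.compile(r"/(main|submit|userinfo)\.php$", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def is_locky_name(path: str) -> bool:
    """True if the file's basename looks like a Locky-renamed file."""
    return bool(LOCKY_NAME_RE.match(ntpath.basename(path)))


def scan(lines):
    """Apply the four rules to pipe-delimited telemetry lines; return Alert objects.

    Record layouts (constructed for this example):
      proc|host|image|command line
      reg|host|key path|value data
      http|host|method|url
      file|host|action|old path|new path
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        kind, host = f[0], f[1]
        if kind == "proc" and len(f) >= 4 and VSSADMIN_RE.search(f[3]):
            alerts.append(Alert("shadow_copy_deletion", host, f[3]))
        elif kind == "reg" and len(f) >= 4:
            key, value = f[2], f[3]
            # A Run key alone is normal; flag it when the target lives in a user-writable path.
            if RUN_KEY_RE.search(key) and USER_WRITABLE_RE.search(value):
                alerts.append(Alert("run_key_persistence", host, f"{key} -> {value}"))
        elif kind == "http" and len(f) >= 4:
            method, url = f[2], f[3]
            path = url.split("?", 1)[0]  # ignore any query string
            if method.upper() == "POST" and C2_PATH_RE.search(path):
                alerts.append(Alert("c2_checkin", host, url))
        elif kind == "file" and len(f) >= 5:
            action, new_path = f[2], f[4]
            if action == "rename" and is_locky_name(new_path):
                alerts.append(Alert("locky_rename", host, new_path))
    return alerts


def triage(alerts, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours, with the rules that fired."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    return {h: sorted(r) for h, r in rules_by_host.items() if len(r) >= threshold}


# Constructed sample telemetry (not real events). WS01 shows the full chain;
# WS02 shows benign look-alikes that must not fire.
SAMPLE_LOG = r"""
proc|WS01|C:\Users\bob\AppData\Local\Temp\payload.exe|vssadmin.exe Delete Shadows /All /Quiet
reg|WS01|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Locky|C:\Users\bob\AppData\Local\Temp\payload.exe
http|WS01|POST|http://203.0.113.10/main.php
file|WS01|rename|C:\Users\bob\Documents\budget.xlsx|C:\Users\bob\Documents\F67091F1D24A922B1A7FC27E19A9D9BC.locky
proc|WS02|C:\Windows\System32\cmd.exe|vssadmin list shadows
reg|WS02|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Program Files\Microsoft OneDrive\OneDrive.exe
http|WS02|GET|http://intranet.example/main.php
file|WS02|rename|C:\Users\amy\notes.txt|C:\Users\amy\notes.locky.bak
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.host} {a.rule}: {a.detail}")
    print("likely infected:", triage(found))
```

Run against the sample, all four rules fire for WS01 and none for WS02, so only WS01 is returned by triage. In production the Run key rule should also compare against an allow-list of known software, and the .locky rename rule is the one most worth wiring to an automatic network isolation action, since by the time it fires encryption is already under way.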

An updated complete list of indicators for known domains, e-mail subject lines, URLs, Hash data, and associated files is attached to this e-mail.

Recommended Steps for Prevention

  • Implement an awareness and training program. Because end users are targeted, employees and individuals should be made aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing e-mails from reaching end users, and authenticate inbound e-mail using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary.
  • Configure access controls, including file, directory, and network share permissions, with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts in Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as the temporary folders used by popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folders.
  • Implement application whitelisting; only allow systems to execute programs known and permitted by security policy.
  • Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.
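Two of the recommendations above, filtering executable attachments and keeping macros out of mailed Office files, only work if the gateway looks inside archives and inside the document container rather than at the outer file name alone, because the lures described in this bulletin arrive as .js files inside zip attachments. The following Python is an added example for this page, not FBI code or any product's filter: it recurses into zip attachments, flags script and executable extensions, and flags Office Open XML documents whose container holds a vbaProject.bin entry (the storage for VBA macros) regardless of the extension they claim. The extension lists and the nesting limit are assumptions, the sample attachments are constructed in memory, and .rar archives, which the bulletin also mentions, need a third-party library and are not handled.

```python
"""Mail-gateway style attachment inspection for the delivery vectors in the bulletin.

Added example for this page, not FBI code. Extension lists and the nesting
limit are assumptions; the sample attachments are constructed in memory.
"""
import io
import posixpath
import zipfile

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}
OOXML_EXTS = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
ARCHIVE_EXTS = {".zip"}  # .rar needs an external library; not handled here


def ext_of(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container carries a VBA project (macro storage), whatever its extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(posixpath.basename(n).lower() == "vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return the reasons to quarantine an attachment; an empty list means allow."""
    reasons = []
    ext = ext_of(name)
    if ext in SCRIPT_EXTS or ext in EXEC_EXTS:
        reasons.append(f"{name}: blocked extension {ext}")
    elif ext in OOXML_EXTS and has_vba_project(data):
        reasons.append(f"{name}: contains VBA project (macros)")
    elif ext in ARCHIVE_EXTS:
        if depth >= max_depth:
            # Refuse rather than allow: an archive too deep to inspect is itself suspicious.
            return [f"{name}: archive nesting limit ({max_depth}) reached; not inspected"]
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:  # encrypted member cannot be inspected
                        reasons.append(f"{member}: encrypted archive member")
                        continue
                    reasons.extend(inspect_attachment(member, zf.read(info), depth + 1, max_depth))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt or non-zip archive")
    return reasons


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member name: bytes} (used only to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples mirroring the delivery methods described in the bulletin.
JS_LURE = make_zip({"invoice_scan.js": b"// constructed placeholder, not a downloader\n"})
MACRO_DOC = make_zip({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,  # placeholder standing in for a VBA project stream
})
CLEAN_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
NESTED_LURE = make_zip({"docs.zip": JS_LURE})

if __name__ == "__main__":
    for fname, blob in [("invoice.zip", JS_LURE), ("report.docm", MACRO_DOC),
                        ("report.docx", MACRO_DOC), ("report.docx", CLEAN_DOC),
                        ("outer.zip", NESTED_LURE)]:
        verdict = inspect_attachment(fname, blob)
        print(fname, "->", "QUARANTINE" if verdict else "allow", verdict)
```

The content check matters more than the extension check: a document renamed from .docm to .docx still carries its vbaProject.bin, and a .js file two archives deep is still a .js file when the user double-clicks it. Encrypted archive members are reported rather than silently allowed because password-protected zips (with the password in the e-mail body) are a standard way to defeat gateway inspection.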
