History and Evolution of the Locky Ransomware

Although Locky sounds like fun, it actually denotes one of the today’s prevalent ransomware families. Discovered in mid-February 2016, this file-encrypting epidemic proved to be sophisticated enough to fly under the radar of conventional antimalware defenses. Furthermore, the creators of this nasty infection are proficient in implementing cryptography, leveraging a data locking mechanism that security experts have yet to find a viable response for. To top it off, this plague targets healthcare institutions, telecom companies, universities and even governments, not just individual users.

Also Read: New Ransomware Asks User to Play Click Me Game while Encrypting Data

The Locky campaign is a process rather than something static. It has given rise to five distinct spinoffs during eight months of its operation, and there are probably more to come. Every new update fine-tunes the ransomware so that it can counter decryption efforts more efficiently and obfuscate its activity to evade detection. Let’s have an insight into how this strain has evolved over time.

The Rise of the Menace

The first iteration of Locky introduced a number of properties that were novel on the ransomware arena. First of all, its authors borrowed a distribution tactic from the infamous banking Trojan called Dridex. The malware-tainted downloader would arrive with phishing emails that contained a rogue invoice.

The Microsoft Word document attached to these emails recommended the recipient to enable macros. By doing so, users ran the risk of unknowingly triggering a malicious VBA (Visual Basic for Applications) script that downloaded the ransomware executable to the Temp path and launched it.

Another new thing about Locky was that it found and encrypted personal files on unmapped network shares along with mapped ones, the local drive, and removable drives if any. Therefore, even if a network path wasn’t represented as a drive letter, it was subject to scanning by the infection anyway. The ransomware applied a fusion of the symmetric AES-128 and asymmetric RSA-2048 ciphers to make the infected users’ important files inaccessible.

Locky version 1.0 completely scrambled its victims’ filenames, turning each one into a string of 32 hexadecimal characters plus the .locky extension at the end. An entry like 8469F0FE8432F4F84DCC48462F435454.locky is an example of this drastic transformation. The infection dropped ransom notes called “_Locky_recover_instructions.txt” on the desktop, which provided links to the victim’s personal decryptor page. The ransom amounted to 0.5 Bitcoin.

Also Read: The Nastiest of all Ransomware Mamba Encrypts Entire Hard Drive

Locky Version 2.0 Running on Autopilot

The second edition of Locky appeared in early August 2016. The extortionists made a number of external adjustments to their product and started leveraging a somewhat different distribution tactic. The first conspicuous tweak was the new .zepto extension that replaced .locky in the file renaming paradigm.

Similarly to its forerunner, the Zepto edition would jumble filenames to turn them into lines of 32 hex characters. However, these strings contained five blocks separated by hyphens, for instance, 034BDC22-54D4-ABD4-F065-F642E772A851.zepto. The new ransom notes were called “_HELP_instructions.html.” The Trojan would also replace the desktop background with a BMP version of the decryption manual.

The distribution mechanism underwent a change as well. The cyber crooks gave up the macros trick and switched to JS (JavaScript) or WSF (Windows Script File) installers enclosed in ZIP email attachments. The phishing emails were masqueraded as invoices, bank account reports, job offers or delivery reports.

A major enhancement in the Zepto iteration was the so-called “autopilot” feature that took effect in mid-September. It meant that the ransomware went with hard-coded RSA keys and didn’t need to obtain ones from its Command and Control server. This offline encryption principle allowed the infection to get around firewalls that could otherwise detect and block the C&C communication. Also, the crooks no longer had to set up dozens of new C2 domains daily. A downside of this approach was that it became problematic for the criminals to get real-time infection statistics.

The “Odin” Version Switches Back to C&C Mode

Having given the innovative offline encryption method a shot, Locky devs shortly abandoned it for an unknown reason. One guess is the perpetrators couldn’t do without accurate stats on the number of successful installs. Anyway, the new “Odin” spinoff discovered on September 26 was phoning home to exchange information with its Command and Control servers again.

The third edition of Locky appended the .odin extension to one’s distorted files, hence its generic name. The names of ransom notes changed to “_HOWDO_text.html (.bmp).” Whereas payload delivery still relied on phishing, the threat actors started engaging an encrypted DLL installer. This way, the ransomware became harder to detect. The ransom size didn’t change and still amounted to 0.5 Bitcoin.

Also Read: Father Kills son, commits suicide after police ransomware asked him for fine

Locky Authors Get Naughty with Version 4.0

The new .shit extension that the fourth edition of Locky appended to victims’ files reflected the true essence of the ransomware. This variant went live on October 24. A noteworthy tweak was that the ransom notes were called “_WHAT_is.html” and “_WHAT_is.bmp.” The post was delivered with spam emails containing a zipped HTA, JS or WSF file disguised as a receipt or complaint letter. Interestingly, the “Shit” edition opted for offline encryption again, with RSA keys embedded right in code.

Locky Version 5.0 Uses .Thor Extension

It took Locky makers less than 24 hours to release another version of the ransomware. Such a rapid change is an uncommon move for this family. Who knows, perhaps the bad guys felt ashamed to use a swear word for their file renaming pattern? The only substantial difference between the latest edition and its one-day-old .shit file predecessor is the new .thor extension.

This iteration has emerged in the wake of a massive increase of spam detected by security analysts. As earlier, the phishing campaign involves the paycheck, receipt, invoice, order, or wrong credit card charge themes that are likely to dupe recipients into loading the attached files. The most widespread formats of these dangerous attachments include JS, VBS, and EXE. These files are embedded in ZIP archives and may be masqueraded as regular Microsoft Office documents. The Thor variant uses the same names of ransom notes as its predecessor: “_WHAT_is.html” and “_WHAT_is.bmp.”

Also Read: “No More Ransom” Campaign Saves 2,500 Ransomware Victims, 1.3 Mil Euros

Conclusion

It’s worth mentioning that every new version of Locky is a faster-moving target for researchers. Its authors have been experimenting with offline encryption lately, where the infection can do its filthy job without connecting to external servers. This is a serious wake-up call for the security industry that needs to come up with new defenses against the evolving strain. Meanwhile, users should exercise caution with spam attachments and keep their valuable files backed up.

David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.