Locky – here we go again …

Locky ransomware – the new Cryptolocker

A new ransomware has been discovered and it will keep us company for a while … Locky! Our friendly companion encrypts your files using AES encryption and then asks for .5 bitcoins to decrypt the data. Even though the ransomware has a cute-sounding name, there is nothing cute about it. It affects a wide variety of data and file types and can encrypt data on mapped network shares. Encryption of data on unmapped network shares is now commonplace. Like CryptoWall, Locky also completely changes the names of the encrypted files to make it harder to restore the correct data.

To date, there are no known solutions to decrypt the files.

Locky is triggered through fake invoices … watch out!!!

Locky is currently distributed via e-mails carrying a WORD document that contains malicious “macros”. The e-mail message has a subject like “Name-Surname/Company name: invoice for the supply of electricity” and body text like “Please see the attached invoice (Microsoft Word Document) …”. Here is an example, with an explanation taken from an article by Lawrence Abrams:

Quote:

Locky Email Distribution

Attached to these email messages will be a malicious Word document that contains a name similar to invoice_J-17105013.doc. When the document is opened, the text will be scrambled and the document will display a message stating that you should enable the macros if the text is unreadable.

Malicious Word Document

Once a victim enables the macros, the macros will download an executable from a remote server and execute it.

Malicious Macro

The file that is downloaded by the macro will be stored in the %Temp% folder and executed. This executable is the Locky ransomware that when started will begin to encrypt the files on your computer.

Locky encrypts your data and completely changes the filenames

When Locky is started it will create and assign a unique 16-character hexadecimal number to the victim, which will look like F67091F1D24A922B. Locky will then scan all local drives and unmapped network shares for data files to encrypt. When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

Furthermore, Locky will skip any files where the full pathname and filename contain one of the following strings:

tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

When Locky encrypts a file it will rename the file to the format [unique_id][identifier].locky. So when test.jpg is encrypted it would be renamed to something like F67091F1D24A922B1A7FC27E19A9D9BC.locky. The unique ID and other information will also be embedded into the end of the encrypted file.
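The selection and renaming behaviour described above, modelled in Python as an exposure check a share administrator could run over a file listing. This is an added example, not code from the article or from the malware; the extension list is abridged to a representative subset, extension matching is assumed case-insensitive, and the share listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Targeting rules as described above (extension list abridged to a representative
# subset; the complete list is in the text). Skip fragments are copied verbatim.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".sql",
                     ".mdf", ".vmdk", ".zip", ".tar.bz2", ".pem", ".key"}
TARGET_FILENAMES = {"wallet.dat"}
SKIP_FRAGMENTS = ["tmp", "winnt", "Application Data", "AppData", "Program Files (x86)",
                  "Program Files", "temp", "thumbs.db", "$Recycle.Bin",
                  "System Volume Information", "Boot", "Windows"]

# [unique_id][identifier].locky: 16 hex chars of victim id + 16 hex chars per file
LOCKY_NAME = re.compile(r"^(?P<victim>[0-9A-F]{16})(?P<file>[0-9A-F]{16})\.locky$")


def would_be_targeted(path: str) -> bool:
    """Model the described selection: a skip fragment anywhere in the full path
    excludes the file (case-sensitive substring, so 'template.docx' is skipped via
    'temp'); otherwise match on extension (assumed case-insensitive) or wallet.dat."""
    if any(frag in path for frag in SKIP_FRAGMENTS):
        return False
    name = PureWindowsPath(path).name.lower()
    if name in TARGET_FILENAMES:
        return True
    return any(name.endswith(ext) for ext in TARGET_EXTENSIONS)


def parse_locky_name(filename: str):
    """Return (victim_id, file_id) for an encrypted filename, or None when the
    name does not follow the [unique_id][identifier].locky pattern."""
    m = LOCKY_NAME.match(filename)
    return (m["victim"], m["file"]) if m else None


def exposure(listing):
    """Return (in_scope, out_of_scope) counts for a share listing."""
    targeted = [p for p in listing if would_be_targeted(p)]
    return len(targeted), len(listing) - len(targeted)


if __name__ == "__main__":
    # Constructed listing of a hypothetical file share (not from the article)
    share = [r"\\fileserver\finance\2015\Q4_budget.xlsx",
             r"\\fileserver\finance\template.docx",          # skipped: contains "temp"
             r"\\fileserver\it\Program Files\tool\db.sql",   # skipped: Program Files
             r"\\fileserver\home\bob\wallet.dat",
             r"\\fileserver\home\bob\holiday.JPG",
             r"\\fileserver\home\bob\notes.md"]
    print(exposure(share))                                   # (3, 3)
    print(parse_locky_name("F67091F1D24A922B1A7FC27E19A9D9BC.locky"))
```

The "temp" and "tmp" skip fragments match inside ordinary words, so a listing of a real share will show which user documents happen to fall outside the described scope by accident, not by design.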

It is important to stress that Locky will encrypt files on network shares even when they are not mapped to a local drive. As predicted, this is becoming more and more common and all system administrators should lock down all open network shares to the lowest permissions possible.

As part of the encryption process, Locky will also delete all of the Shadow Volume Copies on the machine so that they cannot be used to restore the victim’s files. Locky does this by executing the following command:

vssadmin.exe Delete Shadows /All /Quiet

In the Windows desktop and in each folder where a file was encrypted, Locky will create ransom notes called _Locky_recover_instructions.txt. This ransom note contains information about what happened to the victim’s files and links to the decrypter page.

Locky Text Ransom Note

Locky will change the Windows wallpaper to %UserProfile%\Desktop\_Locky_recover_instructions.bmp, which contains the same instructions as the text ransom notes.

Locky Wallpaper

Last, but not least, Locky will store various information in the registry under the following keys:

  • HKCU\Software\Locky\id – The unique ID assigned to the victim.
  • HKCU\Software\Locky\pubkey – The RSA public key.
  • HKCU\Software\Locky\paytext – The text that is stored in the ransom notes.
  • HKCU\Software\Locky\completed – Whether the ransomware finished encrypting the computer.
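The host-level behaviours described above (shadow copy deletion, the HKCU\Software\Locky keys, ransom note creation and the wallpaper change) turned into detection logic over endpoint telemetry. This is an added example, not part of the article: the log lines are constructed Sysmon-style key=value records (event IDs 1, 11 and 13 for process create, file create and registry value set), and the rule names are made up for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed, Sysmon-style key=value log lines (not real telemetry). Line 2 is a
# benign vssadmin invocation that the rules must not flag.
SAMPLE_LOG = r'''
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" ParentImage=C:\Users\bob\AppData\Local\Temp\kj3f9a.exe
EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe List Shadows" ParentImage=C:\Windows\System32\cmd.exe
EventID=13 TargetObject=HKCU\Software\Locky\completed Details=1
EventID=11 TargetFilename=C:\Users\bob\Documents\_Locky_recover_instructions.txt
EventID=13 TargetObject="HKCU\Control Panel\Desktop\Wallpaper" Details="C:\Users\bob\Desktop\_Locky_recover_instructions.bmp"
EventID=11 TargetFilename=C:\Users\bob\Documents\budget.xlsx
'''.strip().splitlines()

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
NOTE_NAMES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: q if q else v for k, q, v in FIELD.findall(line)}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names an event matches (empty list when benign)."""
    hits: List[str] = []
    cmd = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith("vssadmin.exe") \
            and "delete" in cmd and "shadows" in cmd:
        hits.append("shadow_copy_deletion")
        if "\\temp\\" in ev.get("ParentImage", "").lower():  # payload is dropped in %Temp%
            hits.append("vssadmin_spawned_from_temp")
    target = ev.get("TargetObject", "").lower()
    if ev.get("EventID") == "13":
        if target.startswith("hkcu\\software\\locky"):
            hits.append("locky_registry_key")
        if target.endswith("control panel\\desktop\\wallpaper") \
                and "_locky_recover_instructions" in ev.get("Details", "").lower():
            hits.append("ransom_wallpaper_set")
    if ev.get("EventID") == "11":
        name = ev.get("TargetFilename", "").rsplit("\\", 1)[-1].lower()
        if name in NOTE_NAMES:
            hits.append("locky_ransom_note")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Run classify over every line; returns (1-based line number, rule) pairs."""
    return [(i, r) for i, line in enumerate(lines, 1) for r in classify(parse_event(line))]


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule}")
```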


The Locky Decrypter Page

Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase the bitcoins, and the bitcoin address you should send payment to. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.

Locky Decrypter Page


Locky related Files

%UserProfile%\Desktop\_Locky_recover_instructions.bmp
%UserProfile%\Desktop\_Locky_recover_instructions.txt
%Temp%\[random].exe

Locky related Registry entries

HKCU\Software\Locky
HKCU\Software\Locky\id
HKCU\Software\Locky\pubkey
HKCU\Software\Locky\paytext
HKCU\Software\Locky\completed    1
HKCU\Control Panel\Desktop\Wallpaper    "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"