Locky is a ransomware program for Microsoft Windows that spreads by email as a macro trojan.

It is reported to have caused 4000 new infections per hour and approximately 100,000 infections per day, with most of the infections happening in Germany and the Netherlands.

Payload

Transmission

Locky is distributed through emails that pretend to be invoices, or via exploit kits on hacked sites. These emails have a subject similar to ATTN: Invoice J-12155976 or FW: Invoice and carry either a malicious Word document or a ZIP file containing a JavaScript installer. The attachments have file names like Invoice J-12155976.doc or 138AD_scan_invoice_45E288.zip.

When the user double-clicks the Word document and enables macros, or runs the JavaScript file, it downloads the Locky ransomware executable and begins the encryption process.

Locky can also infect a computer when the user visits a hacked site hosting an exploit kit. The exploit kit scans the visitor's computer for vulnerable programs and attempts to exploit them to install and start the ransomware without the user's knowledge.
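The lure described above (an invoice-themed subject with a Word document, or a ZIP carrying a script installer) can be screened at the mail gateway before a user ever opens the attachment. The following triage routine is an added example and is not code from the page; the script extensions it looks for inside a ZIP (.js, .jse, .wsf, .vbs) and the sample attachments are assumptions constructed for the demonstration.

```python
"""Triage e-mail attachments for the Locky delivery pattern: an invoice-themed
lure with a Word document, or a ZIP that carries a script installer.
Added example; extension lists and samples are assumptions, not from the page."""
import io
import re
import zipfile

# Word attachment types the page names as carriers of the macro lure.
DOC_EXTS = (".doc", ".docm", ".dotm")
# Script types a ZIP installer is assumed (assumption) to use.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")
ZIP_EXTS = (".zip",)
# Subject lures quoted on the page: "ATTN: Invoice J-12155976", "FW: Invoice".
LURE = re.compile(r"invoice", re.IGNORECASE)


def zip_members(data: bytes):
    """Return member names of a ZIP attachment, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_attachment(subject: str, filename: str, data: bytes):
    """Return the reasons an attachment matches the Locky lure; [] means clean."""
    reasons = []
    name = filename.lower()
    lure = bool(LURE.search(subject)) or bool(LURE.search(name))
    if name.endswith(DOC_EXTS) and lure:
        reasons.append("invoice-themed Word attachment (macro lure)")
    if name.endswith(ZIP_EXTS):
        members = zip_members(data)
        scripts = [m for m in members if m.lower().endswith(SCRIPT_EXTS)]
        if scripts:
            reasons.append("ZIP contains script installer: " + ", ".join(scripts))
        elif lure and not members:
            reasons.append("invoice-themed ZIP that could not be parsed")
    if name.endswith(SCRIPT_EXTS):
        reasons.append("bare script attachment")
    return reasons


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample: an in-memory ZIP holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "placeholder text, constructed for this example")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages modelled on the file names quoted on the page.
    samples = [
        ("ATTN: Invoice J-12155976", "Invoice J-12155976.doc", b"\xd0\xcf\x11\xe0"),
        ("FW: Invoice", "138AD_scan_invoice_45E288.zip",
         build_sample_zip("invoice_45E288.js")),
        ("Quarterly report", "report.pdf", b"%PDF-1.4"),
    ]
    for subj, fname, data in samples:
        print(fname, "->", triage_attachment(subj, fname, data) or "clean")
```

The check inspects ZIP member names rather than trusting the outer file name, since the page's example ZIP hides the JavaScript installer inside an archive named like a scanned invoice.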

Infection

When the document is opened, its content appears garbled and a prompt tells the user to "enable macros". Once macros are enabled, the macro downloads an executable from a remote server and runs it.

When Locky is first installed it checks whether the computer is using the Russian language and, if it is, will not encrypt the computer. Otherwise, it connects to a remote Command & Control server under the Locky developers' control and sends it the ID associated with the victim's infection. This ID is generated by taking the first 16 characters of an MD5 hash of the GUID of the storage volume that Windows is installed on. Once it sends the ID, the server responds with an RSA key that is used during the encryption process.

Locky will then create a Windows registry key that it will use to store configuration information. This registry key is located at HKCU\Software\[random]. 
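Because the victim ID is derived from the system volume's GUID as described above, a responder can tie the ID printed in a ransom note back to a specific host. The routine below is an added example, not code from the page; since the page does not say whether the hashed string includes the braces or which letter case it uses, it tries those variants and treats them as assumptions, and the volume GUID used is constructed for the demonstration.

```python
"""Derive the candidate Locky victim IDs for a volume GUID: the first 16
characters of the MD5 hash of the GUID string, per the page's description.
Added example; the GUID formatting variants are assumptions."""
import hashlib

# Constructed sample volume GUID in the form Windows reports for a volume.
SAMPLE_VOLUME_GUID = "{a1b2c3d4-e5f6-7a8b-9c0d-ef1234567890}"


def normalisations(volume_guid: str):
    """Candidate string forms of the GUID (assumption: one of these was hashed)."""
    bare = volume_guid.strip().strip("{}")
    forms = [bare, "{" + bare + "}", bare.upper(), "{" + bare.upper() + "}"]
    unique = []
    for form in forms:
        if form not in unique:
            unique.append(form)
    return unique


def candidate_ids(volume_guid: str):
    """Return the possible 16-character victim IDs for this volume."""
    ids = []
    for form in normalisations(volume_guid):
        digest = hashlib.md5(form.encode("ascii")).hexdigest()
        ids.append(digest[:16].upper())
    return ids


def matches_note_id(volume_guid: str, note_id: str) -> bool:
    """True if a ransom-note ID (e.g. F61242A1A24B711E) derives from this volume."""
    return note_id.strip().upper() in candidate_ids(volume_guid)


if __name__ == "__main__":
    for form, vid in zip(normalisations(SAMPLE_VOLUME_GUID), candidate_ids(SAMPLE_VOLUME_GUID)):
        print(f"{form:40} -> {vid}")
```

On a Windows host the volume GUID paths (\\?\Volume{...}\) can be listed with the built-in mountvol command; feeding the system volume's GUID to matches_note_id together with the ID from a note identifies which host the note belongs to.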

Locky now scans the computer's local, removable and mapped drives, and unmapped network shares, for the file types it targets for encryption. The extensions targeted by Locky are:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, 
.wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, 
.tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, 
.jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, 
.dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, 
.dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), 
.sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, 
.potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, 
.xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, 
.ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, 
.pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

When a file is encrypted, Locky generates a new AES key and encrypts the file with it. This AES key is then itself encrypted with the RSA key retrieved from the Command & Control server, and the RSA-encrypted AES key is stored in the encrypted file.

When a file is encrypted it is renamed in different formats depending on the version of Locky. Many of these extensions are named after gods from Norse and Egyptian mythology. The original extension used for encrypted files is .locky.

Locky scans all drive letters on the user's computer, including removable drives, network shares and even Dropbox mappings. In summary, if there is a drive letter on the user's computer, the ransomware will scan it for data files to encrypt.
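Since every drive letter and share is a candidate for encryption, scoping an incident means walking those locations and counting the traces Locky leaves: files renamed to the .locky extension and the _HELP_instructions.html ransom note the page names. The scanner below is an added example, not code from the page; the directory tree it builds is constructed for the demonstration and the file names in it are placeholders, not Locky's real naming scheme.

```python
"""Scope a Locky infection by counting .locky files and ransom notes under each
root (drive or share) given. Added example; sample tree is constructed."""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".locky"                  # extension the page gives for encrypted files
NOTE_NAME = "_help_instructions.html"     # ransom note file name from the page, lowercased


def scan_roots(roots):
    """Return {root: {"encrypted": n, "notes": n}} for each root showing traces."""
    report = {}
    for root in roots:
        counts = defaultdict(int)
        for _dirpath, _dirs, files in os.walk(root):
            for name in files:
                lower = name.lower()
                if lower.endswith(ENCRYPTED_EXT):
                    counts["encrypted"] += 1
                elif lower == NOTE_NAME:
                    counts["notes"] += 1
        if counts:
            report[root] = dict(counts)
    return report


def build_sample_tree():
    """Constructed sample: one 'share' with traces, one without. Returns both paths."""
    base = tempfile.mkdtemp(prefix="locky_scope_")
    hit = os.path.join(base, "finance_share")
    clean = os.path.join(base, "public_share")
    os.makedirs(os.path.join(hit, "2016"))
    os.makedirs(clean)
    traces = [
        "budget.locky",                          # placeholder names, not Locky's scheme
        os.path.join("2016", "payroll.locky"),
        "_HELP_instructions.html",
        os.path.join("2016", "_HELP_instructions.html"),
        "readme.txt",                            # untouched file, should not be counted
    ]
    for name in traces:
        with open(os.path.join(hit, name), "w") as fh:
            fh.write("constructed placeholder\n")
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("constructed placeholder\n")
    return hit, clean


if __name__ == "__main__":
    hit_root, clean_root = build_sample_tree()
    for root, counts in scan_roots([hit_root, clean_root]).items():
        print(root, counts)
```

Roots that show no traces are omitted from the report, so on a real host the list of drive letters and mapped shares can be passed in wholesale and only the affected ones come back.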

When the infection has finished scanning the computer, it attempts to delete all of the Shadow Volume Copies on the affected computer, so that the user cannot use them to restore the encrypted files. The command run to clear the Shadow Volumes is:

vssadmin.exe Delete Shadows /All /Quiet
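The shadow-copy deletion above is one of the few steps that leaves an unambiguous process-creation record, which makes it a useful detection point. The routine below is an added example, not code from the page, and runs over constructed log lines in a simple key=value format (an assumption; it is modelled loosely on exported Sysmon Event ID 1 records). It matches vssadmin invocations that delete shadows regardless of letter case and argument order, which goes slightly beyond the single command line quoted on the page.

```python
"""Flag process-creation events where vssadmin is used to delete shadow copies.
Added example; log format and sample lines are constructed assumptions."""
import re

# Constructed sample process-creation log lines (key=value, quoted command lines).
SAMPLE_LOGS = [
    'EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet"',
    'EventID=1 User=CORP\\alice Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe list shadows"',
    'EventID=1 User=CORP\\backup Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="VSSADMIN.EXE delete shadows /for=C: /oldest /quiet"',
    'EventID=1 User=CORP\\bob Image=C:\\Windows\\notepad.exe '
    'CommandLine="notepad.exe invoice.txt"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-blanks.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict, honouring quoted values."""
    fields = {}
    for m in FIELD.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def is_shadow_deletion(command_line: str) -> bool:
    """True when the command line runs vssadmin with both 'delete' and 'shadows'.
    Case-insensitive, since vssadmin accepts either case."""
    tokens = command_line.lower().split()
    if not tokens:
        return False
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1]
    if exe not in ("vssadmin", "vssadmin.exe"):
        return False
    return "delete" in tokens and "shadows" in tokens


def find_shadow_deletions(lines):
    """Return (user, command line) for every process-creation event that deletes shadows."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("EventID") == "1" and is_shadow_deletion(fields.get("CommandLine", "")):
            hits.append((fields.get("User", "?"), fields["CommandLine"]))
    return hits


if __name__ == "__main__":
    for user, cmd in find_shadow_deletions(SAMPLE_LOGS):
        print(f"ALERT shadow copy deletion by {user}: {cmd}")
```

The second sample line (vssadmin.exe list shadows) is a benign administrative use and is deliberately left unflagged; the rule keys on the delete action, not on vssadmin itself.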

Now that the computer's data has been encrypted, Locky displays the ransom note %UserProfile%\Desktop\_HELP_instructions.html. An example of the ransom note text is:

*+_+~~-+~=~*$$-

!!! IMPORTANT INFORMATION !!!!




All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our 
secret server.
To receive your private key follow one of the links:
1. http://25z5g623wpqpdwis.tor2web.org/F61242A1A24B711E
2. http://25z5g623wpqpdwis.onion.to/F61242A1A24B711E
3. http://25z5g623wpqpdwis.onion.cab/F61242A1A24B711E


If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 25z5g623wpqpdwis.onion/F61242A1A24B711E
4. Follow the instructions on the site.


!!! Your personal identification ID: F61242A1A24B711E !!!


+$.+~-=*-.*.~.
=|++~--~=$_-|_
_=$.._

Locky also changes the wallpaper. It then demands a payment of between 0.5 and 2 Bitcoins (roughly $208 to $800) in exchange for the decryption key.

Antivirus software that is able to remove ransomware can remove this virus.

Media

Locky Ransomware Demonstration

How to Remove Locky Virus Ransomware File Encyption