Dridex Actors Get In the Ransomware Game With "Locky"

Overview

Proofpoint researchers have discovered a new ransomware named "Locky" being distributed via MS Word documents with malicious macros. While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the last year.

 

Spam

As with most malware campaigns this year, actors are distributing Locky through document attachments spam. In this campaign, messages from random senders with the subject "ATTN: Invoice J-12345678" deliver an attachment "invoice_J-12345678.doc". The attachments are MS Word documents containing macros which download and install the Locky ransomware, first observed by Proofpoint on February 16, 2016.

The botnet (a group of infected machines running a spam bot) delivering the spam is the same botnet that distributes the vast majority of messages bearing the Dridex banking Trojan. In the past, this botnet delivered Dridex botnet IDs 120, 122, 123, 220, 223, 301 (among others), as well as some other non-Dridex malware such as Ursnif (for example on 1-5-2016), Nymaim (12-15-2015), TeslaCrypt (12-14-2015), and Shifu (10-07-2015).

Figure 1 : Email lure associated with Locky

The actors behind Locky are clearly taking a cue from the Dridex playbook in terms of distribution. Just as Dridex has been pushing the limits of campaign sizes, now we're seeing even higher volumes with Locky, rivaling the largest Dridex campaigns we have observed to date.

Coincidentally, the same day we tracked the large spam campaign, we also spotted Locky being distributed in a Neutrino thread usually spreading Necurs. When run on the same virtual machine, the document from both the Neutrino drop and the spam emails generate the same individual ID, point to the same Bitcoin wallet, and appear to use the same infrastructure. This can be explained either by a common actor or, more likely, by a distribution in affiliate mode.

Figure 2 : Locky being dropped by the Neutrino EK

When users open the attached document, they must enable macros to be infected.

Figure 3: Attachment showing macro enabling

 

Locky Ransomware

The ransomware encrypts files based on their extension and uses notepad to display the ransom message (Figure 5). Additionally, it replaces the Desktop background with the ransom message (Figure 4). If the user visits the .onion (or tor2web) links specified in the ransom message, s/he is instructed to buy Bitcoins, send them to a certain Bitcoin address, and then refresh the page to wait for the decryptor download. We have not confirmed if the decryptor will actually be provided if the user pays.

Figure 4: Desktop background after Locky is installed

Figure 5: Ransom message displayed in notepad

Figure 6: Decryption website

Locky encrypts most of the useful file formats on the user's local disk drives; some reports are emerging that Locky also encrypts files on mapped shared drives. The affected file formats are listed below:

.m4u | .m3u | .mid | .wma | .flv | .3g2 | .mkv | .3gp | .mp4 | .mov | .avi | .asf | .mpeg | .vob | .mpg | .wmv | .fla | .swf | .wav | .mp3 | .qcow2 | .vdi | .vmdk | .vmx | .gpg | .aes | .ARC | .PAQ | .tar.bz2 | .tbk | .bak | .tar | .tgz | .gz | .7z | .rar | .zip | .djv | .djvu | .svg | .bmp | .png | .gif | .raw | .cgm | .jpeg | .jpg | .tif | .tiff | .NEF | .psd | .cmd | .bat | .sh | .class | .jar | .java | .rb | .asp | .cs | .brd | .sch | .dch | .dip | .pl | .vbs | .vb | .js | .asm | .pas | .cpp | .php | .ldf | .mdf | .ibd | .MYI | .MYD | .frm | .odb | .dbf | .db | .mdb | .sql | .SQLITEDB | .SQLITE3 | .asc | .lay6 | .lay | .ms11 (Security copy) | .ms11 | .sldm | .sldx | .ppsm | .ppsx | .ppam | .docb | .mml | .sxm | .otg | .odg | .uop | .potx | .potm | .pptx | .pptm | .std | .sxd | .pot | .pps | .sti | .sxi | .otp | .odp | .wb2 | .123 | .wks | .wk1 | .xltx | .xltm | .xlsx | .xlsm | .xlsb | .slk | .xlw | .xlt | .xlm | .xlc | .dif | .stc | .sxc | .ots | .ods | .hwp | .602 | .dotm | .dotx | .docm | .docx | .DOT | .3dm | .max | .3ds | .xml | .txt | .CSV | .uot | .RTF | .pdf | .XLS | .PPT | .stw | .sxw | .ott | .odt | .DOC | .pem | .p12 | .csr | .crt | .key

Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation):

vkrdbsrqpi[.]de                               
jaomjlyvwxgdt[.]fr                         
wpogw[.]it                         
ofhhoowfmnuihyd[.]ru

We detected several filesystem IOCs (files, registry keys used for persistence, etc):

Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Locky
Registry: HKCU\Software\Locky\id
Registry: HKCU\Software\Locky\pubkey
Registry: HKCU\Software\Locky\paytext
File: C:\Users\(username)\AppData\Local\Temp\ladybi.exe
File: C:\Users\(username)\Documents\_Locky_recover_instructions.txt
Command: vssadmin.exe Delete Shadows /All /Quiet
Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_Locky_recover_instructions.txt

As both endpoint and network protection measures become increasingly capable of handling the ransomware that made headlines in the last couple of years (CryptoLocker, CryptoWall, etc.), new variants and strains will continue to emerge. Check back later this week for a complete rundown of several new ransomwares that are making the rounds in the wild.

 

IOCs

Sample hashes
e95cde1e6fa2ce300bf778f3e9f17dfc6a3e499cb0081070ef5d3d15507f367b (Neutrino EK)
5466fb6309bfe0bbbb109af3ccfa0c67305c3464b0fdffcec6eda7fcb774757e (attachment)

Filesystem IOCs (files, registry keys used for persistence, etc):
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Locky
Registry: HKCU\Software\Locky\id
Registry: HKCU\Software\Locky\pubkey
Registry: HKCU\Software\Locky\paytext
File: C:\Users\(username)\AppData\Local\Temp\ladybi.exe
File: C:\Users\(username)\Documents\_Locky_recover_instructions.txt
Command: vssadmin.exe Delete Shadows /All /Quiet
Command: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_Locky_recover_instructions.txt

Payloads downloaded by macro:
[hxxp://www.iglobali[.]com/34gf5y/r34f3345g.exe]
[hxxp://www.southlife[.]church/34gf5y/r34f3345g.exe]
[hxxp://www.villaggio.airwave[.]at/34gf5y/r34f3345g.exe]
[hxxp://www.jesusdenazaret[.]com.ve/34gf5y/r34f3345g.exe]
[hxxp://66.133.129[.]5/~chuckgilbert/09u8h76f/65fg67n]
[hxxp://173.214.183[.]81/~tomorrowhope/09u8h76f/65fg67n]
[hxxp://iynus[.]net/~test/09u8h76f/65fg67n]

Locky C2:
[hxxp://109.234.38[.]35/main.php]
[hxxp://lneqqkvxxogomu[.]eu/main.php]
[hxxp://qpdar[.]pw/main.php]
[hxxp://ydbayd[.]de/main.php]
[hxxp://ssojravpf[.]be/main.php]
[hxxp://gioaqjklhoxf[.]eu/main.php]     
[hxxp://txlmnqnunppnpuq[.]ru/main.php]

Payment URIs (Locky asks user to click these links):
[hxxp://6dtxgqam4crv6rr6.tor2web[.]org]
[hxxp://6dtxgqam4crv6rr6.onion[.]to]
[hxxp://6dtxgqam4crv6rr6.onion[.]cab]
[hxxp://6dtxgqam4crv6rr6.onion[.]link]
[hxxps://6dtxgqam4crv6rr6[.]onion]

 

Tuesday, February 16, 2016 - 18:15
Proofpoint Staff

Add new comment

Filtered HTML

  • Allowed HTML tags: <em> <strong> <cite> <blockquote> <s> <sub> <sup> <i> <b> <li> <ul> <ol> <u> <a> <p> <br /> <img>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.