
Locky malware holds files for ransom

Wednesday 11 May 2016, 5:02AM

By John Viser

Unlike most of the file-encrypting ransomware strains in the wild, the one called Locky hits unmapped network shares as well as mapped ones and local hard disk volumes. Another unusual trait is the way it gets inside Windows computers.

The ransomware operators originally chose a technique based on a Microsoft Office macro vulnerability rather than exploit kits or the more widespread JavaScript-based mechanism delivered through ZIP archives. Back in February 2016, they ran a bulk email campaign that delivered a rogue invoice to hundreds of thousands of users. When first opened, the document showed only unintelligible symbols, and users were prompted to enable macros in order to read the contents. Those who followed this recommendation unknowingly allowed the criminals to stealthily trigger the ransomware loader via a security loophole. More recent attack incidents, however, have used batch files to execute the binary.

This crypto ransomware scans the hard disk and network data repositories for files that meet predefined criteria. In particular, it looks for items with popular extensions corresponding to personal documents, photos, videos, databases and many other types of potentially sensitive data. The infection then encrypts every such file with the AES-128 algorithm and encrypts the AES key with RSA-2048. The resulting cipher is uncrackable: decryption requires the private RSA key, and that key is kept on a remote C2 server rather than on the infected PC's hard disk. Additionally, the ransomware changes the filenames and appends the .locky extension to them.
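The renamed files with the .locky extension are the most visible artifact the article describes, and the same scan can be pointed at a mounted share as easily as at a local disk. The following is an added example (not from the article or from any vendor tool) of a simple defender-side check: it walks a directory tree, counts .locky files per directory, and flags directories where the share of renamed files crosses an assumed threshold; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

LOCKY_EXT = ".locky"   # extension the article says Locky appends to encrypted files
ALERT_RATIO = 0.5      # assumed threshold: alert once half of a directory's files are renamed


def scan_for_locky(root):
    """Walk a tree (local volume or a mounted share path) and report files
    carrying the .locky extension, both per directory and in total."""
    root = Path(root)
    per_dir = {}
    total = 0
    renamed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        if not filenames:
            continue
        hits = [f for f in filenames if f.lower().endswith(LOCKY_EXT)]
        total += len(filenames)
        renamed += len(hits)
        ratio = len(hits) / len(filenames)
        rel = str(Path(dirpath).relative_to(root))
        per_dir[rel] = {"files": len(filenames), "locky": len(hits), "alert": ratio >= ALERT_RATIO}
    return {"total_files": total, "locky_files": renamed, "dirs": per_dir}


def build_sample_tree():
    """Constructed sample data: a scratch directory with untouched documents
    and a second folder where most files have been renamed with .locky."""
    base = Path(tempfile.mkdtemp(prefix="locky_demo_"))
    (base / "docs").mkdir()
    (base / "photos").mkdir()
    for name in ("report.docx", "budget.xlsx", "notes.txt"):
        (base / "docs" / name).write_bytes(b"plain content")
    # Locky-style result: opaque hex-looking names plus the .locky suffix (constructed)
    for name in ("A1B2C3D4E5F60718.locky", "0F1E2D3C4B5A6978.locky", "holiday.jpg"):
        (base / "photos" / name).write_bytes(b"\x00\x01\x02")
    return base


if __name__ == "__main__":
    report = scan_for_locky(build_sample_tree())
    for d, info in report["dirs"].items():
        print(d, info)
```

Run against a real share root it only reads names, so it is safe to schedule as a periodic sweep.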

The ransom demanded by this threat is 0.5 BTC, approximately 200 USD. Victims are directed to a Tor site titled the Locky Decrypter Page, where they receive the Bitcoin address to send the ransom to. Full decryption is only possible with the private key, so paying the ransom appears to be the only applicable way to recover the files. Some security researchers suggest that infected users try tools like Shadow Explorer to restore part of the files, but this does not always help because the Trojan may disable VSS (Volume Shadow Copy Service). Under the circumstances, having an up-to-date file backup is the best way out.