Locky is one of the most widely distributed and infamous threats in the ransomware landscape. First detected in February 2016, Locky spread very quickly, proving to be both sneaky and effective. Its usual dispatch chain relied on massive spam campaigns, leveraging freshly compromised domains to improve its chances of passing under the radar of the various security solutions. To the surprise of the whole infosec community, the people behind Locky went dark around the end of May, only to resume their operations about three weeks later. Our hypothesis was a possible connection with the arrest of 50 Russian hackers by the FSB, or with the outage of the Necurs botnet, used as the dispatch network. Coincidence or not, during this “break” we detected only residual activity in the distribution of Locky.
When operations resumed, they did so in style: the first campaign we detected took advantage of 50 compromised domains, a pace that has been sustained for weeks. This consistency is a sign that the people behind Locky have a clear plan and very good execution skills. What is remarkable is that, day after day, the various payloads went almost completely undetected, not an easy feat for one of the most widely distributed pieces of ransomware. Locky continued to evolve after the break, adding at least one new client to its distribution operations and later changing the extension of encrypted files from .locky to .zepto.
Did something change between before and after the break? Was the break due to the arrests, or to an overhaul of the code base? Did the Necurs botnet outage affect the distribution chain for the whole period? To try to answer these questions we dug into the data acquired by our sensors, highlighting the differences and the evolution of this ransomware from February until today.
Locky’s dispatching strategy can be summarised in a few steps:
- Compromise a legitimate webserver to host Locky’s dropper
- Take advantage of the Necurs botnet to dispatch the spam messages
No particular differences can be spotted in the email bodies between the pre-break and post-break campaigns, as shown below:
Email sample 1
Dear [NAME],
Attached please find the documents you requested..
King regards
Kaitlin Walton
Financial Director – Multinational Group
Mon, 27 Jun 2016 20:16:52 -0200
Email sample 2
Hi [NAME],
Ive attached the report you asked me to send.
Regards
Dee Christensen
Director, Digital Communications
The same holds for the subjects. The most recent ones we have observed are:
FW:photo you asked
Final version of the report
RE:photo you asked
photo you asked
Locky is sold on the black market as a RaaS (Ransomware-as-a-Service), a model similar to that of the various app stores, where the distribution platform takes a cut of every application sold. In Locky’s case the affiliates take care of the distribution, while the authors manage the backend infrastructure and take a cut every time an affiliate’s victim pays the ransom. This structure removes a lot of friction, since affiliates only have to care about their distribution strategy.
Each affiliate is identified by a number, carried in the affid parameter (affiliation ID), so by tracking the different affiliation IDs we can study how each affiliate operates. We did not notice any particular evolution or difference for any affiliate other than affid 1, which is thought to belong to the original authors. For affid 1 we have observed a gradual evolution both in the obfuscation techniques, aimed at lowering detection by the various antivirus engines, and in the loader capabilities.
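As an added example (not code from the original post), the following Python snippet shows how the affid could be pulled out of Locky check-in traffic to group samples per affiliate. It assumes the plaintext key/value layout (id=...&act=getkey&affid=N&...) reported in public analyses of Locky’s C2 protocol; the bodies below are constructed and the sample names are placeholders.

```python
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample check-in bodies (NOT real captures). The key/value layout
# is an assumption taken from public write-ups of Locky's C2 protocol; the
# post itself only names the affid parameter.
SAMPLE_CHECKINS = [
    ("sample_a", "id=0123456789ABCDEF&act=getkey&affid=1&lang=en&corp=0&serv=0&os=Windows+7&sp=1&x64=1"),
    ("sample_b", "id=FEDCBA9876543210&act=getkey&affid=3&lang=de&corp=1&serv=0&os=Windows+10&sp=0&x64=1"),
    ("sample_c", "id=00FF00FF00FF00FF&act=getkey&affid=1&lang=it&corp=0&serv=1&os=Windows+8.1&sp=0&x64=0"),
    ("sample_d", "id=not-a-checkin&foo=bar"),  # malformed / unrelated POST
]


def parse_checkin(body: str) -> Optional[dict]:
    """Parse a plaintext Locky-style check-in body into a dict.

    Returns None when the body does not look like a check-in (missing act or
    affid, non-hex victim id, non-numeric affid) so that unrelated POSTs are
    never attributed to an affiliate.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "act" not in fields or "affid" not in fields:
        return None
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", fields.get("id", "")):
        return None
    try:
        fields["affid"] = int(fields["affid"])
    except ValueError:
        return None
    return fields


def group_by_affiliate(checkins):
    """Map affid -> list of sample names, skipping bodies that fail to parse."""
    groups = defaultdict(list)
    for name, body in checkins:
        parsed = parse_checkin(body)
        if parsed is None:
            continue
        groups[parsed["affid"]].append(name)
    return dict(groups)


if __name__ == "__main__":
    for affid, samples in sorted(group_by_affiliate(SAMPLE_CHECKINS).items()):
        print(f"affid={affid}: {', '.join(samples)}")
```

In practice the body only looks like this after the sample's C2 encryption layer has been stripped; the parser is deliberately strict about the victim id and the affid so a decryption failure produces no attribution rather than a wrong one.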
From the end of May until about 20 June, the Locky actors stopped their spam campaigns. It is curious that this happened at the same time as the arrests in Russia reported in this Reuters article. The only difference we spotted in Locky’s comeback is the parameter passed to the Locky dropper, which changed from “123” to “321”: very little imagination after all.
Another interesting change concerns the attachment: in the first half of May it was spotted in the wild as an HTA file. One sample can be found here.
Thanks also to the Malware Corpus Tracker maintained by @h3x2b, we have analysed ~550 compromised domains. We split the analysis as follows:
- compromised domains from March until ~30 May, which we call Pre-Break
- compromised domains from ~20 June until today, which we call Post-Break
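The split described above, as an added example that is not part of the original post: given (domain, first-seen) records, the script below assigns each domain to the Pre-Break window, the Post-Break window or the gap between them, reports which hosts were reused across the break, and counts observations per ISO week to show the campaign pace. The observations are constructed (reserved example names, invented dates) and the window boundaries are the approximate dates given in the post.

```python
from collections import Counter
from datetime import date

# Constructed observations (domain, first-seen date). These are NOT the post's
# data: the domains are reserved example names and the dates are invented to
# exercise each window.
OBSERVATIONS = [
    ("example-shop.test", date(2016, 3, 14)),
    ("blog.example.org", date(2016, 4, 2)),
    ("cdn.example.net", date(2016, 5, 28)),
    ("quiet.example.net", date(2016, 6, 8)),    # residual activity inside the gap
    ("news.example.com", date(2016, 6, 21)),
    ("Example-Shop.test.", date(2016, 6, 22)),  # same host as the first entry, reused
    ("forum.example.org", date(2016, 7, 5)),
]

# Window boundaries as given in the post (approximate dates).
PRE_BREAK_END = date(2016, 5, 30)
POST_BREAK_START = date(2016, 6, 20)


def normalise(domain: str) -> str:
    """Lower-case and strip a trailing dot so the same host is counted once."""
    return domain.strip().lower().rstrip(".")


def classify(seen: date) -> str:
    """Assign a first-seen date to the pre-break, gap or post-break window."""
    if seen <= PRE_BREAK_END:
        return "pre"
    if seen >= POST_BREAK_START:
        return "post"
    return "gap"


def split_campaign(observations):
    """Return sorted domain lists per window plus the pre/post overlap."""
    windows = {"pre": set(), "post": set(), "gap": set()}
    for domain, seen in observations:
        windows[classify(seen)].add(normalise(domain))
    return {
        "pre": sorted(windows["pre"]),
        "post": sorted(windows["post"]),
        "gap": sorted(windows["gap"]),
        "reused": sorted(windows["pre"] & windows["post"]),
    }


def observations_per_week(observations):
    """Count observations per ISO (year, week) to see the weekly campaign pace."""
    counts = Counter()
    for _, seen in observations:
        year, week, _ = seen.isocalendar()
        counts[(year, week)] += 1
    return dict(counts)


if __name__ == "__main__":
    result = split_campaign(OBSERVATIONS)
    for name in ("pre", "gap", "post", "reused"):
        print(f"{name:>6}: {len(result[name])} {result[name]}")
    for (year, week), n in sorted(observations_per_week(OBSERVATIONS).items()):
        print(f"{year}-W{week:02d}: {n}")
```

The "gap" bucket is kept separate rather than folded into either window, so that the residual activity seen during the break does not inflate the Pre-Break or Post-Break counts.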
Affiliation ID differences
Tracking recent Locky campaigns, we have observed differences between affiliation ID 1 and affiliation ID 3. These differences fall into two areas:
- Number and URL format of the compromised domain contacted;
- Unpacking stage.
Affiliation ID 1
Affiliation ID 3
From Locky to Zepto
One of the biggest recent changes to Locky is the extension appended to encrypted files: .zepto instead of the old .locky.
The list of targeted extensions (182 entries) also changed: 31 file extensions were added and 9 removed. Below the lists:
Added (31):
.001 .002 .003 .004 .005 .006 .007 .008 .009 .010 .011 .apk .asset .bik .bsa .d3dbsp .das .forge .iwi .lbf .litemod .litesql .ltx .m4a .n64 .onetoc2 .pst .re4 .sav .upk .wallet
Removed (9):
.7z .cs .db .gz .js .pl .rb .sh .vb
No other big differences spotted.