HKCert
Security Blog

An aggressive campaign of Locky ransomware

Release Date: 18 / 03 / 2016
Last Update: 06 / 04 / 2016

An aggressive campaign of a new ransomware Locky is observed. Locky became active since February 2016. It encrypts files found on victims’ computers or network shares and adds a ".locky" file extension to them. Because strong encryption algorithms (RSA and AES) were used, infected files became practically unrecoverable. Locky display a ransom note in local language, demanding a ransom of 0.5 to 1 bitcoin (1 bitcoin = approximately HKD 3,200) in exchange of the decryption keys (See Figure 1).

 

 figure1

 Figure 1. Locky displays the ransom note in localized language as wallpaper

 

Locky ransomware in the wild

 

Cyber criminals are aggressively pushing Locky through global spam campaign and massive compromised websites. Locky is spreading very fast on the Internet. As of March 18, HKCERT received 18 reports of Locky ransomware, with 11 received in the past two days. The victims included SMEs and non-government organizations. From the outreach to education sector we believe there should be many more unreported cases.

 

Locky’s bitcoins ransom collection website is the same as that of some other ransomwares. It is hidden inside the Tor network. A possible evidence of rapid growth of the malware is reflected in the sharp rise in unique .onion address used for Tor’s hidden services (Known as .onion sites) for illegal purposes (see Figure 2). 

 

figure2

Figure 2. Number of unique .onion address (Source: https://metrics.torproject.org)

 

Global spam campaign

 

One main path of infection is through spam email campaign. Many of the scam messages disguise as invoices or payment voucher (see Figure 3). The senders were from the victims’ email domain or unknown senders. 

Figure 3. Example of Spam Email Messages 
 
The email attachments are Word or Excel files containing a malicious macros, or a “.zip” file containing a malicious “.js”. The victim is prompted to enable macro feature (see Figure 4). Once the macro is granted to run, it will install Locky onto the victim’s computer. 
 
Figure 4.  Do not turn on malicious Macros in Word Doc 
 

Distributed via Massive Compromised Website

 
The hackers also deploy Locky to the victims by compromised website. The infected websites are injected with some malicious scripting code. Visitors of the websites are redirected to another exploit website. The exploit website serves attack on vulnerabilities of the vistors’ systems and installed applications. The attack mainly target Microsoft Internet Explorer browser. The Locky malware will be downloaded to victims' computer.
 

Features making Locky dangerous

 
Locky is equipped with advanced features, such as time based domain generation algorithm, custom encryption communication, TOR network support , BitCoin Payment function, strong file encryption algorithm(RSA-2048+AES128) and is able to encrypt over 160 different file types. Cyber criminals have managed to spread the malware in a very short of time. Besides the effort in spam campaign, the low detection rate of new sample (as shown on VirusTotal) is also a contributing factor.
 

Mitigating Risks of Locky Malware

 
HKCERT issued a security bulletin on Locky on 18 March 2016. You can refer to this URL: https://www.hkcert.org/my_url/en/alert/16031701.
Users are advised to take these steps to mitigate the risks:

 

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Do not enable it if in doubt.
  • Regularly backup the files stored on your computer, and keep an offline copy of the backup.
  • Always keep your security software up to date.
  • Keep your operating system and other software updated.
  • Once infected, isolate the infected computer from the network and external storage immediately. Do not open any file before clearing the malware.
  • We do not recommend paying the ransome.
 
Conclusion
 
Locky ransomware is currently a hot topic in ransomware sphere. Cyber criminals are making a lot of profit out of it so they will continue to make it very popular. Unfortunately, there is no easy ways to get data back once you get infected. So you should take our advice to prevent and prepare for its attack.
 

Reference