Huge wave of Locky Ransomware spread via Javascript spam (Feb 19th, 2016)

The Dell Sonicwall Threats Research team have come across a new ransomware family called Locky. Ransomware is still on the rise and is showing no signs of stopping anytime soon. As predicted, the Dell Sonicwall Threats Research Team have seen an increase in new ransomware malware families and ransomware targeted at large corporations. It has even made recent headline news with the story of US hospital having to pay up $17,000 in bitcoins in order to recover critical files. our analysts identified the malicious executable as being associated with ransomware as a service (RaaS). Threat actors can configure these types of executables to encrypt various files found on an infected system. The RaaS provider then takes a portion of the ransom paid by victims as payment. Ransomware is an increasingly lucrative business and the Locky variant is yet another malware family trying to cash in on a growing criminal market.

Infection Cycle:

The Trojan is spread via email spam using a javascript attachment. The scripts are polymorphic. Each copy [Detected as GAV: JS.Camelot.A (Trojan)] is uniquely obfuscated using words from the english dictionary:

The script downloads the Locky ransomware executable file and runs it:

The Locky Trojan executable file uses the following icon:

The Trojan makes the following DNS queries:

wblejsfob.pw
cgavqeodnop.it
kqlxtqptsmys.in
pvwinlrmwvccuo.eu
sso.anbtr.com

The Trojan adds the following files to the filesystem:

• %USERPROFILE%Cookies_Locky_recover_instructions.txt
• %USERPROFILE%Desktop_Locky_recover_instructions.bmp
• %USERPROFILE%Desktop_Locky_recover_instructions.txt

The Trojan encrypts various user created files on the system and sends the encryption keys to a remote key storage server:

It then causes the following two messages to be displayed on the desktop:

The links above lead to a page hosted on the TOR anonymity network. The page instructs the user on how to make a payment in bitcoins to restore their files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

• GAV: Locky.A (Trojan)
• GAV: JS.Camelot.A (Trojan)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.