Locky Strike: Smoking the Locky Ransomware Code

Presented at VB2016, Oct. 7, 2016, 9:30 a.m. (30 minutes).

In late January this year, an unknown Tor onion-based ransomware payment page surfaced. The new hidden site didn't attract much attention; it was likely "just another" script kiddie trying to get into the ransomware business. However, the third week of February saw a massive ransomware campaign that landed on at least 90,000 PCs per day [[1](#ref1)] around the world, one that pointed victims to the exact same Tor onion site in order to pay the ransom. The ransomware's name was "Locky". At that point it became apparent not only that Locky is the work of experienced cybercriminals, but also that it is a major ransomware threat that end-users and enterprises now face. In fact, Locky's early variants show attributes that lead us to believe it will become a prominent ransomware family alongside CryptoWall and TeslaCrypt.

In this paper, we will delve into the technical details of the Locky ransomware, focusing on three technical aspects: its system behaviour, its domain generation algorithm (DGA), and its C&C communication. Initially, we will discuss Locky's prevalence in the wild and how it behaves once it lands on a PC. We will then look at the details of its DGA and how we are able to simulate it in an automated fashion to harvest C&C domains. The paper will also explore Locky's obfuscated C&C communications, including its parameters, encryption and decryption. Building on these findings, we will demonstrate how we successfully spoofed HTTP requests to the C&C servers to force them to respond with specific information, such as the targeted countries. The paper will conclude with insights into Locky's operation and how these findings ultimately translate into actionable threat intelligence that can be used to protect users.

[1] https://www.forbes.com/sites/thomasbrewster/2016/02/18/ransomware-hollywood-payment-locky-menace/#48414f3975b0

Presenters:

  • Roland Dela Paz - Fortinet
    Roland Dela Paz is a senior security researcher at Fortinet. He is a graduate of the University of Santo Tomas, Philippines, with a Bachelor's degree in information technology. Prior to joining Fortinet, Roland worked as a malware researcher at Trend Micro for five years and as an anti-malware analyst at Microsoft for two years. He is passionate about threat intelligence, attack correlation, attacker attribution and cybercrime trends. Roland regularly shares his research through blogs, presentations and whitepapers. Outside work, Roland likes to play the guitar, work out and travel.
  • Rommel Joven - Fortinet
    Rommel Joven is a junior security researcher at Fortinet. He finished his Bachelor's degree in electronics engineering at Saint Louis University in 2012. Prior to joining Fortinet, he started his career in cybersecurity and reverse engineering at Trend Micro as a threat response engineer. As a newcomer to the field, he has developed a strong interest in cybersecurity and is keen to learn more. He is now further involved in hunting new malware ranging from ransomware to targeted attacks. He is a contributor to Fortinet's Security Research blog, where he writes about recent malware such as Cryptowall and Blackmoon. In his spare time, he enjoys sports such as basketball and playing online games.
  • Floser Bacurio - Fortinet
    Floser Bacurio Jr is a senior security researcher at Fortinet. He acquired his Bachelor's degree in computer engineering at the Lyceum of the Philippines University. Prior to joining Fortinet, Floser worked as a senior threat response engineer at Trend Micro for seven years. He has more than eight years' experience in in-depth malware analysis and threat research, the creation of generic and heuristic signatures, and the development of tools and systems. Currently, Floser is involved in malware hunting and the development of automated systems for malware intelligence gathering. Outside work, Floser likes outdoor activities such as backpacking, camping and travelling.
