Ransomware-Locky is a ransomware that scramble the contents of a computer or server (associated network shares ,both mapped and unmapped and removable media) and demands payment to unlock it "usually by anonymous decentralized virtual currency BITCOINS".
- Domain Generation Algorithm (DGA)
- Mapped / Unmapped Network share discovery
- Restore point deletion
The contents of the original files are encrypted (renamed to .locky) using an RSA-2048 and AES-1024 algorithm.The compromised user has to pay the attacker to get the files decrypted.
The primary modus operandi of Locky is via spammed emails that come with an attachment in the form of a MACRO ENABLED Microsoft Office document file with catchy subjects similar to ATTN: Invoice J-98223146 / invoice_J-12345678.doc / Rechnung-54-110090.xls
Once MACROS are trick to be enabled, the embedded downloads Locky, stores it in the Temp folder and executes it. Once installed Locky scraps the file systems (and unmapped shares also), with certain extensions (.pptx, .pptm, .dotm, .dotx, .docm, .docx, .RTF,. DOC, .pem,.crt, .key, wallet.dat,.pdf, .XLS, .PPT,,tar.bz2, .bak, .tar, .tgz, .rar, .zip, .bmp, .png, .gif, .jpeg, .jpg, .tif, .tiff, .bat, .class, .jar, .java, .asp, .vbs,.cpp, .php,.sql etc) and scrambles it and renaming it to [unique_id][identifier].locky
As part of the initial infection process, Locky deletes the volume shadow copy files hence preventing restoring the system to an earlier steady state by "vssadmin.exe Delete Shadows /All /Quiet"
Major File System Changes
Presence of registry keys
HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Run "Locky" = "LOCKY PATH"
HKCU\Software\Locky\id - The unique ID assigned to the victim.
HKCU\Software\Locky\pubkey - The RSA public key.
HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
Locky [leverages Domain Generation Algorithm (DGA] is reported as making network connection to the following :
126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, avp-mech.ru, bebikiask.bc00.info, cgavqeodnop.it,
cms.insviluppo.net, dltvwp.it, kqlxtqptsmys.in, neways-eurasia.com.ua, premium34.tmweb.ru, pvwinlrmwvccuo.eu, sso.anbtr.com, test.rinzo.biz, tramviet.vn,
uponor.otistores.com, uxvvm.us, wblejsfob.pw
A detailed list of Indicators of compromise including domains, IP's, Malware HASH listed IOC here