Locky has been a constant in the malware zoo for a considerable time. And while we are aware that there are still victims being hit by the variant sporting the .ODIN extension, in this post we are going to have a look on its statistical data and an in-depth analysis at yet another two later flavors: .SH*T and .THOR. Furthermore, an update to this article takes a look at the recently released variant with the .AESIR extension.
Since .ODIN came to our attention, G DATA has been monitoring its activity in the wild. Based on the statistical data that we have gathered, .ODIN was very rampant in European region especially in countries like Germany and Netherlands mostly targeting business-to-business (B2B) companies.
Within G DATA’s customer base, the proliferation of .ODIN detections happened a few weeks after its reported release in the wild. The rate of novel infection attempts was decreased after the release of the next two Locky variants.
Locky was on a rampage again by releasing two more consecutive variants last October. An unpleasant .SH*T variant was deployed around third week of last month followed by .THOR variant few days after. There were no notable feature differences found among the last three variants except for the obviously new file extension.
The way the recent Locky variants work has not changed, yet. Its distribution method still relies mostly through Nuclear Exploit Kit which uses compromised websites; and the technique on infecting their victims and dropping of payloads remain the same. However, there are recent indications regarding a high possibility of Locky adapting to a different distribution and execution technology.
Recently, a new Dridex campaign was seen utilizing an established and effective method of using PowerShell command by exploiting the known LNK vulnerability. Locky is now expected to move away momentarily from using malicious script attachments in its spam campaign to evade detection. According to Microsoft’s recent technical blog, “the Locky ransomware writers, possibly upon seeing that some emails are being proactively blocked”, could have prompted the change in tactic. Few cases were seen tied to .ODIN but none so far for the latest Locky variants.
New Locky variants are executed the same way as .ODIN. They both use legitimate Windows program RUNDLL32.EXE using the following command line:
Rundll32.exe %TEMP%\[dll_name].dll,<pre-defined text argument>
Notice the shift of using a more flexible argument string that is usually pre-defined within Locky’s script component. It should be noted that the infection routine will not pursue without specifying the required command argument.
Successful execution also means success in encrypting targeted file types. Locky ransomware encrypts files found in local directories and unmapped network shares.
Both Locky variants follows the .ODIN’s naming format for the encrypted files:
It also drops ransom notes on every affected location to inform the user about the infection.
After its encryption routine, it executes the following command line to delete the system’s Shadow Volume Copies so it will be impossible for the affected user to recover their encrypted personal files:
VSSADMIN.EXE Delete Shadows /Quiet /All
To complete the infection, both variants communicate to its CnC servers by accessing the following server file:
IP Address: 220.127.116.11
ASN: AS35415 WEBZILLA, NL (registered Aug 03, 2005)
IP Location: Russian Federation Moscow Mchost.ru
IP Address: 18.104.22.168
IP Location: Ukraine Lenina Pp Sks-lugan
ASN: Ukraine AS35804 ALNET-AS, UA (registered Oct 31, 2005)
IP Address: 22.214.171.124
IP Location: Russian Federation Anzhero-sudzhensk Mediaserviceplus Ltd.
ASN: Russian Federation AS43146 AGAVA3, RU (registered Jun 14, 2007)
IP Address: 126.96.36.199
IP Location: France Roubaix Webhost Llc Dmitrii Podelko
ASN: France AS16276 OVH, FR (registered Feb 15, 2001)
IP Address: 188.8.131.52
IP Location: Russian Federation Dmitrov Internet Hosting Ltd
ASN: Russian Federation AS42632 MNOGOBYTE-AS Moscow, Russia, RU (registered Mar 23, 2007)
IP Address: 184.108.40.206
IP Location: Ukraine Kiev Hostpro Ltd.
ASN: Ukraine AS196645 HOSTPRO-AS, UA (registered Jul 29, 2009)
.ODIN continuously hitting the European region since it was released. Statistics show countries like Germany and Netherlands had been the most affected. Few weeks after its released, Locky strikes again with two of its copycats: .SH*T and .THOR. They now join the ranks of other Locky variants that cause damages to millions of users around the world. Though there seem no stark differences from .ODIN, Locky is starting to adopt another malware technology to strengthen its defenses against AV detections.
There is still no available solution to reverse the encryption without paying the ransom. However, it is still highly recommended to recover the files from backup or if lucky, from Shadow Volume Copies if it is still existing in the system.
Encrypted files were renamed with a similar format:
It drops ransom notes on every affected location to inform the user about the infection:
It also executes the following command line to delete the system’s Shadow Volume Copies so it will be impossible for the affected user to recover their encrypted personal files: VSSADMIN.EXE Delete Shadows /Quiet /All
After its encryption routine, .AESIR connects to its CnC server(s) to access the following server file: /information.cgi
Locky Script Downloaders:
.AESIR DLL binaries:
24-Nov (JST), #Locky spam email, "Attention Required". Encrypted files extension ".zzzzz". No C2 responsed. JS file https://t.co/hFZbecCa3Zpic.twitter.com/eGJQnykjxE— TMMalAnalyst (@tmmalanalyst) 24. November 2016