Locky Ransomware Gets Offline Encryption Capabilities

Blocking C&C Connections Won’t Stop Locky Ransomware

Locky, one of the most used ransomware families during the first half of the year, is now able to encrypt files without connecting to a command and control (C&C) server, Avira researchers warn.

It’s not uncommon for malware to receive updates that expand its functionality, and Locky has seen numerous improvements since it was first spotted in February this year. Distributed via spam emails carrying Office documents with malicious macros as attachments, Locky was also seen leveraging JavaScript attachments starting in March.

In April, the ransomware changed communication patterns and also started using the Nuclear exploit kit for distribution. At the end of May, while still using JavaScript attachments for distribution, Locky was also observed leveraging VBA modules in documents to avoid detection.

The new development in Locky’s evolution, however, makes detection far more difficult, as the ransomware enters an offline encryption mode if all attempts to connect to the C&C fail. The change was observed on July 12 and ensures that the ransomware can still perform its nefarious operations even if its Internet connectivity is blocked, Avira researchers say.

This behavior is similar to that of Bart ransomware, a piece of malware that emerged in late June and which was associated with the group behind Dridex and Locky. Bart didn’t require an Internet connection to perform encryption, but instead relied on a distinct victim identifier to inform the operator what decryption key should be used.

When launched, the new Locky variant first attempts to connect to the C&C servers stored in its configuration file, then to the C&C servers produced by its domain generation algorithm (DGA). If every attempt fails, the ransomware repeats the whole sequence for all C&Cs and then tries a server address from the configuration file once more. Should that second pass fail too, the malware enters the offline encryption mode.

“Previously, a system administrator could block all CnC connections and keep Locky from encrypting any files on the system. Those days are over now. Locky has now reduced the chances for potential victims to avert an encryption disaster,” Moritz Kroll, malware specialist at Avira, says.


According to Avira, the offline encryption mode kicks in about one or two minutes after the ransomware is executed, meaning that an admin observing the rogue traffic would have very little time to act and shut down the computer before the encryption starts.
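Because blocking alone no longer prevents encryption, the failover sequence itself (a burst of blocked outbound attempts to several distinct C&C and DGA destinations from one host, followed by a retry) is the signal a defender has to act on within that one-to-two-minute window. The detector below is an added illustration, not Avira's or SecurityWeek's code; the log lines are constructed, and the 120-second window and five-destination threshold are assumptions.

```python
"""Burst-of-failed-connections detector (added illustration, not Avira's or SecurityWeek's code).
Log lines are constructed; window and threshold are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <source host> <destination> <ALLOW|BLOCK>"
SAMPLE_LOG = """\
2016-07-12T09:00:01 ws-17 updates.example.com ALLOW
2016-07-12T09:00:05 ws-17 cnc-a.invalid BLOCK
2016-07-12T09:00:07 ws-17 cnc-b.invalid BLOCK
2016-07-12T09:00:12 ws-17 qxmvbjd.invalid BLOCK
2016-07-12T09:00:18 ws-17 rtyplkw.invalid BLOCK
2016-07-12T09:00:25 ws-17 zmbhgfd.invalid BLOCK
2016-07-12T09:00:31 ws-17 cnc-a.invalid BLOCK
2016-07-12T09:00:40 ws-22 mail.example.com ALLOW
2016-07-12T09:05:00 ws-22 cnc-a.invalid BLOCK
"""

WINDOW = timedelta(seconds=120)  # assumption: matches the ~1-2 minute fallback Avira reports
THRESHOLD = 5                    # assumption: distinct blocked destinations before alerting

def parse_line(line):
    ts, host, dst, result = line.split()
    return datetime.fromisoformat(ts), host, dst, result

def detect_cnc_failover(log_text, window=WINDOW, threshold=THRESHOLD):
    """One alert per host whose blocked outbound attempts reach `threshold`
    distinct destinations inside `window`; seconds_elapsed is how much of the
    pre-encryption window that host has already used up."""
    recent = defaultdict(deque)  # host -> (timestamp, destination) within the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ts, host, dst, result = parse_line(line)
        if result != "BLOCK":
            continue  # only failed/blocked attempts matter for the failover pattern
        q = recent[host]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "at": ts.isoformat(),
                           "distinct_blocked": len(distinct),
                           "seconds_elapsed": int((ts - q[0][0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect_cnc_failover(SAMPLE_LOG):
        print(alert)
```

On the constructed log the alert for ws-17 fires 20 seconds after its first blocked attempt, leaving most of the reported window to isolate the host; ws-22, with a single blocked connection, does not trigger.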

What researchers also observed is that, when in offline mode, Locky cannot obtain a victim-specific public key, because it cannot register a victim ID with the server. Instead, it uses a public key from its configuration file and generates a special ID for payment. This also means that the same key is used for all offline encryptions, so once someone has paid the ransom for their private key ID, it should be possible to reuse the same key for other victims encrypted with the same public key.

After being almost inactive for the first three weeks of June, Locky returned in full swing towards the end of the month, when the Necurs botnet came back online. Now, F-Secure researchers say that the latest Locky distribution campaigns hit a new high with more than 120,000 spam emails per hour, which is around 200 times more than normal.

The campaign started to ramp up last week, when it hit a total of 120,000 spam emails per day between Wednesday and Friday, with a peak of 30,000 hits per hour. On Tuesday this week, however, the campaign reached a new level of magnitude, F-Secure reveals.

 
