Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Locky Ransomware Gets Offline Encryption Capabilities

Blocking C&C Connections Won’t Stop Locky Ransomware

Locky, one of the most used ransomware families during the first half of the year, is now able to encrypt files without connecting to a command and control (C&C) server, Avira researchers warn.

Blocking C&C Connections Won’t Stop Locky Ransomware

Locky, one of the most used ransomware families during the first half of the year, is now able to encrypt files without connecting to a command and control (C&C) server, Avira researchers warn.

It’s not uncommon for malware to receive updates that expand functionality, and Locky has seen numerous improvements since first spotted in February this year. Distributed via spam emails containing Office documents with malicious macros as attachments, Locky was also seen leveraging JavaScript attachments starting in March.

In April, the ransomware changed communication patterns and also started using the Nuclear exploit kit for distribution. At the end of May, while still using JavaScript attachments for distribution, Locky was also observed leveraging VBA modules in documents to avoid detection.

The new development in Locky’s evolution, however, makes detection far more difficult, as it enters an offline encryption mode if all attempts to connect to the C&C fail. The change was observed on July 12 and ensures that the ransomware can still perform its nefarious operations even if its Internet connectivity was blocked, Avira researchers say.

This behavior is similar to that of Bart ransomware, a piece of malware that emerged in late June and which was associated with the group behind Dridex and Locky. Bart didn’t require an Internet connection to perform encryption, but instead relied on a distinct victim identifier to inform the operator what decryption key should be used.

When launched, the new Locky variant attempts to connect to the C&C servers stored in its configuration file, then to the C&C servers from the Domain generation algorithm (DGA). If it fails, the ransomware repeats the process for all C&Cs, then it tries a server address from the configuration file. Should the second attempt fail too, the malware would enter the offline encryption mode.

“Previously, a system administrator could block all CnC connections and keep Locky from encrypting any files on the system. Those days are over now. Locky has now reduced the chances for potential victims to avert an encryption disaster,” Moritz Kroll, malware specialist at Avira, says.

According to Avira, the offline encryption mode kicks in about one or two minutes after the ransomware is executed, meaning that an admin observing the rogue traffic would have very little time to act and shut down the computer before the encryption starts.

What researchers also observed is that, when in offline mode, Locky cannot get a victim-specific public key, because it cannot directly register a victim ID with the server. This means that it uses a public key from the configuration file and generates a special ID for payment. However, it also means that the same key is used for all offline encryptions and that, once someone has paid the ransom for their private key ID, it should be possible to reuse the same key for other victims with the same public key.

After being almost inactive for the first three weeks of June, Locky returned in full swing towards the end of the month, when the Necurs botnet came back online. Now, F-Secure researchers say that the latest Locky distribution campaigns hit a new high with more than 120,000 spam emails per hour, which is around 200 times more than normal.

The campaign started to ramp up last week, when it hit a total of 120,000 spam emails per day between Wednesday and Friday, with a peak of 30,000 hits per hour. On Tuesday this week, however, the campaign reached a new level of magnitude, F-Secure reveals.


Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...