Blocking C&C Connections Won’t Stop Locky Ransomware
Locky, one of the most used ransomware families during the first half of the year, is now able to encrypt files without connecting to a command and control (C&C) server, Avira researchers warn.
It’s not uncommon for malware to receive updates that expand functionality, and Locky has seen numerous improvements since first spotted in February this year. Distributed via spam emails containing Office documents with malicious macros as attachments, Locky was also seen leveraging JavaScript attachments starting in March.
In April, the ransomware changed communication patterns and also started using the Nuclear exploit kit for distribution. At the end of May, while still using JavaScript attachments for distribution, Locky was also observed leveraging VBA modules in documents to avoid detection.
The new development in Locky’s evolution, however, makes detection far more difficult, as it enters an offline encryption mode if all attempts to connect to the C&C fail. The change was observed on July 12 and ensures that the ransomware can still perform its nefarious operations even if its Internet connectivity was blocked, Avira researchers say.
This behavior is similar to that of Bart ransomware, a piece of malware that emerged in late June and which was associated with the group behind Dridex and Locky. Bart didn’t require an Internet connection to perform encryption, but instead relied on a distinct victim identifier to inform the operator what decryption key should be used.
When launched, the new Locky variant attempts to connect to the C&C servers stored in its configuration file, then to the C&C servers from the Domain generation algorithm (DGA). If it fails, the ransomware repeats the process for all C&Cs, then it tries a server address from the configuration file. Should the second attempt fail too, the malware would enter the offline encryption mode.
“Previously, a system administrator could block all CnC connections and keep Locky from encrypting any files on the system. Those days are over now. Locky has now reduced the chances for potential victims to avert an encryption disaster,” Moritz Kroll, malware specialist at Avira, says.
According to Avira, the offline encryption mode kicks in about one or two minutes after the ransomware is executed, meaning that an admin observing the rogue traffic would have very little time to act and shut down the computer before the encryption starts.
What researchers also observed is that, when in offline mode, Locky cannot get a victim-specific public key, because it cannot directly register a victim ID with the server. This means that it uses a public key from the configuration file and generates a special ID for payment. However, it also means that the same key is used for all offline encryptions and that, once someone has paid the ransom for their private key ID, it should be possible to reuse the same key for other victims with the same public key.
After being almost inactive for the first three weeks of June, Locky returned in full swing towards the end of the month, when the Necurs botnet came back online. Now, F-Secure researchers say that the latest Locky distribution campaigns hit a new high with more than 120,000 spam emails per hour, which is around 200 times more than normal.
The campaign started to ramp up last week, when it hit a total of 120,000 spam emails per day between Wednesday and Friday, with a peak of 30,000 hits per hour. On Tuesday this week, however, the campaign reached a new level of magnitude, F-Secure reveals.