Researchers Dissect Potent “Locky Bart” Ransomware

A closer look at the inner workings of the Locky Bart ransomware and its backend have provided security researchers with a better understanding of its features compared to those of its predecessors.

According to security researchers at Malwarebytes Labs, Locky Bart is the third variant of a threat family behind two very successful ransomware campaigns, “Locky” and “Locky v2”. The latest iteration can encrypt files without being connected to the command and control (C&C) server and features a much faster encryption mechanism, while its backend infrastructure appears to be maintained by a different actor.

Previous variants placed every file in a password-protected ZIP archive and used an older protection algorithm that allowed researchers to come up with a decryption tool. Locky Bart, however, creates an encryption key, enumerates the targeted files, encrypts them, encrypts that key with a master key (the result becomes the victim’s UID), and then creates a ransom note on the desktop containing a link to a payment page and the UID. The malware also wipes System Restore Points with VSSadmin.
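One detection a defender can derive from the VSSadmin step above is a process-creation rule for shadow-copy deletion. The following is an added Go example, not code from the article or from Malwarebytes: the pipe-separated `key=value` log layout, the sample lines and the function names are constructed for illustration, and the pattern covers only the vssadmin form the article names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches vssadmin invocations that delete or shrink shadow copies, the step
// Locky Bart uses to wipe System Restore Points before encrypting files.
var shadowWipe = regexp.MustCompile(
	`(?i)\bvssadmin(\.exe)?\b.*\b(delete\s+shadows|resize\s+shadowstorage)\b`)

// parseLine turns `host=... | user=... | cmd=...` into a field map.
// The layout is constructed for this example, not a vendor log format.
func parseLine(line string) map[string]string {
	fields := map[string]string{}
	for _, f := range strings.Split(line, "|") {
		if k, v, ok := strings.Cut(strings.TrimSpace(f), "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// DetectShadowWipe returns "host: command line" for every process-creation
// record whose command line removes shadow copies; listing them is benign.
func DetectShadowWipe(lines []string) []string {
	var hits []string
	for _, line := range lines {
		f := parseLine(line)
		if shadowWipe.MatchString(f["cmd"]) {
			hits = append(hits, f["host"]+": "+f["cmd"])
		}
	}
	return hits
}

// Constructed sample log: one benign listing, one wipe, one unrelated process.
var SampleLog = []string{
	"host=ws01 | user=alice | cmd=vssadmin list shadows",
	"host=ws01 | user=alice | cmd=vssadmin.exe Delete Shadows /All /Quiet",
	"host=ws02 | user=bob | cmd=notepad.exe readme.txt",
}

func main() {
	for _, h := range DetectShadowWipe(SampleLog) {
		fmt.Println("ALERT shadow copy deletion:", h)
	}
}
```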

Locky Bart gathers information on the victim’s machine to generate the encryption key, uses it to encrypt the files, and then applies a one-way mechanism to the key itself, namely encryption with the public key of a public/private key pair. The private key needed to reverse this second step is stored on the attackers’ server and is never accessible to the victim, Malwarebytes Labs researchers explain.

The ransomware then generates a URL on the victim’s machine that points to a Tor-cloaked .onion address, where the malicious backend website is hosted, and embeds the user ID in it (the UID is the original decryption key in encrypted form). When the user visits the website, the malicious server harvests the encrypted UID, meaning that the victim unknowingly sends their decryption key to the criminals.

Without the private key hosted on the server, the UID is useless to the victim. The server, on the other hand, uses the UID to identify the victim and, upon payment of the ransom, decrypts it to recover the victim’s key. This means that only the ransomware operators can decrypt a victim’s files, yet the malware does not need access to the malicious server to encrypt them.
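To make the key handling in the preceding paragraphs concrete, here is an added Go sketch (not Malwarebytes’ analysis code and not the malware’s own) of the envelope pattern the article describes: a per-victim key sealed with the operator’s public key becomes the UID, and only the matching private key can open it. RSA-OAEP, the 2048-bit key size, the hex encoding and all function names are assumptions chosen for illustration; the article does not state which algorithms Locky Bart uses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// NewOperatorKey models the key pair whose private half stays on the
// criminals' server; only its public half would ever reach a victim machine.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapUID produces the "UID" carried in the ransom-note URL: the per-victim
// key sealed with the operator's public key (RSA-OAEP, assumed here).
// Holding the UID and the public key reveals nothing about the key inside.
func WrapUID(pub *rsa.PublicKey, perVictimKey []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, perVictimKey, nil)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// RecoverKey is the server-side step taken only after payment: the private
// key unseals the UID back into the per-victim key placed in the decryptor.
func RecoverKey(priv *rsa.PrivateKey, uid string) ([]byte, error) {
	ct, err := hex.DecodeString(uid)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	priv, _ := NewOperatorKey()
	key := make([]byte, 32) // constructed sample per-victim key
	rand.Read(key)
	uid, _ := WrapUID(&priv.PublicKey, key)
	back, _ := RecoverKey(priv, uid)
	fmt.Println("UID:", uid[:16]+"...", "round-trips:", hex.EncodeToString(back) == hex.EncodeToString(key))
}
```

The practical consequence for responders is that the UID printed in a ransom note can be shared with analysts freely; it discloses nothing without the operator’s private key, which is also why no offline decryption is possible for this scheme.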

The Bart Locky binary uses a software protection technique known as code virtualization, implemented with the “WPProtect” software. The protection is meant to make reversing the binary significantly more difficult and is usually used to prevent piracy. The anti-tampering tool is free and open source and provides many features, which explains why Locky Bart’s author chose it.

The Locky Bart server provides the victims with a payment mechanism and is also used to receive the Bitcoins from the payments, transfer the money to other wallets, generate and provide a decryption EXE for the victims, and collect additional information on the victims. The Bart Locky backend, which runs on the Yii high-performance PHP framework, contains a great deal of information about the inner workings of the ransomware, Malwarebytes Labs security researchers say.

Through access to the control panel, the researchers were able to get an idea of the configuration settings for all the software running on the server, such as PHP, Bootstrap, JavaScript, Apache (if used), Nginx (if used), ZIP, and more. The backend also revealed details on every request made to it, including the request information, headers, body, timestamp, and origin.

Moreover, the server contained logs for every error, trace, and debug item, as well as the available automated email functions and MySQL monitoring that showed every statement made and its return value, the security researchers say. Locky Bart was found to store information in a MySQL database: the victim’s UID, the encryption key, Bitcoin address, paid status, and timestamps.

A second database containing further information on the victims was also found on the server, along with a “BTCwrapper.php” file that exposed two Bitcoin addresses to which the malware authors redirected victims’ payments.

According to Malwarebytes Labs, the server side of the ransomware was designed to function very much like a legitimate business: users are even provided with a support section where they can contact the ransomware authors with any questions they might have. The server checks every minute whether payment was made and, after confirming the payment, automatically marks the victim as Paid in the database.

For victims marked as Paid, the server generates a Decryption Tool EXE, writes the user’s encryption key into the binary of that EXE, and then provides the victim with a link to download it. The victim finds the link on their payment page, downloads the decryption tool, and regains access to their files.

“This research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we typically do not get to see, the backend. The criminals who run these operations do so on an extremely professional level, and users should always take an extra step in protecting themselves from these types of attacks,” the security researchers note.

Related: Locky Variant Osiris Distributed via Excel Documents

Related: Bart Ransomware Doesn’t Require C&C Server to Encrypt Files

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
