Locky, the professional grade ransomware has been causing headaches and damages to victim’s wallet for quite sometime. It uses the document-based macros for ransomware distribution, encrypts files on the victims’ computers with an additional‘.locky’ as extension which is what the ransomware is named after. Locky is professionally written, massively spread, costly if infected, most importantly it is evolving. It has been stable for the past year with no major version upgrade until recently. Our VEX system captured a new variant Locky sample at the beginning of last week. It encrypts the network traffic in a completely different method, and a different URI with the same IP in communication.
Locky contains 3 to 6 hardcoded IP addresses inside the sample instead of domain names which are used in constructing the URL. as we can see the older variant sends a POST request to the hardcoded IP with /submit.php as the complete URL to communicate with the bot such as requesting a RSA key and send the collected information about the victim’s machine, infection status etc in a typical ‘key=value’ format.
Figure 1. POST /submit.php from the older variant
Below shows the POST message from above after decryption. As it shows, Locky communicates with the C&C server by requesting a key along with some information collected about the victim’s machine.
However in the new variant we have recently discovered, the URI has been changed to the hardcoded IP concatenated with /userinfo.php.
Figure 2. POST /userinfo.php from the new variant
If you don’t consider this is enough of a change to Locky to call it a new variant, this next modification will change your mind. Of course the communication is not in plain text, but wrapped and encrypted. Both the incoming and outgoing communication employs a similar encryption logic. The older variant of Locky constructs the message collected and inserts the 16 byte MD5 hash value of the message at the beginning of the string as a way of validating the data. And then recursively encrypts each byte using a custom algorithm shown in Figure 3. This algorithm makes use of two DWORD constants as seeds to continuously update the key which the new byte is to be encrypted with.
Figure 3. POST Request Encryption Routine of the older variant
This new variant discovered completely abandoned the above custom encryption algorithm and makes uses of the Windows API with along with the RSA encryption algorithm to get the same job done as shown in Figure 4.
Figure 4. New Encryption Routine of the new variant
Old Variant Sample MD5: 87d9eec40e173070515d8dad37f0d2d6
New Variant Sample MD5: 59cc8fc8984bcda72cc4e6f9003053cd (Detected as Malicious_Behavior.VEX.96)
Why did Locky go through the trouble of modifying the POST URL and come up with a completely new method of encrypting its network traffic? We suspect it’s because the old trick is well established knowledge to the general public as the analysts from all major security vendors digged deep in the ransomware, it’s too easy to overcome this encryption algorithm and is no longer safe to use as a way for obfuscation. So far we've captured 49 counts of unique MD5 samples of the new variant with no older variants being found. It seems the entire family of Locky ransomware has migrated to the new format. As our ART team continues to track and investigate in the Locky family, we will update with more information as they come to light.