FortiGuard Labs Threat Research
As a result of our continuous monitoring of the Locky ransomware we discovered a new Locky variant. This variant now appends a “.odin” extension to its encrypted files. This is now the third time that the extension has been changed. Aside from this, in this report we will also examine some of its other minor updates.
The transition from “.locky” to “.zepto” extension has caused some confusion to the malware research scene. Due to this update, some researchers identified Zepto as a new ransomware family, when in fact, it’s just a new variant of the infamous Locky ransomware. Hopefully, the following details on their similarities can help ease this confusion and serve as proof that they are of the same family. Using the IDA plugin BinDiff, an executable-comparison tool, we are able to confirm this.
As shown in Figure 1, when comparing full EXE-binaries of .zepto and .locky, BinDiff scored it with a striking 85% similarity. These similarities are almosy entirely comprised of their main malicious functions. One of these functions, the file encryption routine, has a 98% similarity score. A closer look of this function is shown in Figure 2.
Figure 1: .Zepto And .Locky EXE binary comparison
Figure 2: Comparison of File Encryption Function
The similarities between these two variants confirm that they belong to the same family. Using this same analysis method, we were able to prove that “.zepto” and “.odin” are of the same family, which means that .odin is also Locky variant. As in mathematics, this is called the transitive property of equality. If Z = L and Z = O then L = O
As it turns out, the similarities between their DLL binaries are even more apparent. As shown in Figure 3, they score a 99% similarity.
Figure 3: .Zepto and .Odin DLL binary Comparison
The following table shows the changes in ransomware note filenames for each Locky variant:
.Locky |
.Zepto |
.Odin |
_HELP_instructions.html |
_HELP_instructions.html (old) |
_{number}_HOWDO_text.html |
|
_{number}_HELP_instructions.html (new) |
|
Table 1: Ransom Note Filename Changes
Note the prepended numbers on the new variants. At first glance, they would seem to be just random numbers. However, upon code analysis, they were discovered to be a sequence index for the affected directories (first infected directory:0, second directory:1, … and so on).
Interestingly, no notable changes were observed on the ransom payment page. For this variant, it asks for 1.5BTC, although based on research, this price ranges from 0.5 to 3.0BTC.
Figure 4: Locky Payment Page
In addition to these rather minor updates, Locky has also increased the chance of hitting more important files by doubling (from 194 to 460) the list of file types targeted for encryption. Here are the new additions to the list:
.yuv |
.qbx |
.ndd |
.exf |
.cdr4 |
.vmsd |
.dat |
.indd |
.pspimage |
.obj |
.ycbcra |
.qbw |
.mrw |
.erf |
.cdr3 |
.vhdx |
.cmt |
.iif |
.ps |
.mlb |
.xis |
.qbr |
.moneywell |
.erbsql |
.bpw |
.vhd |
.bin |
.fpx |
.pct |
.md |
.x3f |
.qba |
.mny |
.eml |
.bgt |
.vbox |
.aiff |
.fff |
.pcd |
.mbx |
.x11 |
.py |
.mmw |
.dxg |
.bdb |
.stm |
.xlk |
.fdb |
.m4v |
.lit |
.wpd |
.psafe3 |
.mfw |
.drf |
.bay |
.st7 |
.wad |
.dtd |
.m |
.laccdb |
.tex |
.plc |
.mef |
.dng |
.bank |
.rvt |
.tlg |
.design |
.fxg |
.kwm |
.sxg |
.plus_muhd |
.mdc |
.dgc |
.backupdb |
.qcow |
.st6 |
.ddd |
.flac |
.idx |
.stx |
.pdd |
.lua |
.des |
.backup |
.qed |
.st4 |
.dcr |
.eps |
.html |
.st8 |
.p7c |
.kpdx |
.der |
.back |
.pif |
.say |
.dac |
.dxb |
.flf |
.st5 |
.p7b |
.kdc |
.ddrw |
.awg |
.pdb |
.sas7bdat |
.cr2 |
.drw |
.dxf |
.srw |
.oth |
.kdbx |
.ddoc |
.apj |
.pab |
.qbm |
.cdx |
.db3 |
.dwg |
.srf |
.orf |
.kc2 |
.dcs |
.ait |
.ost |
.qbb |
.cdf |
.cpi |
.dds |
.sr2 |
.odm |
.jpe |
.dc2 |
.agdl |
.ogg |
.ptx |
.blend |
.cls |
.css |
.sqlite |
.odf |
.incpas |
.db_journal |
.ads |
.nvram |
.pfx |
.bkp |
.cdr |
.config |
.sdf |
.nyf |
.iiq |
.csl |
.adb |
.ndf |
.pef |
.al |
.arw |
.cfg |
.sda |
.nxl |
.ibz |
.csh |
.acr |
.m4p |
.pat |
.adp |
.ai |
.cer |
.sd0 |
.nx2 |
.ibank |
.crw |
.ach |
.m2ts |
.oil |
.act |
.aac |
.asx |
.s3db |
.nwb |
.hbk |
.craw |
.accdt |
.log |
.odc |
.xlr |
.thm |
.aspx |
.rwz |
.ns4 |
.gry |
.cib |
.accdr |
.hpp |
.nsh |
.xlam |
.srt |
.aoi |
.rwl |
.ns3 |
.grey |
.ce2 |
.accde |
.hdd |
.nsg |
.xla |
.save |
.accdb |
.rdb |
.ns2 |
.gray |
.ce1 |
.ab4 |
.groups |
.nsf |
.wps |
.safe |
.7zip |
.rat |
.nrw |
.fhd |
.cdrw |
.3pr |
.flvv |
.nsd |
.tga |
.rm |
.1cd |
.raf |
.nop |
.fh |
.cdr6 |
.3fr |
.edb |
.nd |
.rw2 |
.pwm |
.wab |
.qby |
.nk2 |
.ffd |
.cdr5 |
.vmxf |
.dit |
.mos |
.r3d |
.pages |
.prf |
.oab |
.msg |
.mapimail |
.jnt |
.dbx |
.contact |
|
|
|
|
Table 2: Added Target File Extensions
Every time Locky releases a new variant using a different encrypted file extension, it causes a degree of confusion among folks tracking these things. This may be due to the common practice of some security companies to base the names of ransom malware families on the extensions being used. This new Locky variant demonstrates that this naming method can sometimes be inaccurate ,and in such cases, deeper inspections are needed in more accurately identifying what malware families new variants belong to.
-= FortiGuard Lion Team =-
SHA256:
86d229d219a21ab8092839a4361d30977e56c78f0ada10b6d68363b2834dd1dc - W32/Locky.D!tr
Existence of the following files:
{directory}\_{number}_HOWDO_text.html
{Filename(alpha numeric characters)}.odin