Threat Research

The Locky Saga Continues: Now Uses .odin as File Extension

By Joie Salvio and Floser Bacurio Jr. | October 03, 2016

As a result of our continuous monitoring of the Locky ransomware we discovered a new Locky variant. This variant now appends a “.odin” extension to its encrypted files. This is now the third time that the extension has been changed. Aside from this, in this report we will also examine some of its other minor updates.

It’s not Odin. It’s Locky     

The transition from “.locky” to “.zepto” extension has caused some confusion to the malware research scene. Due to this update, some researchers identified Zepto as a new ransomware family, when in fact, it’s just a new variant of the infamous Locky ransomware. Hopefully, the following details on their similarities can help ease this confusion and serve as proof that they are of the same family. Using the IDA plugin BinDiff, an executable-comparison tool, we are able to confirm this.

As shown in Figure 1, when comparing full EXE-binaries of .zepto and .locky, BinDiff scored it with a striking 85% similarity. These similarities are almosy entirely comprised of their main malicious functions. One of these functions, the file encryption routine, has a 98% similarity score. A closer look of this function is shown in Figure 2.

Figure 1: .Zepto And .Locky EXE binary comparison

Figure 2: Comparison of File Encryption Function

 

The similarities between these two variants confirm that they belong to the same family. Using this same analysis method, we were able to prove that “.zepto” and “.odin” are of the same family, which means that .odin is also Locky variant. As in mathematics, this is called the transitive property of equality. If Z = L and Z = O then L = O

As it turns out, the similarities between their DLL binaries are even more apparent. As shown in Figure 3, they score a 99% similarity.

Figure 3: .Zepto and .Odin DLL binary Comparison

 

Some Other Minor Changes

The following table shows the changes in ransomware note filenames for each Locky variant:

.Locky

.Zepto

.Odin

_HELP_instructions.html

_HELP_instructions.html (old)

_{number}_HOWDO_text.html

 

_{number}_HELP_instructions.html (new)

 

 

Table 1: Ransom Note Filename Changes

Note the prepended numbers on the new variants. At first glance, they would seem to be just random numbers. However, upon code analysis, they were discovered to be a sequence index for the affected directories (first infected directory:0, second directory:1, … and so on).

Interestingly, no notable changes were observed on the ransom payment page. For this variant, it asks for 1.5BTC, although based on research, this price ranges from 0.5 to 3.0BTC.

Figure 4: Locky Payment Page

In addition to these rather minor updates, Locky has also increased the chance of hitting more important files by doubling (from 194 to 460) the list of file types targeted for encryption. Here are the new additions to the list:

.yuv

.qbx

.ndd

.exf

.cdr4

.vmsd

.dat

.indd

.pspimage

.obj

.ycbcra

.qbw

.mrw

.erf

.cdr3

.vhdx

.cmt

.iif

.ps

.mlb

.xis

.qbr

.moneywell

.erbsql

.bpw

.vhd

.bin

.fpx

.pct

.md

.x3f

.qba

.mny

.eml

.bgt

.vbox

.aiff

.fff

.pcd

.mbx

.x11

.py

.mmw

.dxg

.bdb

.stm

.xlk

.fdb

.m4v

.lit

.wpd

.psafe3

.mfw

.drf

.bay

.st7

.wad

.dtd

.m

.laccdb

.tex

.plc

.mef

.dng

.bank

.rvt

.tlg

.design

.fxg

.kwm

.sxg

.plus_muhd

.mdc

.dgc

.backupdb

.qcow

.st6

.ddd

.flac

.idx

.stx

.pdd

.lua

.des

.backup

.qed

.st4

.dcr

.eps

.html

.st8

.p7c

.kpdx

.der

.back

.pif

.say

.dac

.dxb

.flf

.st5

.p7b

.kdc

.ddrw

.awg

.pdb

.sas7bdat

.cr2

.drw

.dxf

.srw

.oth

.kdbx

.ddoc

.apj

.pab

.qbm

.cdx

.db3

.dwg

.srf

.orf

.kc2

.dcs

.ait

.ost

.qbb

.cdf

.cpi

.dds

.sr2

.odm

.jpe

.dc2

.agdl

.ogg

.ptx

.blend

.cls

.css

.sqlite

.odf

.incpas

.db_journal

.ads

.nvram

.pfx

.bkp

.cdr

.config

.sdf

.nyf

.iiq

.csl

.adb

.ndf

.pef

.al

.arw

.cfg

.sda

.nxl

.ibz

.csh

.acr

.m4p

.pat

.adp

.ai

.cer

.sd0

.nx2

.ibank

.crw

.ach

.m2ts

.oil

.act

.aac

.asx

.s3db

.nwb

.hbk

.craw

.accdt

.log

.odc

.xlr

.thm

.aspx

.rwz

.ns4

.gry

.cib

.accdr

.hpp

.nsh

.xlam

.srt

.aoi

.rwl

.ns3

.grey

.ce2

.accde

.hdd

.nsg

.xla

.save

.accdb

.rdb

.ns2

.gray

.ce1

.ab4

.groups

.nsf

.wps

.safe

.7zip

.rat

.nrw

.fhd

.cdrw

.3pr

.flvv

.nsd

.tga

.rm

.1cd

.raf

.nop

.fh

.cdr6

.3fr

.edb

.nd

.rw2

.pwm

.wab

.qby

.nk2

.ffd

.cdr5

.vmxf

.dit

.mos

.r3d

.pages

.prf

.oab

.msg

.mapimail

.jnt

.dbx

.contact

 

 

 

 

 

Table 2: Added Target File Extensions

Final Thoughts

Every time Locky releases a new variant using a different encrypted file extension, it causes a degree of confusion among folks tracking these things. This may be due to the common practice of some security companies to base the names of ransom malware families on the extensions being used. This new Locky variant demonstrates that this naming method can sometimes be inaccurate ,and in such cases, deeper inspections are needed in more accurately identifying what malware families new variants belong to.

 

-= FortiGuard Lion Team =-

IOCs

SHA256:

86d229d219a21ab8092839a4361d30977e56c78f0ada10b6d68363b2834dd1dc - W32/Locky.D!tr

 

Existence of the following files:

{directory}\_{number}_HOWDO_text.html

{Filename(alpha numeric characters)}.odin