History of Locky ransomware
Locky is a strain of the ransomware malware family. Discovered in mid-February 2016, this file-encrypting threat was sophisticated enough to slip under the radar of common antimalware defenses. It was the product of an organized group of hackers proficient in applying cryptography, and its data-locking mechanism left security experts without a practical recovery path. When it was first launched it could encrypt over 160 file types. In 2016 Locky accounted for more than 76% of all malware distributed [1], and within eight months of its discovery five versions of the malware were already out harvesting ransom money.
Version 1.0
Scrambled each victim's filenames into a string of 32 hexadecimal characters and added the .locky extension, so a file was renamed to something like 8469F0FE8432F4F84DCC48462F435454.locky. A ransom note named _Locky_recover_instructions.txt was dropped on the desktop.
Version 2.0
The second version was out in early August 2016. Filenames were again replaced by a string of 32 hexadecimal characters, but now hyphens split the name into blocks and the extension was .zepto, for example 034BDC22-54D4-ABD4-F065-F642E772A851.zepto. A ransom note named _HELP_instructions.html was placed on the desktop, and the desktop background was replaced with a bitmap (BMP) rendering of the ransom instructions. This version could encrypt files even when the machine was not connected to the internet, because the ransomware carried the key material it needed for encryption inside its own code.
Version 3.0
The third version dropped offline encryption. The file extension became .odin and the ransom note on the desktop was renamed _HOWDO_text.html. The installation method also changed: Locky was now delivered as an encrypted DLL installer.
Version 4.0
Offline encryption returned in this version, the file extension became .shit, and the ransom note was renamed _WHAT_is.html.
Version 5.0
Version 5.0 followed less than 24 hours after version 4.0; the only difference was the extension, which changed from .shit to .thor. In August 2017 two new variants of Locky, Diablo and Lukitus, were detected, using the extensions .diablo6 and .lukitus respectively. They differed from the 2016 Locky only in the way the malware was distributed.
Background of the attack
The attack starts when the victim receives a spam email with the malware attached as a .doc, .xls or .zip file. Attackers vary the names and attachments in every malicious email in order to dodge detection by security products. The subject resembles ATTN: Invoice J-98223146 and the body reads something like 'Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice'. An example of one of these emails can be seen below.
The attached files contain macros whose code has been obfuscated so heavily that it looks like scrambled text. An example of one of these attachments can be seen below.
Once the victim enables macros by clicking Enable Content, the malicious software is downloaded from a compromised website, stored in the %Temp% folder and executed; it starts encrypting the victim's files within a few seconds of the download. The malware usually attacks local drives (fixed, removable and RAM disks), and some versions also attack network resources. Each encrypted file is renamed to a unique string of hexadecimal characters (the formats are shown in the version list above) and given an extension such as .diablo6, .locky, .odin, .zepto, .aesir, .thor or .osiris, depending on the Locky version. The encrypted files are then inaccessible to the victim.

Locky mostly searches for files with the following extensions to encrypt: .pdf, .rar, .bat, .mpeg, .qcow2, .vmdk, .tar.bz2, .djvu, .jpeg, .tiff, .class, .java, .SQLITEDB, .SQLITE3, .lay6, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .potx, .potm, .pptx, .pptm, .xltx, .xltm, .xlsx, .xlsm, .asm, .c, .cpp, .h, .png, .txt, .cs, .gif, .jpg, .rtf, .xml, .zip, .asc, .xlsb, .dotm, .dotx, .docm, .docx, wallet.dat, etc. However, Locky skips any file whose full path or filename contains one of the following strings: tmp, WinNT, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows.

As part of the encryption process Locky also deletes all Volume Shadow Copies on the machine so that they cannot be used to restore the victim's files. It does this by executing the following command:
vssadmin.exe Delete Shadows /All /Quiet

After the encryption process, Locky displays a ransom note on the desktop and in every folder where files have been encrypted. The desktop wallpaper is also replaced, according to the version of the ransomware, with a bitmap of the contents of the ransom note.
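To make the file-selection rules above concrete, here is an added Python example written for this page (it is not Locky's code and not code from the page's source) that models which paths those rules would target. The extension list and the path-exclusion strings are taken from the text as given; case-insensitive substring matching is an assumption, since the text does not say how Locky compared the strings, and the sample paths are constructed.

```python
import os

# Extensions the text lists as Locky's targets (lower-cased; the page's list
# ends in "etc.", so this is not claimed to be exhaustive).
TARGET_EXTENSIONS = {
    ".pdf", ".rar", ".bat", ".mpeg", ".qcow2", ".vmdk", ".tar.bz2", ".djvu",
    ".jpeg", ".tiff", ".class", ".java", ".sqlitedb", ".sqlite3", ".lay6",
    ".ms11", ".sldm", ".sldx", ".ppsm", ".ppsx", ".ppam", ".docb", ".potx",
    ".potm", ".pptx", ".pptm", ".xltx", ".xltm", ".xlsx", ".xlsm", ".asm",
    ".c", ".cpp", ".h", ".png", ".txt", ".cs", ".gif", ".jpg", ".rtf", ".xml",
    ".zip", ".asc", ".xlsb", ".dotm", ".dotx", ".docm", ".docx",
}
# Whole filenames the text singles out.
TARGET_FILENAMES = {"wallet.dat"}

# Strings that, anywhere in the full path, cause Locky to skip the file.
SKIP_SUBSTRINGS = (
    "tmp", "WinNT", "Application Data", "AppData", "Program Files (x86)",
    "Program Files", "temp", "thumbs.db", "$Recycle.Bin",
    "System Volume Information", "Boot", "Windows",
)


def is_excluded_path(path: str) -> bool:
    """True if any skip string occurs anywhere in the full path.

    Case-insensitive matching is an assumption for this example; the text
    does not say whether Locky's comparison was case-sensitive.
    """
    lowered = path.lower()
    return any(s.lower() in lowered for s in SKIP_SUBSTRINGS)


def would_be_targeted(path: str) -> bool:
    """Apply the two rules in order: the exclusion list wins; otherwise the
    filename / extension allow-list decides."""
    if is_excluded_path(path):
        return False
    # Normalise Windows separators so basename works on any host.
    name = os.path.basename(path.replace("\\", "/")).lower()
    if name in TARGET_FILENAMES:
        return True
    return any(name.endswith(ext) for ext in TARGET_EXTENSIONS)


def triage(paths):
    """Split a list of paths into (targeted, spared) for a quick scoping check."""
    targeted = [p for p in paths if would_be_targeted(p)]
    spared = [p for p in paths if not would_be_targeted(p)]
    return targeted, spared


# Constructed sample paths (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\Templates\letter.docx",   # spared: "Temp" in Templates
    r"C:\Users\alice\AppData\Roaming\app\settings.xml",  # spared: AppData
    r"C:\Program Files\Tool\readme.txt",                 # spared: Program Files
    r"C:\Windows\System32\drivers\etc\hosts",            # spared: Windows
    r"D:\vms\server01.vmdk",
    r"D:\wallets\wallet.dat",
    r"D:\src\archive.tar.bz2",
    r"D:\photos\summer.JPG",                             # extension match ignores case
    r"D:\src\main.py",                                   # .py is not on the list
]

if __name__ == "__main__":
    hit, miss = triage(SAMPLE_PATHS)
    print("targeted:", *hit, sep="\n  ")
    print("spared:", *miss, sep="\n  ")
```

Two things the model makes visible: the exclusion is a crude substring test over the whole path, so under the case-insensitive assumption a user's Documents\Templates folder is spared because it contains "temp", while user data stored under AppData is never touched; and ordering matters, since a wallet.dat under Program Files is still skipped. Running the same check over a list of share paths is a quick way to scope which data a Locky-style infection would have reached.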
The victim is also provided with a webpage that contains instructions on how to proceed with the payment of the ransom.
Locky stores various information in the registry under the following values:
HKCU\Software\Locky\id – the unique ID assigned to the victim.
HKCU\Software\Locky\pubkey – the RSA public key.
HKCU\Software\Locky\paytext – the text stored in the ransom notes.
HKCU\Software\Locky\completed – whether the ransomware has finished encrypting the computer.
The ransom notes contain links to a Tor site called the Locky Decrypter Page, located at 6dtxgqam4crv6rr6.onion, which states the number of bitcoins to send as payment.
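Every stage described in this section leaves a host artifact: the payload run from %Temp% after the macro fires, the vssadmin shadow-copy deletion, the HKCU\Software\Locky values, the renamed files and the ransom notes. The following Python is an added detection example written for this page, not code from the page or from any vendor. It runs a small rule set over constructed Sysmon-style events (invented field names, not real telemetry). The rule that flags Word launching a binary from a Temp directory is an assumption about the macro stage, since the text only says the payload is stored in %Temp% and executed; likewise, that versions after 2.0 kept the hyphenated filename layout is assumed for the regex.

```python
import re

# Encrypted-file name from the version list: 32 hex characters, either plain
# (version 1.0) or in 8-4-4-4-12 hyphenated blocks (2.0 onwards, assumed for
# the later extensions), followed by one of the extensions the text names.
ENCRYPTED_NAME = re.compile(
    r"^(?:[0-9A-F]{32}|[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12})"
    r"\.(locky|zepto|odin|shit|thor|aesir|osiris|diablo6|lukitus)$",
    re.IGNORECASE,
)
VERSION_BY_EXT = {"locky": "1.0", "zepto": "2.0", "odin": "3.0", "shit": "4.0",
                  "thor": "5.0", "diablo6": "Diablo (2017)", "lukitus": "Lukitus (2017)"}
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_help_instructions.html",
                "_howdo_text.html", "_what_is.html"}
LOCKY_REG_PREFIX = "hkcu\\software\\locky\\"


def basename(path):
    """Last component of a Windows or POSIX path / registry path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events):
    """Run the Locky rules over event dicts; return a list of (rule, detail)."""
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            image = basename(ev["image"]).lower()
            cmd = ev["cmdline"].lower()
            # Rule 1: the shadow-copy wipe the text quotes verbatim.
            if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                alerts.append(("shadow_copy_deletion", ev["cmdline"]))
            # Rule 2 (assumed heuristic for the macro stage): Word launching a
            # binary that lives under a Temp directory.
            if basename(ev["parent"]).lower() == "winword.exe" and "\\temp\\" in ev["image"].lower():
                alerts.append(("office_spawned_temp_binary", ev["image"]))
        elif kind == "RegistryValueSet":
            # Rule 3: any of the HKCU\Software\Locky values listed above.
            if ev["target"].lower().startswith(LOCKY_REG_PREFIX):
                alerts.append(("locky_registry_value", basename(ev["target"])))
        elif kind == "FileCreate":
            name = basename(ev["path"])
            m = ENCRYPTED_NAME.match(name)
            if m:
                # Rule 4: an encrypted-file name, tagged with the version the extension implies.
                ext = m.group(1).lower()
                alerts.append(("encrypted_file", f"{name} (Locky {VERSION_BY_EXT.get(ext, ext)})"))
            elif name.lower() in RANSOM_NOTES:
                # Rule 5: one of the ransom-note filenames.
                alerts.append(("ransom_note", name))
    return alerts


# Constructed events mimicking the chain described in the text (not real telemetry).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"event": "ProcessCreate",
     "parent": r"C:\Users\alice\AppData\Local\Temp\payload.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"event": "RegistryValueSet", "target": r"HKCU\Software\Locky\pubkey"},
    {"event": "FileCreate", "path": r"C:\Users\alice\Documents\8469F0FE8432F4F84DCC48462F435454.locky"},
    {"event": "FileCreate", "path": r"C:\Users\alice\Documents\034BDC22-54D4-ABD4-F065-F642E772A851.zepto"},
    {"event": "FileCreate", "path": r"C:\Users\alice\Desktop\_HELP_instructions.html"},
    # Benign noise the rules must stay quiet on.
    {"event": "FileCreate", "path": r"C:\Users\alice\Documents\quarterly.xlsx"},
    {"event": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

The shadow-copy rule is the one worth deploying first: it fires before the ransom note appears, it is keyed on a command line the text gives verbatim, and legitimate administration rarely issues `Delete Shadows /All /Quiet`. The filename and ransom-note rules confirm the infection and, through the extension, which Locky version is involved, but by the time they fire the encryption is already under way.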