Additional analysis and information by Jaaziel Carlos.
The Locky ransomware family has emerged as one of the most prominent ransomware families to date, being sold in the Brazilian underground and spreading via various exploits. Over time, Locky has become known for using a wide variety of tactics to spread, including macros, VBScript, WSF files and, now, DLLs.
Recently, we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that, on the surface, used old tactics but included some key technical changes. The emails used to distribute it were fairly pedestrian as far as such messages go, although they were part of a large-scale spam campaign.
Figure 1. Locky ransomware spam
The .js files contained inside the .ZIP attachments are heavily obfuscated, which again is the norm:
After de-obfuscation, we can see that the code does several things:
- Saves the downloaded file's content to %temp%
- Decrypts the downloaded file by XORing it with the output of a pseudo-random number generator (PRNG), and saves the decrypted result as xxxx.dll
- Runs the malicious DLL with rundll32.exe, which displays the ransom note and encrypts the user's files
In effect, the attacker built his own stream cipher, using the PRNG's output as the pseudorandom key stream. All PRNGs rely on an initial value (known as the seed) to set the generator's initial state. In a proper cryptographic implementation, as long as this value is non-constant and the PRNG is well designed, the stream cipher's output will be sufficiently “random”.
Figure 3. XOR and PRNG decryption code
Writing a PRNG is difficult enough that the attacker chose to “borrow” one instead: he took the reference implementation of the Ultra-High Entropy PRNG (UHE PRNG), made some small modifications to the code, and used it in his .js file. The code appears to be an almost direct copy of parts of the Windows scripting implementation of the UHE PRNG.
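To make the scheme concrete, the following is an added example (not the sample's code; it uses a stand-in xorshift32 generator rather than the UHE PRNG the attacker borrowed) of a seeded PRNG driving an XOR key stream, together with the known-plaintext check an analyst applies when extracting the payload for detection: the decrypted output must begin with a DLL's "MZ" header, so a wrong seed parameter is caught immediately. The seed value and the 16-byte fake DLL are constructed for the demonstration.

```javascript
// Added example: seeded PRNG -> XOR key stream, plus the analyst's
// sanity check on the recovered payload. The PRNG is a stand-in
// (xorshift32), NOT the UHE PRNG from the sample; only the structure
// of the scheme (seed = key material) is what this demonstrates.

// Stand-in PRNG: xorshift32, fully determined by its 32-bit seed.
function makePrng(seed) {
  let state = (seed >>> 0) || 1; // xorshift must never start at zero
  return function nextByte() {
    state ^= state << 13; state >>>= 0;
    state ^= state >>> 17;
    state ^= state << 5;  state >>>= 0;
    return state & 0xff;          // one key-stream byte per call
  };
}

// XOR a byte array with the key stream derived from `seed`.
// Symmetric: the same call turns plaintext into ciphertext and back.
function xorWithKeystream(bytes, seed) {
  const next = makePrng(seed);
  return Uint8Array.from(bytes, (b) => b ^ next());
}

// Known-plaintext check: a genuine DLL starts with the "MZ" DOS header.
function looksLikePe(bytes) {
  return bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a;
}

// Constructed sample: a fake 16-byte "DLL" (MZ header plus filler), not a real file.
const FAKE_DLL = Uint8Array.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
                                  0x04, 0x00, 0x00, 0x00, 0xff, 0xff, 0x00, 0x00]);
// Hypothetical value standing in for the parameter the downloader passes along.
const SEED_FROM_DOWNLOADER = 0x1337c0de;

// The "downloaded file" as it would sit in %temp%: payload XORed with the key stream.
const DOWNLOADED = xorWithKeystream(FAKE_DLL, SEED_FROM_DOWNLOADER);

// Analyst step: apply a candidate seed and verify the result is a PE image.
// With the right seed the MZ header reappears; a wrong seed fails the check.
function recover(downloaded, seed) {
  const out = xorWithKeystream(downloaded, seed);
  return { ok: looksLikePe(out), bytes: out };
}
```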
Figure 4. UHE PRNG function
Figure 5. Rundll32.exe running the Locky DLL, with parameters
The behavior of the actual ransomware is essentially unchanged from previous Locky variants.
Figure 6. Locky ransom note
Using a DLL file in this way is an attempt to evade the behavior monitoring features now built into modern endpoint security products. Because the payload runs as a DLL, no new process is started for it, which makes it harder to detect. Other ransomware families (such as CrypMIC/CryptXXX) have used this tactic as well, although it is new for Locky.
The use of encryption is also meant to make the malware harder to find. Unless the downloader supplies the right parameters, no malicious file is ever decrypted (and so, in theory, none can be detected).
Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery™ Email Inspector, can be used to detect this threat by its behavior without any engine or pattern updates.
Trend Micro offers solutions that protect users and organizations on all fronts: at the gateway, endpoints, networks, and even servers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. Key capabilities: Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention.
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. Key capabilities: Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Key capabilities: Ransomware Behavior Monitoring, IP/Web Reputation.
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Key capabilities: IP/Web Reputation, Ransomware Protection.
The SHA256 hashes of files related to this threat are:
The malicious URLs related to this attack are: