Like a game of cat and mouse, the perpetrators behind the Locky ransomware have updated their arsenal yet again with a new tactic: using Windows Script Files (WSF) as the arrival method. A WSF file allows multiple scripting languages to be combined within a single file. Using WSF makes the detection and analysis of ransomware challenging, since WSF files are not among the typical file types that traditional endpoint solutions monitor for malicious activity.
However, the use of WSF files is no longer a novel idea since the same tactic was used in Cerber’s email campaign in May 2016. It would seem that the attackers behind Locky followed Cerber in using WSF files after seeing how such a tactic was successful in bypassing security measures like sandbox and blacklisting technologies.
Arrival method and social engineering lures
For the entry point, this Locky variant uses spam emails with .ZIP file attachments that contain WSF files. Given email subject lines such as “bank account record”, “annual report” and “company database”, we believe that the attackers are possibly targeting companies. We also noticed that most of these spammed emails were sent between 9 a.m. and 11 a.m. (UTC), a time when employees in European countries are starting their day at work. In addition, our data showed a high volume of spam runs during the weekdays and a decreased volume during the weekends.
Figure 1. Sample of a spammed email message
Figure 2. Volume of spam emails with WSF attachments (July 13-Aug 3, 2016)
Figure 3. Number of spam emails sent per hour from July 25-29, 2016
Interestingly, we found a spam sample with the subject, “Voicemail from Anonymous.” This could mean that cybercriminals are taking advantage of the popularity of Anonymous. On the other hand, “Anonymous” could also simply refer to an unknown person.
Figure 4. Spammed email with the subject, Voicemail from Anonymous
The first wave of this spam campaign was seen on July 15—with each email originating from different IP addresses. The countries that sent out the initial spam run were Serbia, Colombia, and Vietnam. Then another wave of spam runs were seen on July 18 and 19, with emails coming from countries such as Thailand and Brazil.
The WSF files are employed as downloaders of the actual ransomware. This technique allows the threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, blending scripting languages can result in the samples being encoded, making them arduous to analyze.
Figure 5. This malware has properties posing as a Yahoo Widget.
Figure 6. The ransomware downloaded by WSF has different file names and hashes.
Probing deeper into the threat
Analysis of this ransomware shows how it uses a registry key to determine the system’s language before displaying the ransom notes. For example, if the default machine language is English, then it shows ransom notes in English. This particular behavior of primarily determining the system’s language was also seen in JIGSAW and CRYPTLOCK, as well as in Police ransomware or REVETON.
Figure 7. This malware queries the machine language before displaying the ransom notes.
Figure 8. Ransom notes in English
Figure 9. Ransom notes in Brazilian Portuguese
For the command-and-control (C&C) communication, this threat used the SSH protocol or openVPN to encrypt the network traffic. One of the C&C servers is from the Deep Web via the Tor site, zjfq4lnfbs7pncr5[.]onion[.]to.
Like other Locky variants, this one changes the file extension to .ZEPTO after all the files are encrypted. In addition, Locky uses native APIs to change the file extension to .ZEPTO.
The developers of this new Locky variant seem to be coming from Brazil as we were able to spot this threat being sold in the Brazilian underground market. We also found someone (with the alias unknown_antisec) using Facebook to share this blog post (originally posted in Trend Micro blog in Brazil) that discussed our findings about the Brazilian underground. That particular user also included a caption in Brazilian Portuguese that can be translated to, “Sup dog, they’ve got you ransomware.” Brazilian cybercriminals typically use social media or the surface web to advertise their products and services.
A multilayered defense strategy
Because WSF files can bypass traditional security measures and sandbox analysis, it is best to stop this new breed of Locky at the exposure layer. We are able to protect our customers at the gateway level by detecting Locky-related spam emails and stripping the emails with WSF attachments, thus preventing the malicious file from executing. Our sandbox is also capable of preventing the malware from running on the system, since the new tactics associated with this ransomware had already been detected.
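The gateway check described above, together with the blended-language WSF property discussed earlier, as an added illustration (this is not Trend Micro's code; the helper names, the `SCRIPT_EXTS` list and the sample message are constructed here): it unpacks ZIP attachments from a MIME message, flags members that Windows Script Host would execute, and lists the scripting languages a WSF mixes.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions Windows Script Host executes; .wsf is the one this campaign used (assumed list).
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh")

def script_entries_in_zip(zip_bytes: bytes) -> list[str]:
    """Return archive member names that would run under Windows Script Host."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []

def wsf_languages(wsf_text: str) -> list[str]:
    """Languages declared by <script language="..."> blocks in a WSF (sorted, lower-case)."""
    found = re.findall(r'<script\s+language\s*=\s*"([^"]+)"', wsf_text, re.IGNORECASE)
    return sorted({lang.lower() for lang in found})

def flag_message(raw: bytes) -> list[str]:
    """Names of script members inside ZIP attachments; non-empty means quarantine the mail."""
    hits = []
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        fname = (part.get_filename() or "").lower()
        # Check the ZIP magic too, so a renamed archive is not missed.
        if fname.endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            hits.extend(script_entries_in_zip(payload))
    return hits

# Constructed, harmless WSF that mixes two languages, mirroring the blended-script trait.
SAMPLE_WSF = (
    '<job id="constructed">\n'
    '<script language="JScript">WScript.Echo("constructed sample");</script>\n'
    '<script language="VBScript">WScript.Echo "constructed sample"</script>\n'
    "</job>\n"
)

def build_sample_message() -> bytes:
    """Constructed spam-like mail: 'annual report' subject with a ZIP holding the WSF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("annual_report.wsf", SAMPLE_WSF)
    msg = EmailMessage()
    msg["Subject"] = "annual report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="annual report.zip")
    return msg.as_bytes()
```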
Trend Micro offers solutions that protect users and organizations in all aspects: at the gateway, endpoints, networks, and even servers.
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network (Network Traffic Scanning, Malware Sandbox, Lateral Movement Prevention).
Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits (Webserver Protection, Vulnerability Shielding, Lateral Movement Prevention).
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware (Ransomware Behavior Monitoring, IP/Web Reputation).
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat (IP/Web Reputation, Ransomware Protection).
Related SHA1 hashes:
Additional insights and data by Franklynn Uy and Jon Oliver