New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files

Like a game of cat and mouse, the perpetrators behind the Locky ransomware had updated their arsenal yet again with a new tactic—using Windows Scripting File (WSF) for the arrival method. WSF is a file that allows the combination of multiple scripting languages within a single file. Using WSF makes the detection and analysis of ransomware challenging since WSF files are not among the list of typical files that traditional endpoint solutions monitor for malicious activity.

However, the use of WSF files is no longer a novel idea since the same tactic was used in Cerber’s email campaign in May 2016. It would seem that the attackers behind Locky followed Cerber in using WSF files after seeing how such a tactic was successful in bypassing security measures like sandbox and blacklisting technologies.

Arrival method and social engineering lures

For the entry point, this Locky variant uses spam emails with .ZIP file attachments that contain WSF files.  With email subject lines such as, “bank account record”, “annual report” and “company database” we believe that attackers are possibly targeting companies. We also noticed how most of these spammed emails were sent between 9 a.m. – 11 a.m. (UTC), a time when employees in European countries are starting their day at work. In addition, our data showed that  there had been a high volume of spam runs during the weekdays and then a decreased volume during the weekends.

Figure 1. Sample of a spammed email message

Figure 2. Volume of spam emails with WSF attachments (July 13-Aug 3, 2016)

Figure 3. Number of spam emails sent per hour from July 25-29, 2016

Interestingly, we found a spam sample with the subject, “Voicemail from Anonymous.” This could mean that cybercriminals are taking advantage of the popularity of Anonymous. On the other hand,“Anonymous” could also simply refer to an unknown person.

Figure 4. Spammed email with the subject, Voicemail from Anonymous

The first wave of this spam campaign was seen on July 15—with each email originating from different IP addresses. The countries that sent out the initial spam run were Serbia, Colombia, and Vietnam. Then another wave of spam runs were seen on July 18 and 19, with emails coming from countries such as Thailand and Brazil.

Why WSF?

The WSF files are employed as downloaders of the actual ransomware. Such a technique allows this threat to bypass security measures, including sandbox analysis, since it has no static file type. In addition, using blended scripting languages could result to the samples being encoded, making these arduous to analyze.

Similar with using VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files have different hashes. When  downloaded files have different hashes, detecting them via blacklisting becomes difficult.  The samples we analyzed have properties of a “Yahoo Widget” file to pass it off as legitimate.

Figure 5. This malware has properties posing as a Yahoo Widget.

Figure 6. The ransomware downloaded by WSF has different file names and hashes.

Probing deeper into the threat

Analysis of this ransomware shows how it uses a registry key to determine the system’s language before displaying the ransom notes. For example, if the default machine language is English, then it shows ransom notes in English. This particular behavior of primarily determining the system’s language was also seen in JIGSAW and CRYPTLOCK, as well as in Police ransomware or REVETON.

Figure 7. This malware queries the machine language before displaying the ransom notes.

Figure 8.  Ransom notes in English

Figure 9. Ransom notes in Brazilian Portuguese

For the command-and-control (C&C) communication, this threat used the SSH protocol or openVPN to encrypt the network traffic. One of the C&C servers is from the Deep Web via the Tor site, zjfq4lnfbs7pncr5[.]onion[.]to.

Like any Locky variants, the file extension is changed to .ZEPTO after all the files are encrypted. In addition, Locky also uses native APIs to change the file extension to .ZEPTO.

The developers of this new Locky variant seem to be coming from Brazil as we were able to spot this threat being sold in the Brazilian underground market. We also found someone (with the alias unknown_antisec) using Facebook to share this blog post (originally posted in Trend Micro blog in Brazil) that discussed our findings about the Brazilian underground. That particular user also included a caption in Brazilian Portuguese that can be translated to, “Sup dog, they’ve got you ransomware.” Brazilian cybercriminals typically use social media or the surface web to advertise their products and services.

A multilayered defense strategy

Locky ransomware continues to evolve—from using macros, JavaScript and VBScript to WSF. With this file type, it can, by default, combine any scripting language like JScript, which was previously used by RAA for obfuscation purposes.

Due to the possibility that WSF files can bypass traditional bypass and sandbox analysis, it is best to stop this new breed of Locky at the exposure layer. We are able to protect our customers at the gateway level by detecting Locky-related spam emails and stripping the emails with WSF attachments –thus preventing the malicious file from executing. Our sandbox is also capable of preventing the malware from running on the system since these new tactics associated with ransomware had already been detected.

Trend Micro offers solutions that protect users and organizations in all aspects –at the gateway, endpoints, networks, and even servers.

Related SHA1 hashes: 

JS_LOCKY.DLDVEF

• 0A17D419461F2A7A722F4E15C2760D182626E698
• 0B4396BD30F65B74CE38F7F8F6B7BC1E451FBCCC
• 0C82F9EBC4ACE5D6FD62C04972CF6A56AA022BFD
• 21DCA77E6EF9E89C788EE0B592C22F5448DE2762
• 288C7C4FA2FC2A36E532F938B1DC18E4918A0E36
• 69DA16CB954E8E48CEA4B64A6BBC267ED01AB2B3
• 6A9B6AE21C5F5E560591B73D0049F6CA2D720122
• 752AB2146016BCAFBFE17F710D61D3AD3822F849
• 8BDC38B005E09B34C1BCE94529158DE75408E905
• B8B79E8BAF39E0E7616170216B25C1505974F42C
• 5994eb7696e11818d01bc7447adcf9ec5c1c5f13
• 936ac2f42a1a641d52ba8078c42f5879e2dd41a0
• 0b7b2ba3c35e334bf5bc13929c77ecaf51758e2b
• 3bc8656186ee93d25173ba0f3c07a9cced23e7cd
• 08f1565514122c578da05cbf8b50ee9dcfa41af6
• 4641fb72aaf1461401490eaf1916de4103bbece5
• 3790c8bc8e691c79d80e458ba5e5c80b0b12a0c8
• 91762a5406e5291837ed259cd840cf4d22a2ddfa
• 005cc479faa2324625365bde7771096683312737
• eb01089b3625d56d50e8768e94cfef1c84c25601

JS_LOCKY.DLDVEJ

• 812FBF9E30A7B86C4A72CCA66E1D2FC57344BB09
• AE78A7B67CB5D3C92406CFA9F5FB38ADC8015FDF
• 0e76d8fd54289043012a917148dacda0730e4d88
• c76222e1206bad8e9a4a6f4867b2e235638a4c4c

JS_LOCKY.DLDVEL

• A2420F7806B3E00DB9608ABF80EE91A2447F68AD
• A94CE98BCC9A130AA88E9655672497C701BDA4A5
• fc591d83cdebe57b60588f59466ec3b12283cc2c
• 719f0d406038b932805d338f929d12c899ec97e1

JS_LOCKY.DLDVEP

• DA0FD77C60A2C9A53985A096BDAE1BEF89034A01
• 56dd1d2b944dae25e87a2f9b7d6c653b2ece4486

RANSOM_LOCKY.DLDVEO

• 180BDD12C3EE6D8F0A2D47DDAAD5A2DAA513883E
• 2C62F7B01DD423CEF488100F7C0CA440194657D9
• 6DECCBB36F4E83834985FE49FC235683CF90F054
• E2D94F69134D97C71F2B70FC0A3558B30637E46D
• E3E49BF06CD03FB0EA687507931927E32E0A5A1C

RANSOM_LOCKY.DLDVEF

• 22DE960D38310643C3E68C2BA8EC68D855B43EBD

RANSOM_LOCKY.DLDVEL

• 5A044104A6EED7E343814B3E0FC2DB535C515EA2
• 9BA7499C98E2B52303912352E1ACA694552E0E86
• 9F48FA841FC8B0E945C43DB5B18B37BDF2DA8F5B

RANSOM_HPLOCKY.SM2

• 3329FB8FD5E664CCDE59E12E608E0BCE3EF95225
• 5BE1DE4A018B746953381EA400278D25E7C3D024
• B2D1E7860F617014E0546B9D48450F221FE118EC
• BB8ABA09BC9B97C7358B62F2FF016D05955A5967

RANSOM_HPLOCKY.SM3

• 1A46C45A443B1C10EAA9AA317CD343B83160828F
• A2899353B237E08A7570C674D05D326D43173231
• D8FF29CFF5341B361CA3CEE67EABBD22698DAA2B

RANSOM_LOCKY.F116GT

• 565951232E4A1D491D932C916BC534E8FB02B29B

RANSOM_LOCKY.F116GS

• E362B04FE7F26663D7D43DD829D3C4310B2FC699

RANSOM_LOCKY.SMA6

• 6014A6AFDF09EDEB927A9A6A4E0DF591D72B1899
• DCDB228D515F08673542B89ABB86F36B3B134D72

Additional insights and data by Franklynn Uy and Jon Oliver