
Like a game of cat and mouse, the perpetrators behind the Locky ransomware have updated their arsenal yet again with a new tactic—using Windows Scripting File (WSF) for the arrival method. WSF is a file type that allows the combination of multiple scripting languages within a single file. Using WSF makes the detection and analysis of ransomware challenging, since WSF files are not among the file types that traditional endpoint solutions typically monitor for malicious activity.
However, the use of WSF files is no longer a novel idea since the same tactic was used in Cerber’s email campaign in May 2016. It would seem that the attackers behind Locky followed Cerber in using WSF files after seeing how such a tactic was successful in bypassing security measures like sandbox and blacklisting technologies.
Arrival method and social engineering lures
For the entry point, this Locky variant uses spam emails with .ZIP file attachments that contain WSF files. With email subject lines such as, “bank account record”, “annual report” and “company database” we believe that attackers are possibly targeting companies. We also noticed how most of these spammed emails were sent between 9 a.m. – 11 a.m. (UTC), a time when employees in European countries are starting their day at work. In addition, our data showed that there had been a high volume of spam runs during the weekdays and then a decreased volume during the weekends.
Figure 1. Sample of a spammed email message
Figure 2. Volume of spam emails with WSF attachments (July 13-Aug 3, 2016)
Figure 3. Number of spam emails sent per hour from July 25-29, 2016
Interestingly, we found a spam sample with the subject, “Voicemail from Anonymous.” This could mean that cybercriminals are taking advantage of the popularity of Anonymous. On the other hand, “Anonymous” could also simply refer to an unknown person.
Figure 4. Spammed email with the subject, Voicemail from Anonymous
The first wave of this spam campaign was seen on July 15—with each email originating from different IP addresses. The countries that sent out the initial spam run were Serbia, Colombia, and Vietnam. Another wave of spam runs was seen on July 18 and 19, with emails coming from countries such as Thailand and Brazil.
Why WSF?
The WSF files are employed as downloaders of the actual ransomware. This technique allows the threat to bypass security measures, including sandbox analysis, since a WSF has no single static file type. In addition, blending scripting languages can result in encoded samples, making them arduous to analyze.
As with VBScript and JavaScript, WSF makes it possible for attackers to download any malware payload. In the case of Locky, the actual ransomware downloaded by these WSF files has different hashes from sample to sample. When downloaded files have different hashes, detecting them via blacklisting becomes difficult. The samples we analyzed carry the properties of a “Yahoo Widget” file to pass themselves off as legitimate.
Figure 5. This malware has properties posing as a Yahoo Widget.
Figure 6. The ransomware downloaded by WSF has different file names and hashes.
Probing deeper into the threat
Analysis of this ransomware shows how it uses a registry key to determine the system’s language before displaying the ransom notes. For example, if the default machine language is English, then it shows ransom notes in English. This particular behavior of primarily determining the system’s language was also seen in JIGSAW and CRYPTLOCK, as well as in Police ransomware or REVETON.
Figure 7. This malware queries the machine language before displaying the ransom notes.
Figure 8. Ransom notes in English
Figure 9. Ransom notes in Brazilian Portuguese
For the command-and-control (C&C) communication, this threat used the SSH protocol or OpenVPN to encrypt the network traffic. One of the C&C servers is hosted on the Deep Web and reached via the Tor site zjfq4lnfbs7pncr5[.]onion[.]to.
Like other Locky variants, this one changes the file extension to .ZEPTO after all the files are encrypted. Locky uses native APIs to perform the rename to .ZEPTO.
The developers of this new Locky variant seem to be coming from Brazil as we were able to spot this threat being sold in the Brazilian underground market. We also found someone (with the alias unknown_antisec) using Facebook to share this blog post (originally posted in Trend Micro blog in Brazil) that discussed our findings about the Brazilian underground. That particular user also included a caption in Brazilian Portuguese that can be translated to, “Sup dog, they’ve got you ransomware.” Brazilian cybercriminals typically use social media or the surface web to advertise their products and services.
A multilayered defense strategy
Locky ransomware continues to evolve—from using macros, JavaScript and VBScript to WSF. With this file type, it can, by default, combine any scripting language like JScript, which was previously used by RAA for obfuscation purposes.
Because WSF files can bypass traditional blacklisting and sandbox analysis, it is best to stop this new breed of Locky at the exposure layer. We are able to protect our customers at the gateway level by detecting Locky-related spam emails and stripping the emails with WSF attachments, thus preventing the malicious file from executing. Our sandbox is also capable of preventing the malware from running on the system, since the new tactics associated with this ransomware had already been detected.
Trend Micro offers solutions that protect users and organizations in all aspects: at the gateway, endpoints, networks, and even servers.
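The gateway-side check described above, as an added example that is not part of the original post or of any Trend Micro product: it walks a message's attachments, opens ZIP archives in memory (the delivery form this campaign used), and flags WSF content by its XML markers rather than by the .wsf extension alone, also listing the script languages blended inside the file. The email and the WSF are constructed for the demonstration; the function and variable names are the example's own.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# A WSF is XML: a <job> (or <package>) element wrapping <script language="..."> blocks.
WSF_MARKER = re.compile(rb"<\s*(job|package)\b", re.IGNORECASE)
SCRIPT_LANG = re.compile(rb"<\s*script[^>]*\blanguage\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def classify_wsf(data: bytes):
    """Return the sorted script languages if data looks like a WSF file, else None."""
    if not WSF_MARKER.search(data[:512]):
        return None
    return sorted({m.group(1).decode("ascii", "replace").lower() for m in SCRIPT_LANG.finditer(data)})


def find_wsf_attachments(raw_message: bytes):
    """List (attachment_name, member_name, languages) for every WSF found in a message.
    ZIP attachments are inspected member by member; anything else is checked as-is."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        members = [(name, payload)]
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # Cap member size so a decompression bomb cannot exhaust the scanner.
                members = [(zi.filename, zf.read(zi)) for zi in zf.infolist()
                           if not zi.is_dir() and zi.file_size < 1_000_000]
        for member_name, blob in members:
            langs = classify_wsf(blob)
            if member_name.lower().endswith(".wsf") or langs is not None:
                hits.append((name, member_name, langs or []))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample (not a real lure): a ZIP attachment holding a harmless two-language WSF."""
    wsf = (b'<job id="demo"><script language="VBScript">x = 1</script>'
           b'<script language="JScript">WScript.Echo("demo");</script></job>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("annual report.wsf", wsf)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "annual report", "a@example.invalid", "b@example.invalid"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()
```

A message with any hit is a candidate for stripping or quarantine at the gateway; the language list is also useful when triaging which interpreter a sample relies on.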
PROTECTION FOR ENTERPRISES
- Email and Gateway Protection: Trend Micro Cloud App Security, Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security address ransomware in common delivery methods such as email and web. Capabilities: spear phishing protection, malware sandbox, IP/Web reputation, document exploit detection.
- Endpoint Protection: Trend Micro Smart Protection Suites detect and stop suspicious behavior and exploits associated with ransomware at the endpoint level. Capabilities: ransomware behavior monitoring, application control, vulnerability shielding, web security.
- Network Protection: Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network. Capabilities: network traffic scanning, malware sandbox, lateral movement prevention.
- Server Protection: Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits. Capabilities: webserver protection, vulnerability shielding, lateral movement prevention.
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
- Protection for Small-Medium Businesses: Trend Micro Worry-Free™ Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware. Capabilities: ransomware behavior monitoring, IP/Web reputation.
- Protection for Home Users: Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat. Capabilities: IP/Web reputation, ransomware protection.
Related SHA1 hashes:
Additional insights and data by Franklynn Uy and Jon Oliver