SwordLea 2016/02/22
0x00 Overview
Antiy Security Research and Emergency Response Center (Antiy CERT) discovered a new ransomware family named Locky. It encrypts more than 100 file types using the RSA-2048 and AES-128 algorithms and drops a ransom note named _Locky_recover_instructions.txt in every directory that contains encrypted files. Analysis by Antiy CERT researchers found that the ransomware is spread by spam, and that it is the first Bitcoin ransomware with a Chinese-language ransom prompt.
0x01 Sample Analysis
1.1 Sample Label
| Attribute | Value |
|---|---|
| Virus name | Trojan/Win32.Locky.a |
| Original file name | ladybi.exe |
| MD5 | FB6CA1CD232151D667F6CD2484FEE8C8 |
| Processor architecture | X86-32 |
| File size | 180 KB (184,320 bytes) |
| File format | BinExecute/Microsoft.EXE[:X86] |
| Timestamp | 42B63E17->2005-06-20 11:55:03 |
| Digital signature | No |
| Packer type | None |
| Compiler | Microsoft Visual C++ 6.0 |
| VT first upload time | 2016-02-16 10:53:39 |
| VT detection result | 41/55 |
1.2 Sample Functionality
The ransomware known as Locky holds the user's data hostage to extort money. It encrypts more than 100 file types using the RSA-2048 and AES-128 algorithms and at the same time drops a ransom note named _Locky_recover_instructions.txt in every directory that contains encrypted files.
Local behavior of the Locky sample: it copies itself to the system temporary directory %Temp% under the name svchost.exe; traverses the files on the system and checks whether each file's extension is in the sample's built-in list, encrypting the file if it is; creates the ransom note _Locky_recover_instructions.txt in multiple folders; creates _Locky_recover_instructions.bmp on the desktop and sets it as the desktop background to tell the user how to recover the encrypted files; adds related registry keys; and deletes the system restore snapshots.
Copies itself to the %Temp% directory as svchost.exe and adds a startup entry.
Encrypts hundreds of file types, as follows:
.m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .qcow2 .vdi .vmdk .vmx .gpg .aes .ARC .PAQ .tar.bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .djv .djvu .svg .bmp .png .gif .raw .cgm .jpeg .jpg .tif .tiff .NEF .psd .cmd .bat .sh .class .jar .java .rb .asp .cs .brd .sch .dch .dip .pl .vbs .vb .js .asm .pas .cpp .php .ldf .mdf .ibd .MYI .MYD .frm .odb .dbf .db .mdb .sql .SQLITEDB .SQLITE3 .asc .lay6 .lay .ms11 .sldm .sldx .ppsm .ppsx .ppam .docb .mml .sxm .otg .odg .uop .potx .potm .pptx .pptm .std .sxd .pot .pps .sti .sxi .otp .odp .wb2 .123 .wks .wk1 .xltx .xltm .xlsx .xlsm .xlsb .slk .xlw .xlt .xlm .xlc .dif .stc .sxc .ots .ods .hwp .602 .dotm .dotx .docm .docx .DOT .3dm .max .3ds .xml .txt .CSV .uot .RTF .pdf .XLS .PPT .stw .sxw .ott .odt .DOC .pem .p12 .csr .crt .key
Files whose path or filename contains any of the following strings are not encrypted:
tmp, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows
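The two rules above (extension list plus path exclusions) decide which files the sample touches. The following is an added example, not code from the Antiy report, that applies those rules to a file inventory so a defender can estimate which files on a host would be at risk. The report does not state whether the sample compares case-insensitively; this example assumes it does, because the extension list mixes cases (.DOC, .ARC, .NEF) and Windows paths are case-insensitive. The sample paths are constructed.

```python
# Added example (not code from the Antiy report): defensive triage helper that
# applies Locky's targeting rules as described in the report. A file is a
# target only if its name ends with one of the listed extensions AND its full
# path does not contain any of the excluded strings.
# ASSUMPTION (not stated in the report): both comparisons are case-insensitive.
from typing import Dict, Iterable, List

# Extension list exactly as published in the report, normalised to lower case.
TARGET_EXTENSIONS = frozenset(ext.lower() for ext in """
.m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3
.qcow2 .vdi .vmdk .vmx .gpg .aes .ARC .PAQ .tar.bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .djv .djvu
.svg .bmp .png .gif .raw .cgm .jpeg .jpg .tif .tiff .NEF .psd .cmd .bat .sh .class .jar .java .rb .asp
.cs .brd .sch .dch .dip .pl .vbs .vb .js .asm .pas .cpp .php .ldf .mdf .ibd .MYI .MYD .frm .odb .dbf .db
.mdb .sql .SQLITEDB .SQLITE3 .asc .lay6 .lay .ms11 .sldm .sldx .ppsm .ppsx .ppam .docb .mml .sxm .otg
.odg .uop .potx .potm .pptx .pptm .std .sxd .pot .pps .sti .sxi .otp .odp .wb2 .123 .wks .wk1 .xltx
.xltm .xlsx .xlsm .xlsb .slk .xlw .xlt .xlm .xlc .dif .stc .sxc .ots .ods .hwp .602 .dotm .dotx .docm
.docx .DOT .3dm .max .3ds .xml .txt .CSV .uot .RTF .pdf .XLS .PPT .stw .sxw .ott .odt .DOC .pem .p12
.csr .crt .key
""".split())

# Path/filename substrings that exempt a file, as listed in the report.
EXCLUDED_PATH_STRINGS = (
    "tmp", "Application Data", "AppData", "Program Files (x86)", "Program Files",
    "temp", "thumbs.db", "$Recycle.Bin", "System Volume Information", "Boot", "Windows",
)


def is_target(path: str) -> bool:
    """Return True if the rules described in the report would select this file."""
    lowered = path.lower()
    # Exclusion is a plain substring test over the whole path, so a folder or
    # file name that merely contains "temp" (e.g. template.docx) is also skipped.
    if any(s.lower() in lowered for s in EXCLUDED_PATH_STRINGS):
        return False
    filename = lowered.replace("/", "\\").rsplit("\\", 1)[-1]
    # endswith() keeps the leading dot, so ".db" does not match "x.mydb" but
    # does match multi-part entries such as ".tar.bz2" correctly.
    return any(filename.endswith(ext) for ext in TARGET_EXTENSIONS)


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Split a file inventory into files the sample would encrypt and files it would skip."""
    result: Dict[str, List[str]] = {"targeted": [], "skipped": []}
    for p in paths:
        result["targeted" if is_target(p) else "skipped"].append(p)
    return result


# Constructed sample inventory (not taken from the report).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",          # targeted
    r"C:\Users\alice\Pictures\IMG_001.NEF",           # targeted (upper-case extension)
    r"C:\backup\site.tar.bz2",                        # targeted (multi-part extension)
    r"D:\data\archive.ARC",                           # targeted
    r"C:\Users\alice\Documents\thumbs.db",            # skipped: "thumbs.db" exclusion
    r"C:\Users\alice\Documents\template.docx",        # skipped: contains "temp"
    r"C:\Users\alice\AppData\Roaming\notes.txt",      # skipped: "AppData" exclusion
    r"C:\Program Files\app\readme.txt",               # skipped: "Program Files" exclusion
    r"C:\Windows\System32\config.xml",                # skipped: "Windows" exclusion
    r"C:\Users\alice\Desktop\notes.exe",              # skipped: .exe is not in the list
]

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_PATHS).items():
        print(f"{bucket}:")
        for f in files:
            print("   ", f)
```

Because the exclusion is a substring match over the whole path, files such as template.docx or anything under a folder named Bootstrap are skipped as a side effect; when scoping an incident, do not assume such files are safe without checking them.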
Registry keys added by Locky:
```
HKCU\Software\Locky
HKCU\Software\Locky\id
HKCU\Software\Locky\pubkey
HKCU\Software\Locky\paytext
HKCU\Software\Locky\completed
HKCU\Control Panel\Desktop\Wallpaper "%UserProfile%\Desktop\_Locky_recover_instructions.bmp"
```
Deletion of system restore snapshots
Deletes all shadow copies by calling vssadmin.exe Delete Shadows /All /Quiet, so that the victim cannot use shadow copies to restore the system.
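The host-side artifacts listed above (svchost.exe dropped in %Temp%, the HKCU\Software\Locky keys, the wallpaper change, the ransom note files and the vssadmin shadow-copy deletion) are what endpoint telemetry would show. The following is an added example, not code from the Antiy report, that runs those indicators as detection rules over a small set of constructed process, registry and file events; the event schema and the sample events are assumptions for illustration.

```python
# Added example (not code from the Antiy report): detection rules for the
# local indicators the report describes, applied to constructed endpoint
# telemetry. Event schema (assumed): {"type": "process"|"registry"|"file", ...}.
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str, str]  # (severity, rule id, detail)

# Generic ransomware precursor: deleting volume shadow copies via vssadmin.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Directories where a real svchost.exe lives; anywhere else is suspicious.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
RANSOM_NOTES = ("_locky_recover_instructions.txt", "_locky_recover_instructions.bmp")


def check_event(ev: Event) -> List[Finding]:
    """Evaluate one telemetry event against the Locky indicators from the report."""
    hits: List[Finding] = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        cmdline = ev.get("cmdline", "")
        if image.endswith("\\svchost.exe") and not any(d in image for d in SYSTEM_DIRS):
            hits.append(("medium", "svchost_outside_system_dir",
                         f"svchost.exe started from {ev['image']} (Locky copies itself to %Temp%)"))
        if SHADOW_DELETE.search(cmdline):
            hits.append(("high", "shadow_copy_deletion",
                         f"shadow copies deleted: {cmdline}"))
    elif kind == "registry":
        key = ev.get("key", "")
        data = ev.get("data", "")
        if key.lower().startswith("hkcu\\software\\locky"):
            hits.append(("critical", "locky_registry_key", f"key written: {key}"))
        if key.lower() == "hkcu\\control panel\\desktop\\wallpaper" and \
                "_locky_recover_instructions" in data.lower():
            hits.append(("critical", "ransom_note_wallpaper", f"wallpaper set to {data}"))
    elif kind == "file":
        path = ev.get("path", "")
        name = path.lower().rsplit("\\", 1)[-1]
        if name in RANSOM_NOTES:
            hits.append(("critical", "ransom_note_dropped", f"ransom note created: {path}"))
    return hits


def scan(events: Iterable[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event and collect the findings."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        for severity, rule, detail in check_event(ev):
            findings.append({"severity": severity, "rule": rule, "detail": detail, "event": ev})
    return findings


# Constructed telemetry (not from the report); the first, seventh and ninth
# events are benign and must not be flagged.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "cmdline": "svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "registry", "key": r"HKCU\Software\Locky\id", "data": "CONSTRUCTED-ID"},
    {"type": "registry", "key": r"HKCU\Software\Locky\completed", "data": "1"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop\Wallpaper",
     "data": r"C:\Users\bob\Desktop\_Locky_recover_instructions.bmp"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Example\updater.exe"},
    {"type": "file", "path": r"C:\Users\bob\Documents\_Locky_recover_instructions.txt"},
    {"type": "file", "path": r"C:\Users\bob\Documents\quarterly.docx"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
```

The shadow-copy and out-of-place svchost.exe rules are not Locky-specific and are worth keeping as general ransomware precursors; the registry-key and ransom-note rules are family-specific and fire with high confidence.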
Network behavior:
- Send partial information about the infected machine to the C&C server.
- Download the RSA public key from the C&C server in preparation for subsequent encryption.
- Upload a list of files to be encrypted.
- Obtain prompts from the server based on the system language.
1.3 Related Techniques
1.3.1 Domain Generation Algorithm
The Locky sample first uses the RDTSC instruction to read the processor time-stamp counter and compares the result with a variable to decide whether to contact a domain produced by the domain generation algorithm or the IP address hard-coded in the sample. This gives the sample's network behavior some randomness.
Figure 1 Domain generation algorithm
The domain name is generated from a random value that is computed from the date on the infected machine.
Figure 2 Random value calculation
1.3.2 C&C Server
The victim host interacts with the server using HTTP POST requests. It accesses main.php on the C&C server with the following parameters:
| Parameter | Meaning |
|---|---|
| id | Randomly generated number |
| act | C&C control command |
| affid | Member ID |
| lang | Language used by the computer |
| corp | Unknown |
| serv | Unknown |
| os | Operating system |
| sp | Patch level |
| x64 | Whether the system is 64-bit |
All requests from the victim host are encrypted with a key hard-coded in the sample before being sent to the C&C server. Packets received from the server are also encrypted with a specific scheme, which Locky decrypts before using the data.
Part of an encrypted packet:
Figure 3 Packet content
Encryption algorithm for outgoing packets:
Figure 4 Encryption algorithm
Decryption algorithm applied to received data:
Figure 5 Decryption algorithm
1.3.3 Control Commands
Currently there are four known control commands: stats, getkey, report and gettext.
| Command | Function |
|---|---|
| stats | Sends basic information, such as the number of files encrypted successfully, the number of files that failed to encrypt, and the length. |
| getkey | Downloads the RSA public key used for encryption from the server. |
| report | Sends the list of encrypted files to the server. |
| gettext | Requests the text that tells the user how to decrypt. The C&C server returns the prompt in the language reported by the computer: for example, Chinese is returned if the computer sent zh, and English if it sent en. |
The Chinese prompt is as follows:
Figure 6 Prompt content
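The parameter table in 1.3.2 and the command table above describe the request format a victim sends to main.php, and the network-behavior list in 1.2 gives the order in which the commands occur (stats, then getkey, then report, then gettext). The following is an added example, not code from the Antiy report, that parses decoded request bodies in that format and summarises how far an infection progressed. It assumes the bodies have already been decrypted with the sample's hard-coded key (Figures 4 and 5, not reproduced here); the parameter names come from the report, and all sample values are constructed.

```python
# Added example (not code from the Antiy report): parser for decoded main.php
# request parameters and a per-victim summary of the C&C session.
# ASSUMPTION: the caller has already decrypted the request body; the sample
# bodies below are constructed, only the parameter names come from the report.
from typing import Dict, List
from urllib.parse import parse_qs

EXPECTED_PARAMS = ("id", "act", "affid", "lang", "corp", "serv", "os", "sp", "x64")

# Known commands in the order the report's network-behavior list gives them.
COMMAND_SEQUENCE = ("stats", "getkey", "report", "gettext")
COMMAND_MEANING = {
    "stats": "sent host statistics (encrypted / failed file counts)",
    "getkey": "requested the RSA public key used for encryption",
    "report": "uploaded the list of encrypted files",
    "gettext": "requested the ransom note in the host language",
}


def parse_request(body: str) -> Dict[str, object]:
    """Parse one decoded request body; flag unknown commands and missing parameters."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    act = params.get("act", "").lower()  # the report shows both getKey and getkey
    return {
        "params": params,
        "act": act,
        "known": act in COMMAND_MEANING,
        "missing": [p for p in EXPECTED_PARAMS if p not in params],
    }


def session_summary(bodies: List[str]) -> Dict[str, object]:
    """Summarise a sequence of decoded requests from one victim host."""
    parsed = [parse_request(b) for b in bodies]
    seen = [p["act"] for p in parsed]
    known_seen = [c for c in COMMAND_SEQUENCE if c in seen]
    first = parsed[0]["params"] if parsed else {}
    return {
        "victim_id": first.get("id"),
        "affid": first.get("affid"),
        "lang": first.get("lang"),
        "x64": first.get("x64") == "1",
        "commands": seen,
        # Furthest point in the report's sequence this host reached; "report"
        # or later means the file list was uploaded, i.e. encryption ran.
        "stage_reached": known_seen[-1] if known_seen else None,
        "unknown_commands": sorted({a for a in seen if a not in COMMAND_MEANING}),
        "timeline": [COMMAND_MEANING.get(a, f"unknown act '{a}'") for a in seen],
    }


# Constructed sample session (decoded bodies); values are illustrative only.
COMMON = "id=1234567890&affid=3&lang=zh&corp=0&serv=0&os=Windows+7&sp=1&x64=0"
SAMPLE_REQUESTS = [
    COMMON + "&act=stats",
    COMMON + "&act=getKey",
    COMMON + "&act=report",
    COMMON + "&act=gettext",
]

if __name__ == "__main__":
    summary = session_summary(SAMPLE_REQUESTS)
    print(f"victim {summary['victim_id']} affid={summary['affid']} lang={summary['lang']}")
    for step in summary["timeline"]:
        print("  -", step)
    print("stage reached:", summary["stage_reached"])
```

During incident response the lang value confirms which ransom note the host was served, and a session that never reaches getkey indicates the C&C server did not hand out a public key, which matters when assessing whether files were actually encrypted.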
0x02 Summary
According to Antiy CERT's current analysis, the functionality of the Locky ransomware is basically the same as that of the ransomware analyzed previously [1]. Ransomware is hard to trace because it uses Bitcoin for payment, and it can be hugely lucrative for attackers; once infected, users can only pay to decrypt or give up their files. Antiy CERT reminds users that paying the ransom does not guarantee full recovery of the encrypted files. To prevent data from being encrypted, users should pay more attention to ransomware defense, develop good Internet habits, and not casually open documents of unknown origin.
Locky, like other ransomware, encrypts users' data and extorts money from them. Unlike other ransomware, it is the first Bitcoin ransomware with a Chinese prompt, indicating that ransomware authors' target range will gradually expand and more localized versions will appear.
Antiy CERT predicts more similar ransomware attacks in China in the future, so defending against ransomware is becoming one of the important tasks in protecting network security.
0x03 Appendix
I. References
- [1] Uncovering the face of ransomware, www.antiy.com/response/ra…