Weekly Executive Summary for Week September 07, 2017

What is it? Ransomware

What has it been dubbed? Locky | Diablo | Diablo6 | Lukitus

What does it do?

Locky ransomware was first released in 2016; since then numerous variants have been observed in the wild, the two most recent being Lukitus and Diablo6. The ransomware was one of the first to become globally successful and, at one time, one of the most common forms of ransomware in use. According to researchers at Fortinet, so many variants have been released since 2016 that there is confusion about how to name them.

The malware is delivered through spam emails that contain malicious attachments (i.e., a PDF, Word document, zip file, etc.). The attachment usually contains a VBA (Visual Basic for Applications) script that is used to download the actual ransomware. The original Locky malware appended the .locky extension to all encrypted files; the Diablo6 variant appends .diablo6, and the Lukitus variant appends .lukitus to the end of encrypted files. The desktop background of the infected computer is changed to display the ransom note, and a diablo6.htm or lukitus.htm file is dropped that also contains the note with instructions for victims to decrypt their data.

According to researchers at Fortinet, the email campaigns seem to have hit the United States and Austria the hardest, and some researchers say that the ransomware will delete itself from an infected machine if the local language is Russian.

How does it do it?

The malware is being distributed in a malicious spam campaign that utilizes the Necurs botnet. The Necurs botnet makes use of compromised endpoints to send out millions of emails, and it is used to deliver both banking trojans and ransomware. One of the diablo6 samples seems to have been delivered in emails that contain a .zip file (the zip file’s name is the same as the subject line of the email); this zipped file contains a VBA script used as a downloader.

Source: BleepingComputer

The downloader script will contain one or more URLs which are used to actually download the ransomware to the %Temp% folder, where it is then executed. Once it has been downloaded, Locky will scan the victim’s system and encrypt all files. After files are encrypted the malware adds the .diablo6 or .lukitus extension to the end of each file; this is how researchers have named these variants.

The renamed files will have this format:

[8 hexadecimal chars of id][4 hexadecimal chars of id] – [4 hexadecimal chars of id][8 hexadecimal chars of id] – [12 hexadecimal chars of id].diablo6

Ex: E87091F1D24A-922B00F6B11272BB7EA6EADF.diablo6 (BleepingComputer)

After Locky has encrypted all files on the infected computer it deletes the downloaded executable, then changes the background of the system to show the ransom note, which is also included in diablo6.htm or lukitus.htm, depending on which variant was used.

Source: BleepingComputer
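The renamed-file format and the dropped ransom-note files give a host-side indicator that an endpoint or file server has already been hit. The scanner below is an added example, not part of the report: it classifies a file listing by Locky-family extension and ransom-note name. The regular expression is deliberately loose about the length of the hexadecimal groups (an assumption, since the exact grouping differs between write-ups), and the sample paths are constructed.

```python
import os
import re
from collections import Counter

# Locky-family encrypted names: dash-separated hexadecimal groups plus the variant extension.
# Assumption: group lengths are left loose so all published groupings of the format match.
ENCRYPTED_NAME = re.compile(r"^[0-9A-F]{8,}(?:-[0-9A-F]{4,})+\.(locky|diablo6|lukitus)$", re.I)
# Ransom-note file names mentioned in the report.
RANSOM_NOTES = {"diablo6.htm", "lukitus.htm"}

def scan_listing(paths: list) -> dict:
    """Count encrypted files per variant and per directory, and collect ransom-note paths."""
    variants = Counter()
    directories = Counter()
    notes = []
    for p in paths:
        directory, base = os.path.split(p)
        m = ENCRYPTED_NAME.match(base)
        if m:
            variants[m.group(1).lower()] += 1
            directories[directory] += 1
        elif base.lower() in RANSOM_NOTES:
            notes.append(p)
    return {"variants": dict(variants), "directories": dict(directories), "ransom_notes": notes}

def verdict(report: dict, min_files: int = 3) -> str:
    """'infected' when a ransom note is present or any variant has at least min_files hits."""
    if report["ransom_notes"]:
        return "infected"
    if any(n >= min_files for n in report["variants"].values()):
        return "infected"
    return "clean"

# Constructed listing: the report's example file name, two more in the same format, and a note.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/E87091F1D24A-922B00F6B11272BB7EA6EADF.diablo6",
    "C:/Users/alice/Documents/0A1B2C3D-4E5F-6789-ABCD-0123456789AB.diablo6",
    "C:/Users/alice/Pictures/FFEEDDCC-BBAA-9988-7766-554433221100.diablo6",
    "C:/Users/alice/Desktop/diablo6.htm",
    "C:/Users/alice/Documents/budget.xlsx",
]

if __name__ == "__main__":
    report = scan_listing(SAMPLE_LISTING)
    print(report, verdict(report))
```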

A user is instructed to download and install the Tor Browser and then visit a unique .onion address for further payment instructions. The decryptor Tor payment site has asked for 0.49 bitcoin, which is around $2200 USD (as of today).

Source: BleepingComputer

Researchers at Malwarebytes have compiled a list of Locky extensions used over the last two years; it is a good indication of how many variants have been seen in a short amount of time.

Source: Malwarebytes

Numerous security researchers have stated that there is no way to decrypt files encrypted by the Locky ransomware. Shadow copies (the snapshots Windows keeps of files while they are in use) are also deleted, leaving little to no chance of recovery.

Conclusion:

Ransomware and spam emails carrying malicious files and documents are by no means a new attack vector, but they prove to be just as effective time after time. Attackers make adjustments to the code base of existing malware to evade signature detection by some AV products.

In the case of the latest variants of Locky, the developers have made adjustments that make static analysis by researchers more difficult. Static analysis is done in a non-runtime environment, while dynamic analysis is done while a program is executed; the change forces researchers to use different techniques for analysis.

As mentioned before, spam emails with malicious attachments are an extremely effective attack vector for threat actors even today. Educating employees in your organization about the various tactics and tricks used by attackers is essential. There are a number of phishing frameworks which allow IT professionals to test, train, and teach users about the dangers of spam emails. Gophish is a free, open-source phishing framework that lets both large and small businesses run phishing simulations against their own company.

Sources:

https://www.webroot.com/blog/2017/08/17/locky-ransomware-resurges-diablo-lukitus/ (WEBROOT)

http://www.zdnet.com/article/locky-ransomware-is-back-from-the-dead-again-with-new-diablo-variant/ (ZDNet)

https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/ (SOPHOS)

https://blog.fortinet.com/2017/08/15/locky-strikes-another-blow-diablo6-variant-starts-spreading-through-spam (FORTINET)

https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-with-spam-campaign-pushing-diablo6-variant/ (Bleeping Computer)