Select Page

Cyren Security Blog

Locky Developers Continue to Enhance Ransomware Delivery and Operation

In the past week we have seen a resurgence of Locky malware emails. Some examples of the attachment filenames (there are many variations):

DETAILS_%username%_291866.ZIP->extracted file: unpaid-166.js

%username%_ADDITION_744341.ZIP-> extracted file:addition-0106.js

%username%_INVOICE_337060.ZIP-> extracted file:unpaid-643.js

SERVICES_%username%_793350.ZIP-> extracted file:addition-3247.js

%username%_SCANNED_869621.ZIP-> extracted file:unpaid-6981.js

%username%_UNPAID_116521.ZIP-> extracted file:unpaid-8255.js

legend: %username% = local part of the email address ex.

Locky's Spam Email

Here’s what the obfuscated JavaScript sample looks like:

Locky's Obfuscated JS Script

Upon dissecting the script and assembling it into a readable form, we found that it uses a new technique for downloading Locky’s binary executable. Unlike the old Locky JS script that only has a “download and execute” routine, the new Locky JS script now uses a decryption routine before running the binary executable as seen in the snapshot below:

Locky's New Download Execute Algorithm

Here’s the snapshot of the downloaded Locky Encrypted and Decrypted Binary:

Locky's Encrypted and Decrypted Binary

Locky first attempts to connect to the following hardcoded IP address found in the malware body (see snapshot below) before it uses the Domain Generator Algorithm (DGA) to download configuration files.

Hardcoded Config

List of Hardcoded Locky Server IP address:

  • http://185(dot)82(dot)216(dot)60/upload/_dispatch.php
  • http://217(dot)12(dot)223(dot)88/upload/_dispatch.php
  • http://195(dot)123(dot)209(dot)227/upload/_dispatch.php
  • http://93(dot)170(dot)169(dot)188/upload/_dispatch.php

Sample list of domains generated by Locky’s DGA at the time of this writing:

Locky's DGA

Best Practices

In addition to Internet security protection at the web and email gateway – such as that provided by CYREN – businesses should implement a multi-layered security approach that includes strong endpoint protection, and a robust data backup capability to ensure that ransomware infections don’t cripple a business.

This needs to include strong end-user education about cyber security, training users to be very vigilant when opening emails from unknown sources and avoiding opening attachments that are executable. Microsoft Office macros should always remain disabled (which they are by default).

You might also like

11 Types of Social Engineering Attacks

What is social engineering? Social engineering attacks are the manipulation of individuals to the point that they give up confidential information. The type of information these attackers may seek varies, but when individuals or employees are targeted, they more often...

Phishing Targets Phantom Wallet

The Solana Phantom Wallet by Kervin Alintanahin Phantom is a browser based crypto wallet where you can store, send, receive, stake and exchange tokens in the Solana blockchain. With the skyrocketing prices of crypto currencies including SOL, a crypto wallet is one of...