SonicWall Security Center


Huge wave of Locky Ransomware spread via Javascript spam (Feb 19th, 2016)



Description


The Dell SonicWALL Threats Research team has come across a new ransomware family called Locky. Ransomware is still on the rise and shows no sign of stopping anytime soon. As predicted, the team has seen an increase both in new ransomware families and in ransomware targeted at large corporations. It recently made headline news when a US hospital paid $17,000 in bitcoins to recover critical files. Our analysts identified the malicious executable as being associated with ransomware as a service (RaaS): threat actors configure these executables to encrypt various files found on an infected system, and the RaaS provider takes a portion of the ransom paid by victims as payment. Ransomware is an increasingly lucrative business, and Locky is yet another malware family trying to cash in on a growing criminal market.

Infection Cycle:

The Trojan is spread via email spam using a JavaScript attachment. The scripts are polymorphic: each copy [Detected as GAV: JS.Camelot.A (Trojan)] is uniquely obfuscated using words from the English dictionary.

The script downloads the Locky ransomware executable file and runs it:

The Locky Trojan executable file uses the following icon:

The Trojan makes the following DNS queries:

      wblejsfob.pw
      cgavqeodnop.it
      kqlxtqptsmys.in
      pvwinlrmwvccuo.eu
      sso.anbtr.com

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Cookies\_Locky_recover_instructions.txt
  • %USERPROFILE%\Desktop\_Locky_recover_instructions.bmp
  • %USERPROFILE%\Desktop\_Locky_recover_instructions.txt
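The DNS names and the dropped ransom-note file names above are the indicators a defender can hunt with. The script below is an added example, not SonicWall's code or part of the original alert: it matches constructed sample DNS log lines and file paths against those indicators. The DNS log line layout is an assumption (adapt DNS_LINE to your resolver's format); the sample data is constructed. It treats subdomains of a listed name as hits but leaves the parent domain (anbtr.com) alone, since only sso.anbtr.com is listed, and compares note file names case-insensitively because NTFS is.

```python
"""Added example (not SonicWall code): check DNS query logs and file
paths against the Locky indicators listed in this alert.

The DNS log line layout below is an assumption; adapt DNS_LINE to the
format your resolver actually writes.
"""
import re
from typing import Iterable, List, Tuple

# DNS names the alert reports the Trojan querying.
LOCKY_DNS_IOCS = frozenset({
    "wblejsfob.pw",
    "cgavqeodnop.it",
    "kqlxtqptsmys.in",
    "pvwinlrmwvccuo.eu",
    "sso.anbtr.com",
})

# Ransom-note file names the alert reports being dropped under %USERPROFILE%
# (stored lower-case; comparison is case-insensitive).
LOCKY_NOTE_NAMES = frozenset({
    "_locky_recover_instructions.txt",
    "_locky_recover_instructions.bmp",
})

# Assumed log line layout: "<date> <time> <client-ip> query: <qname> <qtype>"
DNS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'SSO.ANBTR.COM.' still matches."""
    return qname.rstrip(".").lower()


def match_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, qname) pairs for queries to an IOC name or a subdomain of one.

    Lines that do not parse are skipped rather than raising, since real logs
    contain noise. The parent 'anbtr.com' is deliberately NOT a hit: only
    'sso.anbtr.com' and names beneath it are listed in the alert.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = normalize_qname(m.group("qname"))
        if any(qname == ioc or qname.endswith("." + ioc) for ioc in LOCKY_DNS_IOCS):
            hits.append((m.group("client"), qname))
    return hits


def match_note_paths(paths: Iterable[str]) -> List[str]:
    """Return the paths whose file name is one of the Locky ransom notes.

    Accepts Windows or POSIX separators and compares case-insensitively.
    """
    hits: List[str] = []
    for p in paths:
        base = p.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() in LOCKY_NOTE_NAMES:
            hits.append(p)
    return hits


# Constructed sample data (not captured from a real infection).
SAMPLE_DNS_LOG = [
    "2016-02-19 10:14:02 10.0.0.15 query: wblejsfob.pw A",
    "2016-02-19 10:14:03 10.0.0.15 query: www.example.com A",
    "2016-02-19 10:14:05 10.0.0.22 query: SSO.ANBTR.COM. A",
    "2016-02-19 10:14:07 10.0.0.15 query: kqlxtqptsmys.in A",
    "2016-02-19 10:14:09 10.0.0.30 query: anbtr.com A",
    "this line is garbage and must be skipped",
]

SAMPLE_PATHS = [
    r"C:\Users\alice\Cookies\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.bmp",
    r"C:\Users\alice\Desktop\notes.txt",
    "/mnt/share/bob/_LOCKY_RECOVER_INSTRUCTIONS.TXT",
]

if __name__ == "__main__":
    for client, qname in match_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} -> {qname}")
    for path in match_note_paths(SAMPLE_PATHS):
        print(f"ransom note: {path}")
```

Run it as-is to see the three DNS hits and three note paths from the sample data; in practice, feed match_dns_log the resolver log and match_note_paths a file listing from the host or file server, and treat any hit as a host to isolate.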

The Trojan encrypts various user-created files on the system and sends the encryption keys to a remote key storage server.

It then causes the following two messages to be displayed on the desktop:

The links in those messages lead to a page hosted on the Tor anonymity network, which instructs the user on how to make a payment in bitcoins to restore their files.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Locky.A (Trojan)
  • GAV: JS.Camelot.A (Trojan)


