The latest headlines read like it’s the early 2000s: users around the globe are being financially extorted and having their files held captive by ransomware. The only way to regain access to your data – which may include irreplaceable photos, videos, documents and personal files – is to buy the decryption key from the crooks using a variety of shady payment methods via the Dark Web. But the stories surrounding the Locky ransomware family are concerning for reasons that go deeper than the flashy news headlines.
We have observed several long and sustained ransomware campaigns by Locky from early February 2016 onward. Early estimates state that Locky is currently infecting over 90,000 machines a day, with the attackers asking between 0.5 to 1 Bitcoin (around $450) to unlock each machine. With no available fix or patch for a machine infected with ransomware (even the FBI has been defeated by ransomware cryptography), the problem currently seems to have no solution.
Ransomware attacks overall have proliferated in recent years. CryptoLocker alone procured an estimated $3 million before authorities acted to take it down. CryptoWall was estimated to have raked in over $18 million by June 2015, with over 1,000 victims contacting the FBI’s Internet Crime Complaint Center to report infections.
For the victim, paying the ransom may seem to be the best of a set of bad options. However, even if the ransom is paid, there is no guarantee that the attackers won’t simply take the money and demand more, or just refuse to decrypt your files, period. The FBI has previously issued a warning about ransomware, the top takeaways being not to pay out any money or supply any personal information to the cyber-crooks, and to report the incident to the Internet Crime Complaint Center. Even after posting this advice, the FBI goes on to caution users that ransomware can continue to operate in the background, logging keystrokes and capturing other personal information, even after professional services have cleaned and attempted to restore the machine.
In the early days, the biggest issue with ransomware for both the attackers and the victims was shoddy and unpredictable coding. Many of the in-the-wild variations of ransomware were so poorly written that affected files were either irreversibly damaged by the encryption, or non-recoverable due to improper implementations of the encryption scheme.
Since the first identified piece of basic ransomware in 1989, the 'AIDS' Trojan which encrypted the user’s hard drive and demanded $189 to unlock it, ransomware has grown in both sophistication and in its potential to cause greater widespread devastation. Fast forward to today and we see ransomware attacks like the one on the Hollywood Medical Center, caused by an as-yet undisclosed piece of ransomware, which left the victim’s systems crippled for several weeks while the hackers demanded millions of dollars in Bitcoin to unlock medical systems containing confidential patient records and time-sensitive medical test results.
While Locky is the newest strain of ransomware to emerge to date, the basics of ransomware attacks have never changed since the early days. However, better encryption implementations and the emergence of digital crypto-currencies such as Bitcoin have ushered in a whole new wave of highly successful ransomware and associated criminal activity – after all, the key to an attacker conducting a successful ransom is a secure and untraceable payment system. The current breed of ransomware is far more prolific, predictable, stable and successful. The adversary is now able to very tightly control the post-detonation time limits, payment methodology, and spreading/infection methods. Added to that, these days we even have so-called turn-key services for non-technical folks to get in on the ransomware money-grab, such as Ransom32, Tox (defunct), and so on.
The Locky family has a few other tricks up its sleeve. For example, it directly targets and destroys local VSS data (Volume Snapshot Service, aka Shadow Copies). VSS is intended to protect the computer by providing a backup of critical system files and data. By deleting and destroying this data, Locky is able to circumvent typical recovery methods embraced by victims of other less sophisticated ransomware families such as System Restore. In addition, Locky is highly aggressive when it comes to affecting files on mapped and connected network resources. Any file on a mapped or mounted connected drive, such as internal or external backup drives, will also be encrypted. The platform of the remote network resource does not matter. If the infected Windows host has mounted or mapped shares on *NIX and/or Mac OS hosts, the files on said hosts will be encrypted.
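As an added example (not code from the Cylance post), here is a small Python triage routine that flags shadow-copy deletion in process-creation events, the kind of VSS destruction described above, and rates it higher when the deleting process was spawned by a document viewer or script host. The sample events are constructed, and the assumption that deletion shows up as vssadmin or wmic command lines is mine; the post does not name the mechanism Locky uses.

```python
import re

# Constructed sample process-creation events, loosely modelled on the fields
# of Windows Security Event ID 4688 (hypothetical data, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": "WINWORD.EXE",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-01", "parent": "explorer.exe",
     "cmdline": "WINWORD.EXE /n invoice_0312.doc"},
    {"host": "WS-03", "parent": "wscript.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-04", "parent": "backupagent.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS-05", "parent": "services.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},
]

# Command lines that remove Volume Shadow Copies. These are well-known
# administrative commands; treating them as the indicator is an assumption
# of this example, the post itself does not name the mechanism Locky uses.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Parents that should never legitimately be deleting shadow copies:
# document viewers (macro-launched children) and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

def classify_event(event):
    """Return 'high', 'medium' or None for a single process-creation event."""
    if not any(p.search(event["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
        return None
    # Deletion launched from a document or script host: almost certainly malicious.
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        return "high"
    # Otherwise still worth a look: backup tooling rarely wipes every copy.
    return "medium"

def scan_events(events):
    """Return (host, severity, cmdline) for every event that deletes shadow copies."""
    findings = []
    for ev in events:
        severity = classify_event(ev)
        if severity is not None:
            findings.append((ev["host"], severity, ev["cmdline"]))
    return findings
```

Feeding real 4688 or Sysmon process-creation records into `scan_events` only requires mapping their parent-image and command-line fields onto the three keys used here.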
This makes the recovery scenario even more confusing and troublesome. Even if you pay up, you’ll still need to make sure that you decrypt everything that was affected. If a temporarily mapped share was encrypted by the ransomware and you miss it during the initial decryption, you may later be unable to decrypt that drive at all. Worse still, if you miss the posted deadline for payment, for instance because you are on vacation when the infection hits, you may find yourself left with zero options for recovery.
Other technical details on Locky have been well covered to date in multiple write-ups and locations. Encryption is handled via the Windows CryptoAPI. First, a 2048-bit RSA key is fetched from the remote C2 server and imported by the victim host. That RSA key is then used to encrypt the AES (128-bit) keys, which in turn are used to encrypt the files on the host; a fresh AES key is randomly generated for each file that is encrypted. Files are selected for encryption based on extension, and when all is said and done, the victim is left with a host full of encrypted files and an altered desktop image with instructions on how to make payment (BTC via a victim-specific .onion URL).
Regardless of any secondary feature that may be present (network drive encryption, VSS destruction, etc.), we must not kid ourselves that this is something new. This is the same attack scenario and result that worked for ransomware creators in the early 2000s (GPCoder and similar). This type of attack has been occurring for well over 10 years. The behavioral patterns are all the same. The programmatic results are the same. It should be a wake-up call for an industry where the 'old guard' body of traditional AV countermeasures can't seem to keep up, catch up or fully understand the regimented and well-documented chain of events that leads to the exact same result every time: well-meaning user clicks bad stuff -> bad stuff runs -> bad stuff encrypts or destroys data.
In the context of some of the victims, Locky is certainly interesting. However, this is not a novel or advanced attack technique. In this day and age, especially after seeing this pattern repeat itself time and time again, Locky should be low hanging fruit for AV software, and it should certainly still not be making news headlines and wreaking havoc on our healthcare and financial infrastructure.
Whenever Cylance runs across a piece of malware like those in the Locky family, we take it as the perfect opportunity to test the efficacy of our machine learning and artificial intelligence based endpoint protection product.
Here are the details of our latest tests:
Locky’s operators have been rapidly adapting their malware and tactics to continually deliver fresh payloads to unsuspecting victims. The names of the ZIP files are constantly changing, and both Microsoft Word documents and ActiveMIME documents have previously been observed carrying the payloads. CylancePROTECT provides protection against both unwanted scripts and malicious macros, so the Locky infection process is terminated before an executable ever gets delivered to the system.
We took a handful of final Locky payloads that were deployed the week of March 1-8, 2016, and tested each one against CylancePROTECT:
CylancePROTECT detected 100% of the variants using a mathematical model that was originally generated in August 2015. This means that the CylancePROTECT agent has essentially been untouched for close to 7 months. No new updates have been provided to it to help it combat the Locky samples released in March 2016.
Traditional AV’s results were scattered across the board, with some variants detected by two companies and others detected by thirty. (Bear in mind that all AV products were fully patched and updated with their most recent DATs prior to testing.)
The bottom line is that no other solution even came close to detecting and preventing EVERY SINGLE Locky sample from launching its attack. When CylancePROTECT’s performance is compared to that of traditional signature based methods, there wasn’t even a contest:
Fig. 1: Every Locky sample was quarantined by CylancePROTECT
Locky and similar families of ransomware use very predictable methods of attack and are the complete antithesis of stealth. While traditional endpoint products are scrambling to blacklist or build generic and heuristic detection well after Day Zero and countless infections, CylancePROTECT is (and always has been) able to detect and prevent execution of Locky and similar families of ransomware, using mathematical models built long before the actual malware was created.