Ransomware Encrypts Local, Network Files

Monday, February 22, 2016 @ 05:02 PM gHale

A new ransomware uses AES encryption algorithm to encrypt local files and files on network shares.

The ransomware, called Locky, is the second type of malware discovered in the past few weeks encrypting data on unmapped network shares, which suggests others may soon follow suit.

Ransomware Code Cracked
Ransomware Targets Android Users
Exploiting a Flaw in Ransomware
OpenSSH Flaw could Leak Private Keys

While malware developers are smart programmers, they do like to use what works and Locky uses techniques already observed in other ransomware.

One of the things it borrowed from other programs is it completely changes the filenames for encrypted files to make it more difficult to restore data.

The ransomware is going out via fake invoice emails that contain Word document attachments with malicious macros. When the user enables macros to view the content of the document, the Locky ransomware downloads from a remote server and executes, and it immediately begins encrypting files.

When started, Locky creates and assigns a unique 16 hexadecimal number to the victim’s computers, when will scan all drives and unmapped network shares for files to encrypt. The malware uses the AES encryption algorithm and targets only file extensions matching a certain criteria, said researchers at BleepingComputer, which discovered the ransomware.

The malware will skip files that contain the following strings in their full pathname and filename: tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows.

All encrypted files are automatically renamed to [unique_id][identifier].locky, with the unique ID and other information also embedded at the end of the encrypted file. Additionally, the malware will delete all of the Shadow Volume Copies on the machine, to prevent victims from using these to restore their files.

The malicious program places a ransom note called _Locky_recover_instructions.txt in each folder where it encrypts files, providing victims with info on what happened to their files and with links to the decrypter page. Additionally, the ransomware changes the desktop wallpaper to a .bmp image that contains the same instructions as the text ransom notes, and asks users to pay 0.5 bitcoins to recover their files.

Locky also stores various information in the registry, including the unique ID assigned to the victim, the RSA public key, the text in the ransom notes, and details on whether it finished encrypting the computer. The Locky Decrypter Page shows information on how to purchase bitcoins to pay the ransom, and provides victims with a decrypter when payment gets to the assigned bitcoin address.