Locky Stages Comeback Borrowing Dridex Delivery Techniques

The ransomware that defined much of the phishing threat landscape in 2016 raged back into prominence on April 21, 2017 with multiple sets of phishing email messages. Harkening back to narratives used throughout 2016, these messages leveraged simple, easily-recognizable, but perennially-effective phishing lures to convince recipients to open the attached file.

Figure 1 – “Payment receipt” and “Scanned image” are two examples of simple phishing narratives that have proven successful in the past and are once again used to deliver Locky.

However, the methods used to deliver the Locky payload are significantly different from those used for much of 2016. Instead, these newest Locky distributions leveraged a technique that has become popular in the distribution of the Dridex botnet malware, as documented in PhishMe’s April 18th post on that malware’s distribution methodology.

The technique in play with these phishing attacks attempts to take advantage of the awareness and education surrounding macro-based delivery as it has proliferated over the past few years. As more and more threat actors utilized this technique, it became clear to both defenders and potential victims what these attacks look like and how they work. This has created an increasingly less advantageous environment for threat actors using Office macro documents. The recent distribution of the Dridex malware using this technique in conjunction with a PDF document broke from the expectations set for potential victims about how this technique looks. The threat actors seek to defy the expectations created by the increased awareness about Office macro attacks by altering how they are presented to victims.

As PhishMe documented in earlier coverage of the Dridex malware, these PDF attachments use a relatively simple and straightforward infection process. Upon opening the PDF, the recipient is prompted to give permission for the PDF reader application to open a second file. This second file, extracted from within the PDF document, is a Word document with a macro script application used to download a Dridex payload. This adds another unexpected step to the infection process and thereby breaks from the common technique used to deliver macro documents. Figures 2 and 3 show the two-steps used by the threat actor to convince victims to engage with the macro document.

Figure 2 – PDF reader requests permission to extract and open a Word document

Figure 3 – Word document is displayed to the victim along with the option to enable macro content

Following the 2016 holiday season, Locky distributions seemed to evaporate, leaving only a handful of small distributions throughout the first quarter of 2017. During that period, several other ransomware varieties appeared on the phishing landscape and the ever-present Cerber encryption ransomware maintained a significant share of the ransomware market. The lucrative business of ransomware is one that threat actors were unlikely to abandon. Furthermore, a robust tool like the Locky encryption ransomware likely provides a reliable means to turn profits in that market. The reinvigorated distribution of Locky serves to reinforce that while there was an extended hiatus, this ransomware is here to stay.

Figure 4 – Following the 2016 holiday season Locky distributions plummeted, but new aggression in distribution may change that.

Locky itself seems to still carry out its same functionality with cruel efficiency, seeking out and encrypting a wide variety of valuable and mission-critical documents and files on victims’ machines. Its all-too-familiar ransom notes are still sport a red-on-black color scheme and direct victims to a bland, beige payment site. One notable fact is the request that victims install the Tor browser to view the ransom payment site. This is likely in response to the blocks frequently put into place by Tor proxy services such as Tor2Web.org and the burden of maintaining a dedicated Tor2Web proxy site.

Figure 5 – The Locky ransomware has a distinctive, utilitarian look and feel that is all too familiar.

These most recent Locky distributions present an ambitious ransom amount on the payment site—one Bitcoin. At the time of publication, the asking price for one Bitcoin was over 1200 USD and over 1100 Euro. This is a significant increase over many of the ransoms observed in 2016 that ranged from 300 USD to 500 USD in equivalent Bitcoin.

Figure 6 – Instructions for victims to send 1 BTC to the threat actors’ wallet and be patient as the threat actors process the payment

Despite the apparent ambition and aggression demonstrated by these reinvigorated Locky distributions, these threat actors have not yet found a guaranteed recipe for success. The best efforts of these attackers can still be foiled by a holistic phishing defense strategy. Robust user education and empowerment turns potential victims into assets who can identify and report attacks in near-real-time to those tasked with defending an enterprise. These defenders can then couple that internal intelligence collection with external threat intelligence to gain insight into the context for how and where phishing attacks are being carried out and the resources used to support them.

Indicators related to these newest Locky attacks.

URIs providing Locky executables:

hola://abcenglishclub[.]com/9yg65

hola://aielloengineering[.]com/9yg65

hola://aim-controls[.]com/9yg65

hola://bhmech[.]com/9yg65

hola://cindysplace[.]net/9yg65

hola://clayhero[.]com/9yg65

hola://dont[.]pl/9yg65

hola://ercelectronics[.]com/9yg65

hola://erius[.]nl/9yg65

hola://flexza[.]net/9yg65

hola://labprocomalumnos[.]site/9yg65

hola://rootcellar[.]us/9yg65

hola://ros-jurist[.]ru/9yg65

hola://sgph[.]comcastbiz[.]net/9yg65

hola://sherwoodbusiness[.]com/9yg65

hola://uwdesign[.]com[.]br/9yg65

hola://weijingart[.]com/9yg65

Ciphered Locky payload:

9yg65/tymbado2 – 4778ae5882e85897d481f1f278171e02

De-obfuscated Locky payload on disk:

redchip2.exe – ff19b6df5d38d754a7cbfb6acbb5157b

Locky command and control resources:

hola://188[.]120[.]239[.]230/checkupdate

hola://80[.]85[.]158[.]212/checkupdate

Locky ransom payment site:

g46mbrrzpfszonuk[.]onion

PhishMe Intelligence customers can find the full set of indicators and detailed reporting in Threat ID 8847 and Threat ID 8849.

Stay updated with the latest on Locky, Dridex, malware trends and more with our complimentary PhishMe Threat Alerts – delivered straight into your inbox.

Off-the-shelf Zyklon Botnet Malware Utilized to Deliver Cerber Ransomware
Does your Incident Response Plan include Phishing?

Leave a Reply