December 19, 2016

The Many Evolutions of Locky

Nicholas Griffin Security Researcher

First spotted in February 2016, the Locky crypto-ransomware has become a dangerous threat to both large organisations and residential users alike. In this blog we give a brief overview of what Locky is and cover the significant aspects of its infamous history.

What is Locky?

Locky is a crypto-ransomware which aims to infect machines, encrypt sensitive information, and hold the data to ransom by requesting a payment to get the files decrypted.

Locky actors aim to make significant financial gain from successfully extorted users. There appear to be several different actors who utilise and distribute unique builds of Locky, and these are known as "affiliates".

Distribution Methods

Locky has been an almost daily threat plaguing users since February 2016. It is distributed through the use of both exploit kits and e-mail. The Neutrino, RIG and (now defunct) Nuclear exploit kits have all distributed Locky sporadically throughout 2016. The Necurs botnet is the main perpetrator behind the spam e-mails resulting in Locky infections, usually as a result of a malicious Microsoft Office file or a ZIP attachment containing a malicious script.

Locky affiliates have used a number of different file types maliciously in order to initiate a Locky infection including:

  • Microsoft Office (".doc", ".docx", ".xls" etc.) utilising Visual Basic for Applications (VBA)
  • JScript (".js")
  • JScript Encoded (".jse")
  • VBScript (".vbs")
  • Windows Script File (".wsf")
  • Compiled HTML (".chm")
  • HTML Application (".hta")
  • Link Shortcut (".lnk")
  • Windows Executable (".exe")
  • Windows Dynamic Link Library (".dll")
  • Windows Powershell

Secure Encryption Algorithm

Locky encrypts users' files rapidly by using 128-bit AES encryption, and subsequently protecting the key using 2048-bit RSA encryption.

Encrypted files are typically renamed to end with ".locky" although newer variants of Locky result in filenames such as ".zepto", ".odin", ".thor", ".zzzzz" and ".aesir". Locky was updated in July 2016 to support offline encryption mode, meaning that network traffic was no longer required in order to perform secure file encryption.

Command-and-Control (C&C)

Locky is able to generate and keep track of unique RSA keys for each infected machine. It does this by contacting its C&C to report in and obtain the key.

On July 12, 2016 an offline encryption feature was added whereby an RSA key is embedded inside the malware in case it is unable to communicate with its C&C and obtain a key.

Ransom Payment

Users' files are held to ransom until payment is made for a unique decryption utility. Locky requires users to pay using the anonymous Bitcoin (BTC) currency, which helps to hide the Locky affiliates' identities from law enforcement. Typically the amount requested is between 0.5 to 1 BTC, which is roughly the equivalent of around 400 to 800 USD.

Over the course of 2016 Locky has grown to support a wide range of languages for its payment pages. As of December 2016 Locky is able to display this page in 30 different languages.

Timeline of Locky

February - Locky is Born

  • On February 15 the first samples of Locky were seen. After its birth Forcepoint were the first to expose the inner workings of the Locky domain generation algorithm (DGA) used for C&C communication:


    The release of this blog caused the actor(s) to put a stop to their activities for a few days, spurring them to improve their DGA. A few days later on February 24 Locky returned with a new and improved DGA, and once again we exposed it.

    This new update also included the ability for Locky to identify Russian language machines, refusing to encrypt them.

May - Distribution Issues

  • On May 31 the Necurs botnet went down and as a result Locky all but disappeared.

June -  Back to Business & Zepto Variant

  • On June 21 Locky returned in full force with brand new anti-analysis tricks. The payloads were now encrypted with unique keys which were decrypted and run by the JS downloaders. The payloads themselves also began to require a command line argument in order to execute properly. Both of these tricks were designed to trip up automated security tools.

    We documented one of the more interesting anti-analysis tricks employed within Locky itself:

  • On June 27 the first Zepto variants of Locky were seen, using the ".zepto" filename extension instead of ".locky". These appear to have been used exclusively by Locky affiliate 3.

July - Offline Encryption

  • On July 12 Locky added support for offline encryption using embedded RSA keys in case the malware is unable to communicate with its C&Cs.

September - Experimenting with new Ideas

  • On September 5 some Locky samples stopped using C&Cs altogether, instead relying solely on the offline encryption mode.
  • On September 12 Locky affiliate 3 used a brand new intermediary trojan downloader which Forcepoint identified as "Quant Loader". This had been first advertised on Russian underground forums at the beginning of September:

  • On September 26 the first Odin variants of Locky were seen, using the ".odin" filename extension instead of ".locky" or ".zepto". Once again these appear to have been used exclusively by Locky affiliate 3.

October - Taking a Break

  • On October 7 the most prevalent Locky actors (affiliates 1 and 3) went quiet. We can only speculate as to why this may have been - spending their money, taking a vacation, or issues with their distribution. Other Locky affiliates such as 5 and 23 remained active in low volumes.
  • On October 24 Locky affiliates 1 and 3 made a full return, with affiliate 3 once again changing filename extension to ".shit". Since this date both affiliates have consistently made use of C&Cs again rather than relying solely upon offline encryption.
  • On October 25 some Locky affiliates started using the filename extension ".thor".

November / December - C&C Traffic Changes

  • On November 21 some Locky affiliates began using C&C URLs ending with ".cgi" instead of the usual ".php", such as hxxp://<IP-or-DGA-domain>/information.cgi. These affiliates also switched from the ".thor" filename extension to ".aesir".
  • On November 29 Locky ".aesir" affiliates started using the filename extension ".zzzzz".
  • On December 5 the ".zzzzz" Locky affiliates stopped using file extensions on their C&C URLs altogether, and switched to using the filename extension ".osiris".


What Does the Future Hold?

We do not expect Locky to disappear any time soon. and we will continue to monitor and track changes to Locky variants. We expect to see the actors continuing to improve the malware's features, means of distribution, obfuscation, and anti-analysis tricks.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.