by RSS Floser Bacurio, Joie Salvio, Rommel Joven  |  Aug 14, 2017  |  Filed in: Security Research

Locky ransomware was first discovered in the first quarter of last year, and immediately became one of the major menaces of 2016, primarily affecting the United States.

Its effective spam delivery mechanism, combined with the constant release of variants with new evasion techniques, helped a lot with its success in the tightly packed ransomware competition. There were so many releases that there even came a point when they created some confusion regarding naming the new variants. The FortiGuard Lion Team discussed an extensive analysis of Locky’s evolution in Locky Strike: Smoking the Locky Ransomware Code, which was presented in VB last year.

Its massive distribution marathon eventually slowed down earlier this year, and we have not seen it in any major malware activity analysis ever since. This could change, however.

Spam Campaign Found in Fortinet’s KTIS

Fig.1 Recent spam campaigns leading to .diablo6 variant

A few days ago, while scouring through Fortinet’s Kadena Threat Intelligence System (KTIS)[1] , we found an emerging spam campaign. Initially, it was the scale that caught our attention, and then it got a lot more interesting when the payload was found out to be a new variant of the infamous Locky.

The image below is a screenshot from KTIS showing the overview of a spam campaign that led to a Diablo6 sample as payload. This illustration is only for one payload, and we found others with similar structure.

Fig.2 Bird’s eye view of the campaign from KTIS

Isolating a branch from the illustration allows us to look at the campaign at a closer level, as shown by the next image. The figure reveals that multiple emails have the same compressed VBS attachment, which when executed, downloads a .diablo6 Locky variant from a compromised URL. The graph also shows that at the time of this writing, two unique (different) hashes of .diablo6 had already been hosted from the URL. This means that newly created samples are being pushed, possibly with different configurations, or simply as an attempt to evade specific file signatures.

 

Fig.3 An isolated link set of spam mails leading to the .diablo6 variant

The next figure is based on another .diablo6 variant identified by KTIS. Only this time, the attachment is a document with a VBA script that downloads the ransomware.

Fig.4 Attached macro-enabled document downloads .diablo6 variant

 

Statistics based from the samples identified by KTIS show that the malicious emails are mostly distributed to the United States and Austria, as seen in the  following map.

Fig.5 Distribution map of the .diablo6 spam

 

Minimal Changes

Fig.6 Ransomware note of .diablo6 variant

There is no significant change in this new variant in terms of its capabilities. It should be noted, however, that this is still the malware that wreaked havoc last year and it’s not that far from doing it again today, if given the chance. And like the older versions of Locky, it is not possible to decrypt files encrypted by this variant

Most of the changes that we have discovered seem to only be attempts to complicate or prolong analysis.

This variant uses jmp instructions extensively, which can be annoying to researchers during debugging. In addition, it also now employs mangled strings that are later joined to form the victim information. This makes it harder to spot the strings during static analysis.

Fig.7 Numerous jmp instructions and mangled strings to complicate analysis

 

Conclusion

It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters. We’ll probably see in the next few weeks or months, or maybe never. We’ll keep watching. In the meantime, since files encrypted by Locky cannot be restored, it is always safe to assume the worst with these ransomware attacks and perform regular backups with proper data isolation.

As always, the FortiGuard Lion Team will continue to monitor Locky’s activity.

 

IOC

https://github.com/fortiguard-lion/LockyIOCs/blob/master/Locky_Diablo6_IOCs.txt

 

[1] Fortinet's Kadena Threat Intelligence System (KTIS) is an interactive platform that extracts contextual information from files, URLs, and other artifacts for more accurate malware identification, fast-tracked analysis, detailed analytics, and easier data correlation.

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.

by RSS Floser Bacurio, Joie Salvio, Rommel Joven  |  Aug 14, 2017  |  Filed in: Security Research