locky


We attended the recent VB 2016 conference to present our findings on the development and evolution of Locky ransomware. In that same presentation we also discussed an automation system designed by FortiGuard to extract its configuration and hunt for new variants. Locky-ly (*wink*), while improving the system we couldn’t help but notice another new variant. Actually, aside from the encrypted file name extension change, there are no major developments from the “.odin” variant in this new variant. However, it appears that criminals...
by Floser Bacurio Jr. and Joie Salvio  |  Oct 24, 2016  |  Filed in: Security Research
As a result of our continuous monitoring of the Locky ransomware we discovered a new Locky variant. This variant now appends a “.odin” extension to its encrypted files. This is now the third time that the extension has been changed. Aside from this, in this report we will also examine some of its other minor updates.
It’s not Odin. It’s Locky
The transition from the “.locky” to the “.zepto” extension has caused some confusion in the malware research scene. Due to this update,...
by Joie Salvio and Floser Bacurio Jr.  |  Oct 03, 2016  |  Filed in: Security Research
VB 2016 Presentation – Oct 5-7, Denver
When we first saw and analyzed Locky back in February, we immediately had a hunch that it was the work of seasoned criminals. The tell-tale signs were strong: massive spam runs were used to spread the ransomware, the malware used a domain generation algorithm, the HTTP C2 communication was encrypted (in the first version, that is), and the ransom note was multilingual. The conclusion of our first Locky blog reads: “We also predict that Locky ransomware will be a major player in the ransomware...
by Floser Bacurio, Rommel Joven and Roland Dela Paz  |  Sep 30, 2016  |  Filed in: Security Research
Over the last few months we saw that Locky’s loader uses a seed parameter to execute properly. This method was probably used to evade sandboxing, since the loader will not execute without the correct parameter. Afterwards, we saw Locky shift itself from an EXE to a Dynamic Link Library (DLL). We recently encountered yet another Locky development, where binary strains are using the Nullsoft installer package as their loader. In this post we will delve into how to unpack the final binary payload from its Nullsoft package loader.
Decompressing Locky’s...
by Floser Bacurio Jr. and Kenny Yongjian Yang  |  Sep 12, 2016  |  Filed in: Security Research
The last few weeks saw new variants of the Locky ransomware that employ a new anti-sandbox technique. In these new variants, Locky’s loader code uses a seed parameter from its JavaScript downloader in order to decrypt the embedded malicious code and execute it properly. For example, the downloaded Locky executable is executed by the JavaScript in the following manner: sample.exe 123
Below is a screenshot of it in action: This new trick may pose challenges for automated Locky tracking systems that utilize sandboxing due to the following...
by Floser Bacurio and Roland Dela Paz  |  Jun 30, 2016  |  Filed in: Security Research
FortiGuard Labs uses the data it gathers from its over 2 million security sensors to keep an eye on trends related to ransomware, one of the areas of greatest concern when it comes to cyber security threats today. As a result of this effort, we previously talked about Locky’s rapid rise in prevalence in the first two weeks of its appearance. This time, we have observed yet another new ransomware family – Cerber – rapidly gaining prevalence in the wild. We gathered FortiGuard Intrusion Prevention System (IPS) telemetry...
by Kenichi Terashita and Roland Dela Paz  |  May 26, 2016  |  Filed in: Security Research
Back when I was in college, I remember one day our class asked our programming professor, “how do we create a virus?” Understandably, our professor refused to answer the question. However, after some persuading, he eventually agreed to give us one example. It looked like this: del C:\\*.* Suddenly, the class was enlightened. More than that, I was personally astounded. How could a single line of code do so much damage? Fast forward to today, and I am still astounded, perhaps for a slightly different reason. I came to realize...
by Roland Dela Paz  |  Apr 12, 2016  |  Filed in: Security Research
If you’ve been listening to the news at all the past couple of weeks, you have undoubtedly heard of a number of companies being affected by ransomware. The recent surge in this form of cyber attack has many organizations and users understandably concerned. And you should be. Ransomware is nasty stuff. But with some careful preparation, you can significantly lower your risk of being infected, and reduce the impact on you or your organization should you get hit.
What is Ransomware?
Ransomware is a form of malware that infects devices,...
by Bill McGee  |  Apr 06, 2016  |  Filed in: Industry Trends & News
The Locky ransomware has shown no signs of slowing down its aggressive activity since it was first observed in mid-February up to the present, and it has already emerged as this year's major threat. The following report on Locky trends within Japan is based on information reported to FortiGuard by FortiGate installations around the world.
Overview
A detailed analysis of the ransomware itself has already been provided to our readers by our FortiGuard researchers. For more details, please see this blog entry. The post starts with a description...
by Kenichi Terashita  |  Apr 05, 2016  |  Filed in: Security Research
Because of the recent outbreak of the Locky ransomware, Dridex has become synonymous with the distribution of ransomware more generally. However, Dridex is still taking good care of its notorious original business: banking Trojans. While preparing the materials for my upcoming HITBAMS2016 talk on kernel exploit hunting and mitigation, I came across this new variant of Dridex (SHA1: 455817A04F9D0A7094038D006518C85BE3892C99), which is rather interesting.
The Master of Antivirus Killers
Based on some simple string checks, we assumed...
by Wayne Chin Yick Low  |  Mar 23, 2016  |  Filed in: Security Research