by Floser Bacurio, Joie Salvio, Rommel Joven and Jasper Manuel  |  Sep 21, 2017  |  Filed in: Security Research

While FortiGuard Labs was preparing another presentation on our Locky research for the Black Alps cyber security conference this coming November in Switzerland, Fortinet’s Kadena Threat Intelligence System (KTIS)[1] caught another Locky variant using a new extension: “ykcol”, which is “locky” spelled backwards.

Locky has been stepping up its game over the past few months after going dark during the first half of 2017. Just like the old days, this new variant is distributed through massive volumes of malicious spam email campaigns, which are usually named after the extension the variant uses for encryption. In this case, it uses “ykcol”.

Fig 1. Encrypted files with ‘.ykcol’ extension

Multiple Spam Waves

With the data collected from KTIS, we identified multiple spam waves of this new variant over the past three days. In fact, as we write this article, new waves with behavior similar to the previous spam waves are still being discovered by our system. The table below shows a comparison between these waves.

Table 1. Comparison of the spam waves

The following generalizations can be made based on this data:

  1. Emails in the same wave have the same email subject and attachment filename format (except for the fifth wave, which had two sets of email subjects and attachments).
  2. Each wave has its own set of compromised hosts, each appended with the same URI (see the IOC section for the full list of related URLs).
  3. At any given point in time, compromised URLs in the same wave lead to the same Locky sample when downloaded.
  4. A wave can deliver Locky samples with either online or offline encryption. Locky samples coming from the same wave that are capable of online encryption use the same C&C servers.
  5. All Locky samples analyzed in this campaign were distributed with an affiliate ID: 3. This affiliate has been observed distributing Locky through spam emails containing an attached compressed JS or VBS downloader since last year.
  6. Two spam waves were delivered per day.

Another interesting observation concerns the email subject “Message from km_c224e” from the second wave. This same subject was also used in other malware campaigns delivering Dridex and Jaff ransomware, which implies that one group may be responsible for these distributions.

As always, in an attempt to evade traditional signature detections, threat actors behind Locky repack and rehash the samples regularly.

Fig 2. Malicious URL leads to different “.ykcol” samples
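The two observations above, that every host in a wave serves the same URI and that the payload behind that URI is repacked and rehashed regularly, translate directly into a detection rule: match on the shared URI path rather than only on file hashes. The following Python script is an added example and not Fortinet’s or KTIS’s code. It groups a subset of the download URLs from this post’s IOC section by their shared URI, then classifies constructed proxy log lines (not from the post) by hash first and by wave URI second. The choice of the last path segment as the wave key (so that `/p66/87thiuh3gfDGS` and `/87thiuh3gfDGS` fall into the same wave) and the log line format are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defanged download URLs copied from the IOC section of this post (a subset).
# "hxxp" is the conventional defanging of "http" so that the list is not clickable.
IOC_URLS = """
hxxp://miliaraic.ru/p66/87thiuh3gfDGS
hxxp://troyriser.com/87thiuh3gfDGS
hxxp://yildizmakina74.com/87thiuh3gfDGS
hxxp://targeter.su/p66/DKndhFG72
hxxp://wiskundebijles.nu/DKndhFG72
hxxp://asiaresearchcenter.org/JGHldb03m
hxxp://bnphealthcare.com/JGHldb03m\t
hxxp://68.171.49.151/RSkfsNR7
"""

# One of the SHA-256 hashes listed in the IOC section of this post.
KNOWN_HASHES = {
    "ece3de389dbe55f0810bbc2ee8f86e257af852e8817ade55afa2e02e0bac2db4",
}

# Constructed proxy log lines (not from the post): the second line models a
# repacked sample (unknown hash) served from a new compromised host.
PROXY_LOG = [
    "2017-09-19T08:12:01Z 10.0.0.15 GET http://troyriser.com/87thiuh3gfDGS "
    "sha256=ece3de389dbe55f0810bbc2ee8f86e257af852e8817ade55afa2e02e0bac2db4",
    "2017-09-19T09:40:17Z 10.0.0.22 GET http://new-compromised-host.invalid/87thiuh3gfDGS "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "2017-09-19T09:41:03Z 10.0.0.22 GET http://www.example.com/index.html "
    "sha256=1111111111111111111111111111111111111111111111111111111111111111",
]

LOG_RE = re.compile(r"GET (\S+) sha256=([0-9a-f]{64})")


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp://, hxxps://, [.]) back into a URL for matching."""
    url = url.strip()
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def wave_key(url: str) -> str:
    """Assumption for this example: the last path segment is the URI shared by a
    wave, so /p66/87thiuh3gfDGS and /87thiuh3gfDGS both map to '87thiuh3gfDGS'."""
    path = urlsplit(refang(url)).path
    return path.rstrip("/").rsplit("/", 1)[-1]


def group_by_wave(ioc_text: str) -> dict[str, list[str]]:
    """Group compromised hosts by the URI they share: one group per spam wave."""
    waves: dict[str, list[str]] = defaultdict(list)
    for line in ioc_text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = urlsplit(refang(line)).hostname
        waves[wave_key(line)].append(host)
    return dict(waves)


def classify(log_line: str, waves: dict[str, list[str]], known_hashes: set[str]) -> str:
    """'hash' if the payload hash is already known, 'wave-uri' if only the shared
    URI matches a known wave (repacked sample or new host), otherwise 'clean'."""
    m = LOG_RE.search(log_line)
    if not m:
        return "unparsed"
    url, digest = m.groups()
    if digest in known_hashes:
        return "hash"
    if wave_key(url) in waves:
        return "wave-uri"
    return "clean"


if __name__ == "__main__":
    waves = group_by_wave(IOC_URLS)
    for uri, hosts in waves.items():
        print(f"wave {uri}: {len(hosts)} host(s): {', '.join(hosts)}")
    for line in PROXY_LOG:
        print(classify(line, waves, KNOWN_HASHES), "<-", line.split(" GET ")[1].split()[0])
```

The second log line is the case the post describes: a fresh hash on a host not yet in any feed, which a hash-only check misses but the wave URI still catches. Hosts grouped per wave can be fed to a web filter as a block list, and the URI keys to a proxy rule.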

Feedback from our Fortinet systems shows that the United States is the top affected country. This data only reflects the number of visits to Locky’s C&C servers, which means that the variants with offline encryption are not included in these statistics.

Fig 3. Top countries affected by Locky with online encryption

Minor Changes

Aside from the filename extension change, Locky has aligned its decryption price with the increasing price of bitcoin. From the previous ransom of 0.5 BTC, they are now asking for 0.25 BTC, or ~1000 USD.

Fig 4. Locky decryptor priced at 0.25BTC

Here is the updated list of all Locky extensions seen so far.

Table 2. List of Locky extensions

Solution

  1. FortiMail blocks all spam emails.
  2. FortiGuard Antivirus service detects Locky (.ykcol) samples as W32/Locky.FWSD!tr.ransom.
  3. FortiGuard Webfilter service blocks and tags all download URLs as malicious.
  4. FortiSandbox rates the Locky samples as High Risk.

Conclusion

Despite a few minor alterations, Locky is still the same dangerous ransom malware from a year ago. It has the capabilities and distribution network necessary to cause significant damage to any system unfortunate enough to be hit by it.

Over the past few months, we have seen it distributing massive spam campaigns and we don’t see it slowing down any time soon.

-= FortiGuard Lion Team =-

IOC

Locky Hashes:
ece3de389dbe55f0810bbc2ee8f86e257af852e8817ade55afa2e02e0bac2db4
614bfea6b81f56b59bd0f2222b65b57571796245a7886a8e31be8a3ccd0e5617	
da386efced7535a1262ae9ede6988e27bdc6fca3411da14e6db02158aa37a5c9
59ec54fb9b1d3415b54558977e3640b81bb3ebebdb61af3fc772e308c6b8eb3a
302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418

C&C:

91.191.184.158
195.123.218.226

URL Download of Locky:

hxxp://miliaraic.ru/p66/87thiuh3gfDGS
hxxp://troyriser.com/87thiuh3gfDGS
hxxp://yildizmakina74.com/87thiuh3gfDGS
hxxp://unifiedfloor.com/87thiuh3gfDGS
hxxp://w4fot.com/87thiuh3gfDGS
hxxp://web-ch-team.ch/87thiuh3gfDGS
hxxp://saitis.eu/87thiuh3gfDGS
hxxp://grovecreative.co.uk/87thiuh3gfDGS
hxxp://www.elitecommunications.co.uk/87thiuh3gfDGS
hxxp://cedipsa.com/87thiuh3gfDGS
hxxp://abelfaria.pt/87thiuh3gfDGS
hxxp://lanzensberger.de/87thiuh3gfDGS
hxxp://pielen.de/87thiuh3gfDGS
hxxp://qstom.com/87thiuh3gfDGS

hxxp://targeter.su/p66/DKndhFG72 
hxxp://wiskundebijles.nu/DKndhFG72
hxxp://lasdamas.com/DKndhFG72
hxxp://v-chords.de/DKndhFG72
hxxp://petromarket.ir/DKndhFG72
hxxp://accountingservices.apec.org/DKndhFG72
hxxp://autoecoleeurope.com/DKndhFG72
hxxp://dmlex.adlino.be/DKndhFG72
hxxp://wenger-werkzeugbau.de/DKndhFG72
hxxp://cornyproposals.com/DKndhFG72
hxxp://autoecolekim95.com/DKndhFG72
hxxp://pnkparamount.com/DKndhFG72
hxxp://montecortelhas.com/DKndhFG72
hxxp://walkama.net/DKndhFG72
hxxp://georginabringas.com/DKndhFG72
hxxp://eurecas.org/DKndhFG72
hxxp://demopowerindo.com/DKndhFG72

hxxp://asiaresearchcenter.org/JGHldb03m
hxxp://bnphealthcare.com/JGHldb03m	
hxxp://conxibit.com/JGHldb03m	
hxxp://cxwebdesign.de/JGHldb03m	
hxxp://diakoniestation-winnenden.de/JGHldb03m	
hxxp://download.justowin.it/JGHldb03m	
hxxp://ecofloraholland.nl/JGHldb03m	
hxxp://felixsolis.mobi/JGHldb03m	
hxxp://foodbikers.ch/JGHldb03m	
hxxp://gui-design.de/JGHldb03m	
hxxp://highpressurewelding.co.uk/JGHldb03m	
hxxp://housecafe-essen.de/JGHldb03m	
hxxp://ycgrp.jp/JGHldb03m	
hxxp://arsmakina.org/JGHldb03m
hxxp://g-peer.at/JGHldb03m
hxxp://teracom.co.id/JGHldb03m

hxxp://globalmitrateknik.com/y873fhn3iur
hxxp://hkwatercolors.com/y873fhn3iur	
hxxp://slbjuris.fr/y873fhn3iur	
hxxp://dealer.my-beads.nl/y873fhn3iur	
hxxp://lowlender.com/y873fhn3iur	
hxxp://mebel.wladimir.ru/y873fhn3iur	
hxxp://land-atlanta.net/y873fhn3iur	
hxxp://keener-music.com/y873fhn3iur	
hxxp://hydrodesign.net/y873fhn3iur	
hxxp://edificioviacapital.com.br/y873fhn3iur	
hxxp://dkck.com.tw/y873fhn3iur
hxxp://countryhome.dmw123.com/y873fhn3iur

hxxp://pyefittedfurniture.co.uk/RSkfsNR7	
hxxp://digiviews.co.uk/RSkfsNR7	
hxxp://hard-grooves.com/RSkfsNR7	
hxxp://hellonwheelsthemovie.com/RSkfsNR7	
hxxp://ryterorrephat.info/af/RSkfsNR7	
hxxp://rockrak.com/RSkfsNR7	
hxxp://viwa.homelinux.com/RSkfsNR7
hxxp://mariamandrioli.com/RSkfsNR7	
hxxp://68.171.49.151/RSkfsNR7	
hxxp://wilvreeburg.nl/RSkfsNR7

hxxp://9ninewright.net/slehGTexc	
hxxp://PamelaSparrowChilds.com/slehGTexc
hxxp://teck.fr/slehGTexc	
hxxp://weddingcarsbury.co.uk/slehGTexc	
hxxp://a-host.co.uk/slehGTexc	
hxxp://ryterorrephat.info/af/slehGTexc
hxxp://adaliyapi.com/slehGTexc	
hxxp://121-psychic-reading.co.uk/slehGTexc	
hxxp://weddingcarsrochdale.co.uk/slehGTexc
hxxp://2-wave.com/slehGTexc	
hxxp://3e.com.pt/slehGTexc	
hxxp://4advice-interactive.be/slehGTexc	
hxxp://rasbery.co.uk/slehGTexc	
hxxp://ahtwindowcleaning.co.uk/slehGTexc	
hxxp://robinsonfun.pl/slehGTexc

[1] Fortinet's Kadena Threat Intelligence System (KTIS) is an interactive platform that extracts contextual information from files, URLs, and other artefacts for more accurate malware identification, fast-tracked analysis, detailed analytics, and easier data correlation.

