This year, Locky has been one of the most popular ransomware families. According to Avira security experts, now the threat is even capable of encrypting files without connecting to a command and control (C&C) server.
Normally, malware receive regular updates in order to expand their functionality, and Locky is not an exclusion. Since its appearance in February 2016, the threat has seen a number of improvements. Apart from being distributed via spam emails containing Office documents with malicious macros, since March, Locky was seen leveraging JavaScript attachments as well.
In April, this year, Locky ransomware changed communication patterns and started using the Nuclear exploit kit for distribution. A bit later, in May, while still using JavaScript attachments for distribution, Locky was noticed leveraging VBA modules in documents in order to avoid detection by security software.
However, the latest development in Locky’s evolution, makes its detection far more difficult, due to the fact that it enters an offline encryption mode if all attempts to connect to the C&C file. According to the Avira experts, the improvement was registered on July 12, ensuring that the ransomware can still perform its nefarious operations even if its Internet connectivity was blocked.
Locky’s behavior is quite similar to that of Bart ransomware – the malware which came out last month and was associated with the group behind Dridex and Locky. Unlike other threats, Bart didn’t require an Internet connection to perform encryption, but instead, it relied on a distinct victim identifier to inform the operator what decryption key should be used.
Being launched, the latest version of Locky tries to connect to the C&C servers stored in its configuration file, and to the C&C servers from the Domain generation algorithm (DGA) after that. In case it fails, Locky repeats the process for all C&Cs, then it tries a server address from the configuration file. If the second attempt fails too, the malware would enter the offline encryption mode.
“Previously, a system administrator could block all CnC connections and keep Locky from encrypting any files on the system. Those days are over now. Locky has now reduced the chances for potential victims to avert an encryption disaster,” says the specialist at Avira Moritz Kroll.
The Avira security team claims that the offline encryption mode kicks in about one or two minutes after the ransomware is executed, which means that an admin observing the rogue traffic would have very little time to act and shut down the computer before the encryption starts.
Another thing that the experts noticed is that, when in offline mode, Locky ransomware is not able to get a victim-specific public key, because it cannot directly register a victim ID with the server. This means that the threat uses a public key from the configuration file and generates a special ID for payment. However, it also means that the same key is used for all offline encryptions and that, after a victim has paid the ransom for their private key ID, it should be possible to reuse the same key for other victims with the same public key.
Despite being inactive at the beginning of last month, now Locky is back again. According to the F-Secure researchers, the most recent distribution campaigns of Locky hit a new high with more than 120,000 spam emails per hour, which is around 200 times more than normal. Last week, the campaign reached a total of 120,000 spam emails daily between Wednesday and Friday, with a peak of 30,000 hits hourly.
