Locky ransomware is the top encryption virus of 2016. Throughout the year, the developers of the malicious program have made many changes to its code and specifications. Most modifications switch the file extension appended to encrypted files. The last couple of times the operators of Locky decided to make changes, they named the file extensions after mythological deities.
After naming the custom suffix after a Norse god, they switched to an Egyptian god with the latest modification. Yesterday, independent researcher R0bert R0senb0rg reported that he had discovered a version of Locky which uses the OSIRIS file extension. Later that day, the propagation vector of the virus was revealed by another researcher, registered as operations6 on Twitter.
The latest Locky variant uses Excel email attachments containing malicious macros capable of downloading and installing the program. Malware analyst Jiri Kropac was able to detect spam emails which spread the virus. The messages talk about an invoice; the subject line contains the phrase Invoice Inv[random numbers]. The Locky attachment is titled Invoice_Inv[random numbers].xls.
It would appear that the hackers behind Locky overlooked a detail when devising the spreadsheet. For the first time since the program’s inception, there is a clue about their origin. The document has one sheet, titled Лист1. To explain, “лист” is the word for “sheet” in several Slavic languages: Russian, Bulgarian, Ukrainian, Serbian and Macedonian. Unless this is just an elaborate hoax, the cyber criminals are probably from one of these countries.
When the user opens the spreadsheet, they are asked to enable macros in order to view its contents. The document shown is blank. Allowing the macro to run leads to Locky being downloaded and installed on the computer.
The first step of the process is to launch a VBA macro. It downloads a DLL file, and the Rundll32.exe program is used to execute it. Rundll32.exe is a legitimate Windows component which the system requires to run properly. Hackers often abuse it to download and install malware on the computer.
The malicious DLL file is downloaded to the %Temp% folder. It is disguised with a bogus file extension. The hackers use a command to execute the malicious installer. The bogus file extension and the command can vary between cases. Researchers have identified an installer which uses the SPE suffix and the following command line: rundll32.exe C:\Users\User\AppData\Local\Temp\shtefans1.spe,plan
When Locky has been installed on the targeted machine, it commences its usual processes. The virus encrypts the vulnerable file types. The infected items are marked with the OSIRIS file extension and the ID number the ransomware has assigned to the victim. All infected files are renamed following the same pattern. Locky utilizes the following formula: [8 hexadecimal characters]-[4 hexadecimal characters]-[4 hexadecimal characters]-[8 hexadecimal characters]-[12 hexadecimal characters].osiris.
After the encryption has been completed, the program drops four ransom notes. They inform victims about the actions of the virus and state the demands of the cyber criminals. The names of the ransom notes have been changed for this variant of Locky ransomware. They are titled DesktopOSIRIS.bmp, DesktopOSIRIS.htm, OSIRIS-[4 numbers].htm and OSIRIS-[4 numbers].htm.
The ransom notes whose names begin with “Desktop” are not placed on the user’s desktop. This is a mistake made by the developers of the program. They should have been stored on the desktop under the names OSIRIS.bmp and OSIRIS.htm. The explanation is that the coders forgot to add a trailing backslash after the word “Desktop”. As a result, the notes are stored in the %UserProfile% directory with “Desktop” prepended to their designated names.
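The rundll32 launch of a non-DLL module from %Temp%, the 8-4-4-8-12 .osiris naming pattern and the misplaced "Desktop"-prefixed ransom notes described above are all things a responder can check for. The following is an added example (not code from the article or from any researcher it cites) that turns those observations into triage checks; the file listing and command lines it runs on are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Encrypted-file name described in the article: five hex groups of
# 8-4-4-8-12 characters followed by the .osiris extension.
OSIRIS_NAME_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{12}\.osiris$"
)

# Ransom note names, including the misplaced "Desktop"-prefixed variants.
RANSOM_NOTE_RE = re.compile(r"^(?:Desktop)?OSIRIS(?:-\d{4})?\.(?:bmp|htm)$", re.IGNORECASE)


def is_osiris_encrypted_name(filename: str) -> bool:
    """True if the file name matches the Locky OSIRIS renaming pattern."""
    return bool(OSIRIS_NAME_RE.match(filename))


def is_suspicious_rundll32(cmdline: str) -> bool:
    """Flag rundll32 loading a module from a Temp folder whose extension is not .dll.

    rundll32 syntax is '<module path>,<export name> [args]', which is what the
    shtefans1.spe,plan command line in the article uses."""
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2 or PureWindowsPath(parts[0]).name.lower() != "rundll32.exe":
        return False
    module, _, export = parts[1].partition(",")
    path = PureWindowsPath(module.strip().strip('"'))
    in_temp = any(p.lower() == "temp" for p in path.parts)
    return in_temp and path.suffix.lower() != ".dll" and bool(export.strip())


def scan_listing(entries):
    """entries: iterable of (directory, filename). Returns encrypted files and ransom notes found."""
    encrypted, notes = [], []
    for directory, name in entries:
        full = str(PureWindowsPath(directory, name))
        if is_osiris_encrypted_name(name):
            encrypted.append(full)
        elif RANSOM_NOTE_RE.match(name):
            notes.append(full)
    return {"encrypted": encrypted, "ransom_notes": notes}


# Constructed sample listing (hypothetical user profile, not real data).
SAMPLE_LISTING = [
    (r"C:\Users\User\Documents", "A1B2C3D4-E5F6-0718-293A4B5C-6D7E8F901234.osiris"),
    (r"C:\Users\User\Documents", "budget.xlsx"),
    (r"C:\Users\User", "DesktopOSIRIS.htm"),   # note landed in %UserProfile%, not Desktop
    (r"C:\Users\User", "DesktopOSIRIS.bmp"),
    (r"C:\Users\User\Documents", "OSIRIS-1234.htm"),
]
```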
As we alluded to earlier, Locky has withstood the test of time. The ransomware’s code has not been broken to date. The only way users may be able to restore their data without paying the ransom is by using the Shadow Volume Copies of the encrypted files. The virus will try to delete them, but it may fail. There are several tools which can assist in the file recovery, including ShadowExplorer, Recuva, Puran File Recovery, Disk Drill and Glary Undelete.