LOCKY RANSOMWARE  





Published on: 14 March, 2018

Multiple malicious JS files were reported attempting to download and install LOCKY RANSOMWARE on client machines. When executed successfully, the script attempts to download a payload from its C2 server using an HTTP GET request. The downloaded payload is installed and executed from "%TEMP%\.exe".

GET Requests:


  1. getraenke-weichmann[[D0T] ]de/65JKjbh??RfMAqBR=RfMAqBR
  2. gmstandard[D0T] org/ersfy65??rvLmLreIQu=rvLmLreIQu
  3. galvestonbusiness[D0T] com/ /ersfy65??lpFPyL=lpFPyL
  4. mm7758[D0T] com/89yhFA?
  5. 74jhdrommdtyis[[D0T] ]net/af/89yhF
  6. apositive[D0T] be/y872ff2f?
  7. dbr663dnbssfrodison[D0T] net/af/y872ff2f
  8. themeastralgratuit[D0T] com/y872ff2f?
  9. dbr663dnbssfrodison[D0T] net/af/y872ff2
  10. oyasinsaat[D0T] com[D0T] tr/86hHYU6?" "74jhdrommdtyis[D0T] net/af/86hHYU6

The malware gathers the following information about the victim's system: Operating system version OS architecture Local language ==>To determine the language of the ransom note Unique identifier The victim's system information is collected and stored in the following value format:

Format:


&act=getkey&affid=.unknown..&serv=..&lang=..&corp=..&x64=..&v=2..&os=..&sp..id

Sample data collected:


id=497E2246AB86E112&act=getkey&affid=3&lang=en&corp=0&serv=0&os=Windows+7&sp=1&x64=0&v=2

The malware computes a hash of the victim's data and uses a custom algorithm to encrypt and encode the victim's data before exfiltration using an HTTP POST request. The POST data contains the hash value and the victim's data.The malware encrypts the local files on the victim's system and network shares using the RSA-2048 and AES-128 ciphers. It renames the encrypted files to random characters appended with a ".lukitus" extension using the following format:
Format [8 random characters]-[4 randomcharacters]-[4 random characters]-[8 random characters]-[12 random characters].lukitus

Sample observed:


"RJ9EZSP9-ZB0G-1N0A-738261A4-CC3BAB15B694.lukitus"

Encrypted file name format:


"RJ9EZSP9-ZB0G-1N0A-738261A4-CC3BAB15B694.lukitus"
The malware displays a ransom note with payment instructions on how to decrypt the encrypted files.

IOC's:


  1. getraenke-weichmann.de
  2. gmstandard.org
  3. galvestonbusiness.com
  4. mm7758.com
  5. 74jhdrommdtyis.net
  6. dbr663dnbssfrodison.net
  7. apositive.be
  8. themeastralgratuit.com
  9. oyasinsaat.com.tr

IP's:


  1. 3.138.80.111
  2. 1.47.74.104
  3. 6.17.141.70
  4. 08.167.146.54
  5. 4.77.102.100
  6. 4.73.148.80
  7. 92.162.103.118
  8. .187.5.171
  9. 2.202.201.8
  10. 31.202.130.9
  11. 91.234.35.106
  12. 83.217.8.61

MD5 Hashes:


  1. 243efa57c6d17ed6285f68b2dad78a74 (JPEG_0103.vbs)
  2. 29527cf9d27e9f12268af4e5a94bf0a5 (E 2017-08-09 (589).vbs)
  3. 2b831b0f953cdba1ca13a920e09e9639 (20170821_05460100.js)
  4. 4d77dc45d29b4fa909e591ac8081cb44 (20170822_02715200.js)
  5. 8b15a0bb16fe9f1e1e93ca177555d1ff (9705970902.vbs)
  6. ace1f1af625baee0e31f313be01990aa (E 2017-08-09 (808).vbs)
  7. 609e3dc8946d82e7761012a6f2f408 (20170822_02346800.js)
  8. e35c9d795e7fb1db54465ef46d70efe6 (86hHYU6)

Recommendations:


  1. Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process.
  2. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  3. Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)
  4. Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
  5. Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths.
  6. Ransomware sample drops and executes generally from these locations.
  7. Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems begin. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
  8. Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  9. Consider encrypting the confidential data as the ransomware generally targets common file types.