Published on: 14 March, 2018
Multiple malicious JS files were reported attempting to download and install LOCKY RANSOMWARE on client machines.
When executed successfully, the script attempts to download a payload from its C2 server using an HTTP GET request.
The downloaded payload is installed and executed from "%TEMP%\<Random>.exe".
- getraenke-weichmann[[D0T] ]de/65JKjbh??RfMAqBR=RfMAqBR
- gmstandard[D0T] org/ersfy65??rvLmLreIQu=rvLmLreIQu
- galvestonbusiness[D0T] com/ /ersfy65??lpFPyL=lpFPyL
- mm7758[D0T] com/89yhFA?
- 74jhdrommdtyis[[D0T] ]net/af/89yhF
- apositive[D0T] be/y872ff2f?
- dbr663dnbssfrodison[D0T] net/af/y872ff2f
- themeastralgratuit[D0T] com/y872ff2f?
- dbr663dnbssfrodison[D0T] net/af/y872ff2
- oyasinsaat[D0T] com[D0T] tr/86hHYU6?" "74jhdrommdtyis[D0T] net/af/86hHYU6
The malware gathers the following information about the victim's system: Operating system version OS architecture Local language ==>To determine the language of the ransom note Unique identifier
The victim's system information is collected and stored in the following value format:
Sample data collected:
The malware computes a hash of the victim's data and uses a custom algorithm to encrypt and encode
the victim's data before exfiltration using an HTTP POST request. The POST data contains the hash
value and the victim's data.The malware encrypts the local files on the victim's system and network
shares using the RSA-2048 and AES-128 ciphers. It renames the encrypted files to random characters
appended with a ".lukitus" extension using the following format:
Format [8 random characters]-[4 randomcharacters]-[4 random characters]-[8 random characters]-[12 random characters].lukitus
Encrypted file name format:
The malware displays a ransom note with payment instructions on how to decrypt the encrypted files.
- 243efa57c6d17ed6285f68b2dad78a74 (JPEG_0103.vbs)
- 29527cf9d27e9f12268af4e5a94bf0a5 (E 2017-08-09 (589).vbs)
- 2b831b0f953cdba1ca13a920e09e9639 (20170821_05460100.js)
- 4d77dc45d29b4fa909e591ac8081cb44 (20170822_02715200.js)
- 8b15a0bb16fe9f1e1e93ca177555d1ff (9705970902.vbs)
- ace1f1af625baee0e31f313be01990aa (E 2017-08-09 (808).vbs)
- 609e3dc8946d82e7761012a6f2f408 (20170822_02346800.js)
- e35c9d795e7fb1db54465ef46d70efe6 (86hHYU6)
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process.
- Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)
- Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
- Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths.
- Ransomware sample drops and executes generally from these locations.
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems begin. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
- Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
- Consider encrypting the confidential data as the ransomware generally targets common file types.