Locky ransomware virus spreading via Word documents
Updated 17th February 2016 at 1pm GMT
The email users get look a bit like this:
Attached is an Invoice Word document. It talks about remit payments. Virustotal here.
If Office macros are enabled it drops ladybi.exe, Virustotal here.
AV coverage is very poor - after over 24 hours in the wild, only 3 very niche vendors detect it. Update: most major antivirus products now detect, with the latest updates.
That loads itself into memory, deletes itself, encrypts your documents as hash.locky files, changes the desktop wallpaper, drops a .bmp file and opens it, drops a .txt file and opens it, and delete VSS snapshots. Encrypted files can include network files.
I have intercepted one of the unregistered domain names, which has given me visibility of infected networks.
Here is a very small sample of the spread:
Please note the Locky delivery email is translated to various languages, and localised per region.
I am seeing around 4000 new infections per hour (from one of many domain names used by the software), or approximately 100,000 new infections per day (on the 3rd day of distribution). Because I can only see a portion of the traffic I believe the real numbers will be higher. The amount of connections (which occur on encryption) are vast and suggest this is a highly successful and damaging attack.
To recover your files you need to look for backups. If your backups are network based, you may have a problem as these may also be ransomed. I do not recommend paying ransoms.
Identifying infected network users
If you see .locky extension files appearing on your network shares, look up the file owner on _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.
I strongly recommend you look into securing Microsoft Office in your environment. You can do this with half an hours work — if you fail to do this step, you will keep getting hit.
Communication via hxxp://126.96.36.199/main.php
Attempt to contact domains xfyubqmldwvuyar.yt, luvenxj.uk, kpybuhnosdrm.in, dkoipg.pw - these currently aren’t registered.
Creates registry key HKEY_CURRENT_USER\Software\Locky
Payload SHA256 17c3d74e3c0645edb4b5145335b342d2929c92dff856cca1a5e79fa5d935fec2 - Sophos will later today detect as Troj/Ransom-CGR
Dropper SHA256 97b13680d6c6e5d8fff655fe99700486cbdd097cfa9250a066d247609f85b9b9 - Sophos will later today detect as Troj/DocDl-BAI