Locky is a new cyberthreat that has received a lot of attention in security circles over the last few months because it has been unusually successful. Locky is advanced ransomware that encrypts a person’s files and holds them for ransom. It uses a number of different technologies to avoid being detected or blocked and takes great care to hide its path back to the attackers. The code is obfuscated to avoid detection by antivirus and malware software. The blackmailers communicate through TOR and only accept Bitcoin as payment, making it nearly impossible to discover who they are.
Delivered through aggressive spam campaigns (typically claiming to be an invoice) Locky has had a surprisingly high infection rate. This may be due to intensive social media scraping to improve message targeting (sort of like an automated version of spear phishing). Despite built-in warnings about the dangers of enabling macros, and years of commentary about not clicking on anything in unknown emails, Locky manages to entice even trained IT staff to activate downloads by clicking on obscured messages.
Once a download has completed, Locky needs to connect with its Command & Control (C&C) to get a public key to use for encryption. There are three known mechanisms for Locky to reach its C&C hosts: the first is direct IP communication; the second is a number of fixed domains; and the third is a time-based Domain Generation Algorithm (DGA) that creates a set of random-looking domains that are only valid for a few days. A primary part of Nominum’s security research is identifying C&C connection mechanisms. When these communications are blocked Locky can’t obtain encryptions keys, so infected users are temporarily protected.
The DGA used by Locky to generate domains and get encryption keys is seeded with the current time period and a secret key, making it much harder to block new domains quickly. Locky changes keys frequently, and reverse engineering current versions of the malware to discover each new key takes time. Every key change extends the life of the exploit, so until there is an accurate way to identify traffic associated with Locky, it can’t be permanently blocked.
Nominum Data Science uses a worldwide feed of anonymized DNS queries along with proprietary anomaly detection and correlation technology to identify suspected domains used by Locky to download encryption keys in real time. ForcePoint has done some work to reverse engineer the DGA used by Locky. By using the existing DGA and conducting some additional processing of suspect domains, it’s possible to quickly determine new seeds used by Locky—and then enumerate all of the potential new domains Locky will use in the near future.
Locky currently has four active seeds. The most recent two are shown below along with a sample of the corresponding domains they generate that appeared May 31 (there are other active seeds, but these are the two latest):
Domains generated by seed 7773
Domains generated by seed 9056
Using the reverse engineered DGA and additional algorithmic processing, Nominum Data Science identifies new C&C domains used by Locky to get encryption keys and adds them to N2 ThreatAvert block lists. Service providers that use Nominum N2 ThreatAvert can protect their subscribers from having their files encrypted. Currently, this is the best defense against Locky. N2 Secure Consumer also blocks known Locky download domains, which proactively protects subscribers from getting infected with Locky malware.
Locky provides ample evidence that attackers are continuously innovating. Staying one step ahead requires deep expertise and real-time processing of massive, worldwide data sets to uncover malicious activity. Nominum Data Science has a long track record of identifying new threats—from malware, to DNS-based DDoS, to DNS tunnels that are used to steal service. N2 ThreatAvert takes advantage of this advanced research to provide accurate, automated and adaptive protections for both networks and subscribers.