<p><strong>Analysis of recent Locky ransomware outbreak</strong></p>
<p>Quick Heal Security Labs, 29 September 2017. Source: https://www.quickheal.com/blogs/analysis-recent-locky-ransomware-outbreak/</p>
<p>Quick Heal Security Labs is tracking a new outbreak of the infamous Locky ransomware that kicked off in the last week of September. It began with spam e-mails carrying a variety of subject lines and attachment names. On 26<sup>th</sup> September a spam campaign delivering a new variant of Locky ransomware started; the common factor observed in this campaign was the attachment, a 7z archive (the attachment names typically ended in the ‘.7z’ extension). After 26<sup>th</sup> September we saw many more such instances and it soon turned into a major outbreak. Below are the important aspects of this campaign.</p>
<p><strong>Infection Chain</strong></p>
<p>A typical infection chain starts with a spam e-mail. 
Below is one such spam e-mail used in this campaign:</p>
<p><img src="https://www.quickheal.com/blogs/wp-content/uploads/2017/09/1.png" alt="Spam e-mail with malicious Invoice attachment"></p>
<p style="text-align: center;">Fig 1: Spam e-mail with malicious ‘Invoice’ as an attachment</p>
<p>A few of the subject lines and attachment names observed are:</p>
<p>Subject names:</p>
<ul>
<li>Invoice PIS7316453</li>
<li>03_Invoice_7137</li>
</ul>
<p>Attachment names:</p>
<ul>
<li>InvoicePIS7316453_7z.ANTIVIRUS-34287</li>
<li>001_4410.7z</li>
</ul>
<p>As the list shows, the subject line and attachment name differ from one e-mail to the next, and the archive is not always named with a literal ‘.7z’ suffix. Attackers vary these details so that simple indicators such as subject or file-name block lists on mail gateways and security products do not match every message.</p>
<p>What the e-mails have in common is the 7z archive attachment, which contains the malicious VBS file; when run, the script downloads the ransomware payload and launches it.</p>
<p>Functionally this variant is almost identical to the other Locky variants; the only notable difference is the extension it appends to encrypted files, and that one is interesting. The well-known ‘.locky’ extension is simply reversed to ‘.ykcol’. 
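</p>
<p>The two things that stay constant across these e-mails are the 7z container and the script inside it, so a gateway check should key on the attachment's content rather than on its subject or name. The following Python is an added example written for this article, not Quick Heal's or Seqrite's code: it parses each message with the standard library, reads the first bytes of every attachment and reports any attachment that is really a 7z archive, whatever its declared extension. The messages, sender addresses and archive bytes are constructed for the demo; only the subject lines and attachment names are taken from the post.</p>

```python
"""Mail-gateway triage for the 7z-archive lure used in this campaign.

Added example (not Quick Heal's code). Attachments are classified by
content (the 7z magic bytes), not by the file name the sender chose,
so a disguised suffix such as '.ANTIVIRUS-34287' does not bypass the check.
"""
import email
from email import policy
from email.message import EmailMessage

# Every 7z archive starts with these six bytes ('7z' signature).
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message: one text part plus one binary attachment.

    Sender and recipient are placeholders, not addresses from the campaign.
    """
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def is_7z(data: bytes) -> bool:
    """True when the bytes carry the 7z archive signature."""
    return data[:len(SEVENZIP_MAGIC)] == SEVENZIP_MAGIC


def triage(raw: bytes) -> list:
    """Return one finding per attachment that is really a 7z archive.

    'declared_7z' records whether the file name admitted to being an
    archive; False means the extension was disguised.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if not is_7z(data):
            continue
        findings.append({
            "subject": msg["Subject"],
            "attachment": name,
            "declared_7z": name.lower().endswith(".7z"),
            "size": len(data),
        })
    return findings


if __name__ == "__main__":
    # Constructed stand-in for an archive body: signature plus padding.
    fake_archive = SEVENZIP_MAGIC + b"\x00" * 32
    samples = [
        build_sample("Invoice PIS7316453",
                     "InvoicePIS7316453_7z.ANTIVIRUS-34287", fake_archive),
        build_sample("03_Invoice_7137", "001_4410.7z", fake_archive),
        build_sample("Meeting notes", "notes.txt", b"plain text, not an archive"),
    ]
    for raw in samples:
        for hit in triage(raw):
            print("FLAG", hit)
```

<p>At a real gateway the next step would be to list the archive's members and quarantine any that are scripts (.vbs, .js, .wsf); that needs a 7z library such as py7zr and is left out here. Checking the magic bytes alone already catches the first attachment name above, which does not end in .7z at all.</p>
<p>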
Below is a screenshot of the Locky ransom screen.</p>
<p><img src="https://www.quickheal.com/blogs/wp-content/uploads/2017/09/2.png" alt="Locky ransom screen"></p>
<p style="text-align: center;">Fig 2: Locky ransom screen</p>
<p>An HTML file carrying the same message is also dropped at the root of every drive.</p>
<p><img src="https://www.quickheal.com/blogs/wp-content/uploads/2017/09/3.png" alt="Locky ransom HTML message"></p>
<p style="text-align: center;">Fig 3: Locky ransom HTML message</p>
<p>At the time of writing there is no decryptor for files encrypted by any Locky variant, and this new version is no exception; recovery therefore depends on restoring from clean, offline backups.</p>
<p><strong>Quick Heal &amp; Seqrite protect against this outbreak of Locky ransomware through their multi-layered security offering. 
</strong></p>
<p><strong>Indicators of Compromise</strong></p>
<p>MD5 hashes:</p>
<ul>
<li>b035ddc1f0738c3f90cb5c0b804e1775</li>
<li>efdb6033dccf27fe103b8fc13bc4f2d7</li>
</ul>
<p><strong>Subject Matter Experts</strong></p>
<p>Shalaka Patil | Swapnil Nigade | Shriram Munde</p>
<p>Quick Heal Security Labs</p>
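<p>The post gives three host-side indicators for this variant: the ‘.ykcol’ extension on encrypted files, an HTML ransom note at the root of every drive, and the two MD5 hashes above. The following Python is an added example for incident responders, not Quick Heal's or Seqrite's tooling: it walks a drive (or any directory), collects files with the ‘.ykcol’ extension, reports HTML files sitting at the root, and hashes the remaining files against an IoC set. The post does not name the ransom note file, so any HTML at the root is reported as a candidate; the demo directory, its file names and contents are constructed here and do not come from the campaign.</p>

```python
"""Host triage for the indicators listed in this post.

Added example, not Quick Heal's code. IOC_MD5 holds the two hashes from the
Indicators of Compromise section; sweep() takes the hash set as a parameter
so the demo can run against a constructed directory with its own stand-in.
"""
import hashlib
import os
import tempfile

IOC_MD5 = {
    "b035ddc1f0738c3f90cb5c0b804e1775",
    "efdb6033dccf27fe103b8fc13bc4f2d7",
}


def md5_of(path: str) -> str:
    """Streaming MD5 so large files do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, ioc_md5=IOC_MD5) -> dict:
    """Walk one drive root (or any directory) and collect the three indicators."""
    report = {"encrypted": [], "root_html": [], "ioc_hits": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".ykcol"):
                report["encrypted"].append(path)
                continue                      # ciphertext; hashing it tells nothing
            if dirpath == root and name.lower().endswith((".htm", ".html")):
                report["root_html"].append(path)  # candidate ransom note
            try:
                if md5_of(path) in ioc_md5:
                    report["ioc_hits"].append(path)
            except OSError:
                pass                          # locked or unreadable file
    return report


def build_demo_tree() -> str:
    """Constructed directory standing in for an infected drive.

    File names and contents are invented for the demo; the post does not
    give the ransom note name or the dropper's on-disk name.
    """
    root = tempfile.mkdtemp(prefix="locky-demo-")
    docs = os.path.join(root, "Users", "a", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx.ykcol"), "wb") as f:
        f.write(os.urandom(64))               # stands in for encrypted content
    with open(os.path.join(root, "note.htm"), "w") as f:
        f.write("<html>your files are encrypted</html>")
    with open(os.path.join(root, "Users", "a", "dropper.vbs"), "w") as f:
        f.write("' harmless stand-in for the VBS downloader\n")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    # Add the stand-in dropper's hash so the demo shows an IoC hit too.
    stand_in = md5_of(os.path.join(root, "Users", "a", "dropper.vbs"))
    for key, paths in sweep(root, IOC_MD5 | {stand_in}).items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

<p>On a Windows host this would be run once per drive letter, since the post states the note is written to the root of every drive. Treat the hash hits as the weakest signal: a recompiled dropper changes its MD5 while the ‘.ykcol’ extension and the root-level note describe behaviour the whole campaign shares.</p>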