Win32/Filecoder.Locky [Threat Name]

Win32/Filecoder.Locky.A [Threat Variant Name]

Category trojan
Size 139776 B
Detection created Feb 17, 2016
Detection database version 13043
Aliases Ransom:Win32/Locky.A (Microsoft)
  Trojan.Win32.Reconyc.ffmh (Kaspersky)
Short description

Win32/Filecoder.Locky.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or decryption instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\svchost.exe

The file is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Locky" = "%temp%\svchost.exe"

Payload information

Win32/Filecoder.Locky.A is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .123
  • .602
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .7z
  • .aes
  • .ARC
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .bak
  • .bat
  • .bmp
  • .brd
  • .c
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .CSV
  • .db
  • .dbf
  • .dch
  • .dif
  • .dip
  • .djv
  • .djvu
  • .DOC
  • .docb
  • .docm
  • .docx
  • .DOT
  • .dotm
  • .dotx
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .h
  • .hwp
  • .ibd
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .ms11
  • .ms11 (Security copy)
  • .MYD
  • .MYI
  • .NEF
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .PAQ
  • .pas
  • .pdf
  • .pem
  • .php
  • .pl
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .PPT
  • .pptm
  • .pptx
  • .psd
  • .qcow2
  • .rar
  • .raw
  • .rb
  • .RTF
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sql
  • .SQLITE3
  • .SQLITEDB
  • .stc
  • .std
  • .sti
  • .stw
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tar.bz2
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .XLS
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .zip

The trojan searches for files which contain any of the following strings in their file name:

  • wallet.dat

It avoids those with any of the following strings in their names:

  • $Recycle.Bin
  • _Locky_recover_instructions.bmp
  • _Locky_recover_instructions.txt
  • AppData
  • Application Data
  • Boot
  • Program Files
  • Program Files (x86)
  • System Volume Information
  • temp
  • thumbs.db
  • tmp
  • Windows
  • winnt

The trojan encrypts the file content.


The name of the encrypted file is changed to:

  • %variable%.locky

A string with variable content is used instead of %variable%.


The following file is dropped into the %currentfolder% and %desktop% folders:

  • _Locky_recover_instructions.txt

It contains the following text:

!!! IMPORTANT INFORMATION !!!!

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. http://6dtxgqam4crv6rr6.tor2web.org/%removed%
2. http://6dtxgqam4crv6rr6.onion.to/%removed%
3. http://6dtxgqam4crv6rr6.onion.cab/%removed%
4. http://6dtxgqam4crv6rr6.onion.link/%removed%

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: %removed%.onion/%removed%
4. Follow the instructions on the site.

!!! Your personal identification ID: %removed% !!!

To decrypt the files, the user is asked to comply with the given conditions in exchange for a password or decryption instructions.
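The renaming rule (%variable%.locky) and the dropped note (_Locky_recover_instructions.txt in each affected folder and on the desktop) are the two file-system artefacts a responder can look for in a plain file listing taken from the machine or from a backup index. The Python script below is an added example, not code from the ESET description or from any ESET tool; it walks a constructed Windows-style listing (the paths, the hexadecimal-looking file names and the function names are all assumptions) and reports where encrypted files and notes were found. Only the .locky suffix is relied on, since the page does not say how %variable% is formed.

```python
from collections import Counter
from typing import Dict, Iterable, Tuple

# File-system indicators from the ESET description: an encrypted file is renamed to
# %variable%.locky, and _Locky_recover_instructions.txt/.bmp are dropped beside the
# encrypted files and on the desktop. The %variable% part is deliberately not modelled.
ENCRYPTED_EXT = ".locky"
RANSOM_NOTES = {"_locky_recover_instructions.txt", "_locky_recover_instructions.bmp"}


def split_path(path: str) -> Tuple[str, str]:
    """Split a backslash-separated path into (directory, file name)."""
    directory, sep, name = path.rpartition("\\")
    return (directory if sep else "", name)


def triage_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise Locky artefacts found in a file listing (matching is case-insensitive)."""
    encrypted_per_dir: Counter = Counter()
    note_dirs = set()
    for path in paths:
        directory, name = split_path(path)
        lname = name.lower()
        if lname.endswith(ENCRYPTED_EXT):
            encrypted_per_dir[directory] += 1
        elif lname in RANSOM_NOTES:
            note_dirs.add(directory)
    return {
        "encrypted_total": sum(encrypted_per_dir.values()),
        "encrypted_per_dir": dict(encrypted_per_dir),
        "note_dirs": sorted(note_dirs),
        "infected": bool(encrypted_per_dir or note_dirs),
    }


# Constructed sample listing (assumed user name and file names; not a real capture).
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.bmp",
    r"C:\Users\alice\Documents\7F1A2B3C4D5E6F70.locky",
    r"C:\Users\alice\Documents\0011223344556677.locky",
    r"C:\Users\alice\Documents\_Locky_recover_instructions.txt",
    r"C:\Users\alice\Documents\config.ini",
    r"C:\Users\alice\Pictures\AABBCCDDEEFF0011.locky",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\App\readme.txt",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"infected: {result['infected']}, encrypted files: {result['encrypted_total']}")
    for directory, count in result["encrypted_per_dir"].items():
        print(f"  {directory}: {count} .locky file(s)")
    print("folders holding a ransom note:", result["note_dirs"])
```

Feeding the script the output of a recursive directory listing gives a per-folder view of what was encrypted, which is usually the first thing needed when deciding which shares to take offline and which backups to restore.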


When file encryption is finished, the trojan removes itself from the computer.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • list of encrypted files

The trojan contains a list of (7) URLs. The HTTP protocol is used in the communication.


The trojan attempts to send gathered information to a remote machine.

Other information

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Locky]

The trojan executes the following command:

  • vssadmin.exe Delete Shadows /All /Quiet

The trojan creates the following files:

  • %desktop%\_Locky_recover_instructions.bmp

This file/image is set as a wallpaper.
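The Installation section and the Other information section together give three host artefacts that can be checked without touching the sample: the Run value named "Locky" that points at %temp%\svchost.exe, the HKEY_CURRENT_USER\Software\Locky key, and the vssadmin.exe Delete Shadows /All /Quiet command. The Python script below is an added example, not code from the ESET description or from any ESET tool. It runs those checks over a constructed registry snapshot and constructed process-creation log lines; the "Field: value | Field: value" line format, the function names, the user name and the sample paths are all assumptions. Because %temp% may appear unexpanded in the Run value but expanded in a process log, both forms are matched.

```python
import re
from typing import Dict, Iterable, List

# Host indicators from the ESET description of Win32/Filecoder.Locky.A.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Locky"
STATE_KEY = r"HKEY_CURRENT_USER\Software\Locky"

# The trojan runs its own copy as %temp%\svchost.exe. The genuine binary lives under
# %SystemRoot%\System32, so an svchost.exe in a temp folder is suspicious on its own.
TEMP_SVCHOST = re.compile(r'(?i)(%temp%|\\temp)\\svchost\.exe"?\s*$')

# Shadow-copy deletion as run by the trojan (vssadmin.exe Delete Shadows /All /Quiet),
# matched loosely so a path prefix or extra switches do not hide it.
VSSADMIN_DELETE = re.compile(r"(?i)\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")


def check_registry(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Inspect a {key path: {value name: data}} snapshot for Locky's registry footprint."""
    findings: List[str] = []
    lowered = {key.lower(): values for key, values in snapshot.items()}
    for name, data in lowered.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run value named {name!r} present: {data}")
        if TEMP_SVCHOST.search(data):
            findings.append(f"Run value {name!r} starts svchost.exe from a temp folder: {data}")
    if STATE_KEY.lower() in lowered:
        findings.append(f"state key present: {STATE_KEY}")
    return findings


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Field: value | Field: value' process-creation line (assumed format)."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_process_events(lines: Iterable[str]) -> List[str]:
    """Flag shadow-copy deletion and svchost.exe images that run from a temp folder."""
    findings: List[str] = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        if VSSADMIN_DELETE.search(cmd):
            findings.append(f"shadow copies deleted by {event.get('ParentImage', '?')}: {cmd}")
        for field in ("Image", "ParentImage"):
            if TEMP_SVCHOST.search(event.get(field, "")):
                findings.append(f"{field} is svchost.exe in a temp folder: {event[field]}")
    return findings


# Constructed sample data describing an infected-looking host; not a real capture.
SAMPLE_REGISTRY = {
    RUN_KEY: {
        "Locky": r"%temp%\svchost.exe",
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    },
    STATE_KEY: {"id": "<placeholder-id>"},
}
SAMPLE_EVENTS = [
    r"Image: C:\Windows\System32\vssadmin.exe | CommandLine: vssadmin.exe Delete Shadows /All /Quiet | ParentImage: C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"Image: C:\Windows\System32\svchost.exe | CommandLine: C:\Windows\system32\svchost.exe -k netsvcs | ParentImage: C:\Windows\System32\services.exe",
    r"Image: C:\Windows\System32\vssadmin.exe | CommandLine: vssadmin.exe List Shadows | ParentImage: C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY) + check_process_events(SAMPLE_EVENTS):
        print("FINDING:", finding)
```

The registry check deliberately reports the temp-folder svchost.exe path separately from the "Locky" value name, so a variant that renames the value is still caught by the path; the process check flags "Delete Shadows" but not "List Shadows", which administrators run legitimately.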

