Win32/Filecoder.Locky [Threat Name] go to Threat
Win32/Filecoder.Locky.A [Threat Variant Name]
Category | trojan |
Size | 139776 B |
Aliases | Ransom:Win32/Locky.A (Microsoft) |
Trojan.Win32.Reconyc.ffmh (Kaspersky) |
Short description
Win32/Filecoder.Locky.A is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
Installation
When executed, the trojan copies itself into the following location:
- %temp%\svchost.exe
The file is then executed.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Locky" = "%temp%\svchost.exe"
Payload information
Win32/Filecoder.Locky.A is a trojan that encrypts files on fixed, removable and network drives.
The trojan searches for files with the following file extensions:
- .123
- .602
- .3dm
- .3ds
- .3g2
- .3gp
- .7z
- .aes
- .ARC
- .asc
- .asf
- .asm
- .asp
- .avi
- .bak
- .bat
- .bmp
- .brd
- .c
- .cgm
- .class
- .cmd
- .cpp
- .crt
- .cs
- .csr
- .CSV
- .db
- .dbf
- .dch
- .dif
- .dip
- .djv
- .djvu
- .DOC
- .docb
- .docm
- .docx
- .DOT
- .dotm
- .dotx
- .fla
- .flv
- .frm
- .gif
- .gpg
- .gz
- .h
- .hwp
- .ibd
- .jar
- .java
- .jpeg
- .jpg
- .js
- .key
- .lay
- .lay6
- .ldf
- .m3u
- .m4u
- .max
- .mdb
- .mdf
- .mid
- .mkv
- .mml
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .ms11
- .ms11 (Security copy)
- .MYD
- .MYI
- .NEF
- .odb
- .odg
- .odp
- .ods
- .odt
- .otg
- .otp
- .ots
- .ott
- .p12
- .PAQ
- .pas
- .pem
- .php
- .pl
- .pl
- .png
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppsx
- .PPT
- .pptm
- .pptx
- .psd
- .qcow2
- .rar
- .raw
- .rb
- .RTF
- .sch
- .sh
- .sldm
- .sldx
- .slk
- .sql
- .SQLITE3
- .SQLITEDB
- .stc
- .std
- .sti
- .stw
- .svg
- .swf
- .sxc
- .sxd
- .sxi
- .sxm
- .sxw
- .tar
- .tar.bz2
- .tbk
- .tgz
- .tif
- .tiff
- .txt
- .uop
- .uot
- .vb
- .vbs
- .vdi
- .vmdk
- .vmx
- .vob
- .wav
- .wb2
- .wk1
- .wks
- .wma
- .wmv
- .xlc
- .xlm
- .XLS
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xml
- .zip
The trojan searches for files which contain any of the following strings in their file name:
- wallet.dat
It avoids those with any of the following strings in their names:
- $Recycle.Bin
- _Locky_recover_instructions.bmp
- _Locky_recover_instructions.txt
- AppData
- Application Data
- Boot
- Program Files
- Program Files (x86)
- System Volume Information
- temp
- thumbs.db
- tmp
- Windows
- winnt
The trojan encrypts the file content.
The name of the encrypted file is changed to:
- %variable%.locky
A string with variable content is used instead of %variable% .
The following file is dropped into the %currentfolder%, %desktop% folder:
- _Locky_recover_instructions.txt
It contains the following text:
To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.
When files encryption is finished, the trojan removes itself from the computer.
Information stealing
The trojan collects the following information:
- information about the operating system and system settings
- list of encrypted files
The trojan contains a list of (7) URLs. The HTTP protocol is used in the communication.
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan keeps various information in the following Registry key:
- [HKEY_CURRENT_USER\Software\Locky]
The trojan executes the following command:
- vssadmin.exe Delete Shadows /All /Quiet
The trojan creates the following files:
- %desktop%\_Locky_recover_instructions.bmp
This file/image is set as a wallpaper.
Some examples follow.