Win32/Filecoder.Locky [Threat Name] go to Threat

Win32/Filecoder.Locky.H [Threat Variant Name]

Category trojan
Size 269824 B
Aliases Trojan-Ransom.Win32.Locky.amc (Kaspersky)
  Ransom:Win32/Locky.A (Microsoft)
Short description

Win32/Filecoder.Locky.H is a trojan that encrypts files on fixed, removable and network drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

When executed, the trojan copies itself into the following location:

  • %temp%\­svchost.exe

The file is then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "opt321" = "%malwarefilepath%"
Payload information

Win32/Filecoder.Locky.H is a trojan that encrypts files on fixed, removable and network drives.


The trojan searches for files with the following file extensions:

  • .001
  • .002
  • .003
  • .004
  • .005
  • .006
  • .007
  • .008
  • .009
  • .010
  • .011
  • .123
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .aes
  • .apk
  • .ARC
  • .asc
  • .asf
  • .asm
  • .asp
  • .asset
  • .avi
  • .bak
  • .bat
  • .bik
  • .bmp
  • .brd
  • .bsa
  • .c
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .CSV
  • .d3dbsp
  • .das
  • .db
  • .dbf
  • .dch
  • .dif
  • .dip
  • .djv
  • .djvu
  • .DOC
  • .docb
  • .docm
  • .docx
  • .DOT
  • .dotm
  • .dotx
  • .fla
  • .flv
  • .forge
  • .frm
  • .gif
  • .gpg
  • .gz
  • .h
  • .hwp
  • .ibd
  • .iwi
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .key
  • .lay
  • .lay6
  • .lbf
  • .ldf
  • .litemod
  • .litesql
  • .ltx
  • .m3u
  • .m4a
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .ms11
  • .ms11 (Security copy)
  • .MYD
  • .MYI
  • .n64
  • .NEF
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .PAQ
  • .pas
  • .pdf
  • .pem
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .PPT
  • .pptm
  • .pptx
  • .psd
  • .pst
  • .qcow2
  • .rar
  • .raw
  • .rb
  • .re4
  • .RTF
  • .sav
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sql
  • .SQLITE3
  • .SQLITEDB
  • .stc
  • .std
  • .sti
  • .stw
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tar.bz2
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .upk
  • .vb
  • .vbs
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .wallet
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .XLS
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .xml
  • .zip

The trojan searches for files which contain any of the following strings in their file name:

  • wallet.dat

It avoids those with any of the following strings in their names:

  • Windows
  • Boot
  • System Volume Information
  • $Recycle.Bin
  • thumbs.db
  • temp
  • Program Files
  • Program Files (x86)
  • AppData
  • Application Data
  • winnt
  • tmp
  • _Locky_recover_instructions.txt
  • _Locky_recover_instructions.bmp
  • _HELP_instructions.txt
  • _HELP_instructions.bmp
  • _HELP_instructions.html

The trojan encrypts the file content.


The name of the encrypted file is changed to:

  • %variable%.zepto

A string with variable content is used instead of %variable% .


The RSA1024, RSA2048, AES128 encryption algorithm is used.


To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.


The trojan creates the following files:

  • %desktop%\­_HELP_instructions.html

When searching the drives, the trojan creates the following file in every folder visited:

  • _%number%_HELP_instructions.html

A variable numerical value is used instead of %number% .


It contains the following text:

  • !!! IMPORTANT INFORMATION !!!!
  • All of your files are encrypted with RSA-2048 and AES-128 ciphers.
  • More information about the RSA and AES can be found here:
  • https://en.wikipedia.org/wiki/RSA_(cryptosystem)
  • https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
  • Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
  • To receive your private key follow one of the links:
  • 1. http://%removed%.tor2web.org/%removed%
  • 2. http://%removed%.onion.to/%removed%
  • If all of this addresses are not available, follow these steps:
  • 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html
  • 2. After a successful installation, run the browser and wait for initialization.
  • 3. Type in the address bar: %removed%.onion/%removed%
  • 4. Follow the instructions on the site.
  • !!! Your personal identification ID: %removed% !!!

When files encryption is finished, the trojan removes itself from the computer.

Information stealing

The trojan collects the following information:

  • information about the operating system and system settings
  • information about encrypted files

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (1) URLs. The HTTP protocol is used in the communication.

Other information

The trojan executes the following command:

  • %system%\­vssadmin.exe Delete Shadows /Quiet /All

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Control Panel\­Desktop]
    • "WallpaperStyle" = "0"
    • "TileWallpaper" = "0"

The trojan creates the following files:

  • %desktop%\­_HELP_instructions.bmp

This file/image is set as a wallpaper.


Some examples follow.

Please enable Javascript to ensure correct displaying of this content and refresh this page.