Locky Malware
Abstract
Locky is a ransomware strain which emerged in 2016, and takes advantage of social engineering techniques and the power of Microsoft Office’s macros feature to trick users into running a script which encrypts data on the user’s machine, and then offers to transmit the key to decrypt the information and return control to the user if the ransom is paid.
Few details exist regarding the identity of the original authors of the Locky ransomware, and currently there is no known way to break the encryption and return the data without first paying the ransom. CUrrent advice is geared towards preventing downloading the ransomware in the first place as opposed to what steps to take after infection.
What is Locky Ransomware?
Locky is a specific strain of ransomware that was introduced in late 2015/early 2016 [1]. Like other forms of ransomware, when this malware infects your computer, it has the power to encrypt all of your files. The most certain way of decrypting your files is by paying the ransom. A typical Locky case has an average payout of 0.5-1 bitcoins. This affects around 90,000 devices per day, of which about 2.9% of people pay the ransom [2]. As a result, there is potential for the attackers to earn over $1,000,000 per day. Because of the high potential earnings, the incentive for these typical Locky cases is to spam as many devices as possible in order to collect the most amount of money possible.
In addition to these typical cases, there have also been high profile cases that have been sensationalized by the media. These high profile cases involve a significantly higher payout than the typical Locky case as these attacks are aimed at industries where access to their data is essential to their operation i.e. hospitals, police stations, or transportation offices. The highest profile case of a Locky attack occurred at The Hollywood Presbyterian Medical center where the attackers demanded a 40 bitcoin ransom[3]. In this instance, the hospital’s access to its data was so important that they paid it immediately and without contacting the police. As a result, the incentive for higher profile cases such is similar to a typical Locky case but the attackers are looking for a higher payout. It is important to remember however, although the media reports on these high profile cases, they are not what representative of the majority of Locky attacks. Over 90,000 devices are attacked per day with a ransom demand that is a fraction of what the Hollywood Presbyterian Medical Center paid.
Infection Vector
The mode of infection for Locky is by a phishing email [4]. Typically, the email will attempt to appear credible, disguising itself as something such as an invoice. Attached to these emails, the victim will find some Microsoft office document. It is not the document itself that is harmful, but the macros that come with it. Thus, simply opening the document will not infect your computer with malware. Instead, Locky relies on the user themselves to enable the macros associated with the document. In order to do this, the attackers will use social engineering to convince the user to enable the macros. One way they have been known to do that, is by sending a word document that appears as complete nonsense except for text at the top of the page. This text suggests the user disable macros if they are unable to read anything below. The typical user who would fall prey to phishing attacks such as these, may lack the computer literacy to understand the full power of macros and why they could be so detrimental to enable. As a result, the user may end up overriding safety features and enabling the macros themselves.
Macros
Macros were introduced to Microsoft Office in the 1990s. They were intended to be used to automate long and tedious tasks that would otherwise be impossible to complete without them. Essentially, they are visual basic script, meaning that they have the same permissions and power as any other script that you may have written locally on your own computer [5]. However, internet safety was not a primary concern during the inception of macros. As a result, there has been malware that has exploited the fact that macros are scripts that are run on your computer. Microsoft attempted to address this by having macros automatically viewed in “Safe Mode” for any documents downloaded from the internet. This means that macros will not automatically be downloaded. However, as mentioned before, the user will still have the power to override these safety features themselves and run the macros, ultimately allowing the Locky malware to begin execution.
Planting Roots
Once the malware is installed, Locky makes preparations to embed itself further into the system. To accomplish this, Locky first copies itself into the Temp directory and subsequently renames itself svchost.exe [1]. svchost.exe is a common Windows process, so anti-virus and anyone inspecting the programs executing will not be surprised to see it running [6]. Locky also removes the :Zone.identifier flag from the executable. This is a Windows security zone flag that indicates the file has come from the internet; removing it takes away another potential malware identifier [1]. In order to ensure Locky is able to function in the event of a restart, it also configures the executable to autorun by adding a registry entry [4]. Note that these measures in no way render the malware indestructible. However, they do make the software harder to detect for general anti-virus. This is important, because once Locky is downloaded it takes 54 seconds to encrypt approximately 70Mb of text documents (for comparison, the average office document is 321kB)[7, 8].
Encryption
Next, the executable is run. Locky contacts the Command and Control server over an HTTP based protocol encrypted with a key hardcoded in the software. The API is rather minimalistic and includes basic functionality for getting keys, reporting stats, etc. The Command and Control server registers the infection and generates an RSA-2048 bit public and secret key pair [1]. The public key is sent to the infected system for use during the encryption process.
Once Locky has received the RSA public key, the file encryption process begins. Each file is encrypted with AES 128 bit ECB mode using the Windows Crypto API [4]. A new key is randomly generated for each file, which, along with the varying file types being encrypted, helps to minimize any disadvantages of using ECB mode. The encryption targets popular file-types, including doc, docx, pdf, jpeg, and many others [1]. All AES keys are then encrypted themselves with the RSA public key sent from the Command and Control server [4]. This way, the target cannot access the keys for use in decryption unless the Command and Control server has sent them the RSA secret key. This is where the ransomware trap falls into place and where paying the ransom becomes the only likely method of recovery.
Ransom/Decryption
When the encryption is complete, the malware compiles stats regarding the number of files encrypted and relays them to the Command and Control server [1]. At this point, a ransom is set and Locky manipulates the user’s desktop background to display instructions on how to pay the ransom and recover the locked files. From here, the user will pay bitcoin to an anonymous recipient for some specified amount. The anonymity of the attacker is maintained through the use of the Tor network [1]. The victim does not require the Tor browser to pay the ransom, however, because a URL is given that utilizes a Tor gateway (e.g. tor2web). Should the URL prove unreliable, the victim is instructed to download Tor instead.
Upon paying the ransom, the user is given access to download the Locky decryptor, which comes hardcoded with the RSA secret key required to decrypt the AES keys for each file [4]. Returning the files to their previous state with the Locky decryptor is a reliable and quick process (much like the encryption itself). As of the time this report was written, there are no known “Universal Decryptors” for Locky. Both the types of encryption as well as the encryption APIs are known and considered secure enough that such a development would prove unlikely.
Industry Response and Prevention Recommendations
While Locky in particular, and ransomware in general, represents a serious threat to organizations dealing in sensitive data as seen above with the attacks on hospitals, the response of industry as a whole has largely amounted to “don’t get infected”. The common suggestions include recommending the use of strong passwords, use of firewalls, use whitelists to filter email addresses, train users to recognize social engineering techniques, and storing data backups off network in order to have a recoverable copy [9,10]. Even the checklist provided by the United States Department of Health and Human Services for hospital IT departments to use is largely generic and includes the line “All staff members understand and agree to abide by network use policy.” [11]. A technical guidance paper from various United States Government agencies largely follows this same theme [12].
It is apparent that there is no straightforward solution to the issue. There appears to be two main contributing factors to this. The first being that it is likely easier to simply pay the ransom than spend the time and money to either break the encryption or recover clean backups. This is particularly true if the data encrypted is sensitive information for which recent backups may not exist but are necessary, such as patient data. Tying into this is the fact that, as discussed above, the typical ransom demanded is quite low. While the US Government cautions against paying the ransom [12], it is rare for the data to not be returned upon ransom payment.
The other factor is Microsoft’s continued promotion of macros within Microsoft Office. Perhaps in recognition of the fact that, by Microsoft’s own admission, almost all Office-related threats involve the use of macros [13], Microsoft added the ability to set Group Policies to prevent enabling macros as tagged as being from the internet in Office 2016, as well as the ability to block VBA code from being run in Office 2016 [14]. While these settings are useful if macros are not needed, it is more difficult for those environments which do need macros to automate repeated business tasks to take advantage. Various work environments take advantage of the ability to run arbitrary VB scripts using macros to automate tasks outside of Office while using Office to facilitate a user interface, such as generating and sending HL7 messages from an Excel spreadsheet. As a result, Microsoft ultimately chooses to prioritize user experience over security, something also apparent in their progressive simplification of MS Office alert messages regarding macros to eliminate explanations of the potential dangers in order to avert alert fatigue [15]. Thus, this leaves open a system vulnerability, as it is easier long term to use social engineering techniques to manipulate users than to attempt to find code vulnerabilities that can later be patched upon discovery.
Thus, the best route may be to prevent the messages from reaching the users altogether. Google, as the provider of the Gmail service, utilizes tools such as SMTP Strict Transport Security to encrypt transmissions, Sender Policy Framework to validate which servers should be sending emails for a given domain, Domain Keys Identified Mail to sign emails, and Domain-based Message Authentication, Reporting and Conformance to facilitate reporting. Taken together, these tools aid in preventing spoofing of messages and generally ensure that malicious emails can be prevented from reaching [16]. The US Government recommends the use of these tools as well for proactive protection [12]. In combination with deep learning artificial intelligence, Google was able to prevent a large scale attempt to send Locky messages through Gmail on May 5, 2016 [16].
Acknowledgements:
This work was done without any outside collaboration
Sources:
[1] Avast Blog. “A Closer look at the Locky software”. 10 March 2016.
https://blog.avast.com/a-closer-look-at-the-locky-ransomware
[2] Smart Data Collective. “Locky Ransomware Statistics: Geos Targeted, Amounts Paid, Spread Volumes and Much More…“. 16 May 2016.
[3] Los Angeles Times. “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating”. 18 February 2016. http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
[4] MalwareBytes Labs. “Look into Locky Ransomware”. 1 March 2016.
https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
[5] How to Geek. “Macros Explained: Why Microsoft Office Files Can Be Dangerous”. 11 September 2013.
https://www.howtogeek.com/171693/macros-explained-why-microsoft-office-files-can-be-dangerous/
[6] How to Geek. “What is svchost.exe and why is it running?”. 24 January 2015.
https://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
[7] Barkly. “How Fast Does Ransomware Encrypt Files?”.
https://blog.barkly.com/how-fast-does-ransomware-encrypt-files
[8] Microsoft TechNet. “What is the Average Size of an Office Document”. 18 October 2012.
https://blogs.technet.microsoft.com/dangl/2012/10/18/what-is-the-average-size-of-an-office-document/
[9] Healthcare IT News. “Tips for protecting hospitals from ransomware as cyberattacks surge.” 6 April 2016. http://www.healthcareitnews.com/news/tips-protecting-hospitals-ransomware-cyber-attacks-surge
[10] Schumacher Clinical Partners. “10 Ways to Protect Your Hospital from Cyberattack”. 26 August 2016. http://www.schumacherclinical.com/health-care-insights/2016/8/10-ways-to-protect-your-hospital-from-cyber-attack
[11] United States Department of Health and Human Services. “Cybersecurity Checklist Series: Network Access Checklist.”
https://www.healthit.gov/sites/default/files/Network_Access_Checklist.pdf
[12] United States Department of Justice. “How to Protect Your Networks from Ransomware.”
https://www.justice.gov/criminal-ccips/file/872771/download
[13] Microsoft TechNet. “New feature in Office 2016 can block macros and help prevent infection”. 22 March 2016. https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
[14] Microsoft TechNet. “Plan security settings for VBA macros in Office 2016”. 21 September 2015. https://technet.microsoft.com/en-us/library/ee857085(v=office.16).aspx
[15] Carnegie Mellon University Software Engineering Institute. “Who Needs to Exploit Vulnerabilities When You Have Macros?”. 8 June 2016.
[16] eweek. “How Google Secures Against Spam and Ransomware”. 17 February 2017. http://www.eweek.com/security/how-google-secures-gmail-against-spam-and-ransomware