Locky goes offline (by design)

TSperfectgrowwell
post Aug 4 2016, 09:28 PM, updated 7y ago

Getting Started
Junior Member
178 posts

Joined: Nov 2015
From: Muar
New Locky variant can encrypt files without directions from the ransomware’s CnC. That makes it tougher to block. But this new variant may have the weakness that once someone has paid the ransom for their private key ID, it should be possible to reuse the same key for other victims with the same public key.

Locky ransomware now has a new offline mode that kicks in when all connections to the normal command & control centers fail.

The new variant – spotted July 12 – has a lot in common with teenagers that continue playing with their smartphones after a parent unplugs the WiFi router: Even though it looks like they have been disconnected, a workaround is discovered and the game goes on.

“Previously, a system administrator could block all CnC connections and keep Locky from encrypting any files on the system. Those days are over now,” said Moritz Kroll, malware specialist at Avira. “Locky has now reduced the chances for potential victims to avert an encryption disaster.”

When the new variant starts to work, the clock is running – and quickly. Locky runs through a set communication process where it first tries all CnCs from the configuration, then all CnCs from the DGA (12 per day). If that fails, it tries it again once with all CnCs, then it tries one CnC from the config again. If those all fail, it goes into offline encryption mode.

From initial Locky infection to starting offline encryption mode now takes between one and two minutes.

“While going through the CnCs, it made 3 delays for me, each lasting between 10-20 seconds. It’s not great for the admins trying to see the requests,” he said. “Although Locky is still trying to make connections and these can be observed, it will encrypt the files if this fails. So if an administrator notices such connections, there’s very little time left to shut down the computer before the data is damaged.”

Keys are different for offline victims
The new Locky has a different regime for generating ID numbers for its online and offline victims. In offline mode, the Locky cannot directly register a victim ID with the server and get a victim specific public key as is the usual practice. For those cases, it uses a public key which is part of the configuration and generates a special victim ID for the payment page.
The public key for the new Locky is shared by all “offline victims” infected with samples that use the same configuration. This public key has an ID, so the server can eventually distinguish between public keys from different Locky configurations.

To be able to differentiate between the various offline victims and check whether they have already paid, Locky also generates a special victim ID which appears in the ransom note text.

The special victim ID is generated from:

the first 6 hex digits of the normal victim ID which is based on a GUID from a harddisk partition
the user default UI language
the operating system version and type (server/non-server)
whether it’s part of a domain controller (if so, the victim is probably part of a corporation, so the ransom demand can increase)
the affiliate ID from the configuration (usually identifying which “channel” the malware was spread through)
the public key ID from the configuration

Differentiating between the online and offline victims
To differentiate between normal victim IDs and special victim IDs, the new Locky uses a different encoding for the special victim IDs, using a 32 character alphabet “YBNDRFG8EJKMCPQX0T1UWISZA345H769” to encode the ID instead of the hex digits “0123456789ABCDEF”. Based on this special victim ID, the Locky server can then extract the public key ID to deliver the correct private key to the victim.

Discounted ransom for discerning victims
As this private key will be shared with all other offline victims of the same Locky configuration, it creates several discounting potentials for victims. “Theoretically, if a company with a domain controller is hit by the new Locky and sees a non-hexdigit ID like “BSYA47W0NGXSWFJ9”, it might be cheaper to generate a victim ID with the same public key ID but without saying it’s a corporate computer,” Kroll pointed out. “The private key contained in the decrypter for the non-corporate public key ‘should’ also work for the corporate computer – and for all other victims with the same public key. Of course, it is better to take precautions, have a data backup policy, and not be hit at all.”

source:https://blog.avira.com/locky-goes-offline/
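A small triage helper, added here as an example and not part of the Avira article or of Locky itself: it labels victim IDs found in ransom-note text or logs as online (hex) or offline (the 32-character alphabet quoted above), flags the case where a hex ID also happens to be valid base-32, and unpacks an offline ID into raw bytes. The 16-character ID length and the base-32 bit packing are assumptions, marked in the code.

```python
import re

# Alphabets quoted in the Avira write-up above: normal (online) victim IDs use
# hex digits, special (offline) victim IDs use the 32-character alphabet.
HEX_ALPHABET = "0123456789ABCDEF"
OFFLINE_ALPHABET = "YBNDRFG8EJKMCPQX0T1UWISZA345H769"

# ASSUMPTION: IDs are 16 characters long, like the "BSYA47W0NGXSWFJ9" example.
ID_TOKEN = re.compile(r"\b[0-9A-Z]{16}\b")

def classify_victim_id(victim_id: str) -> str:
    """Label one ID as 'online', 'offline', 'ambiguous' or 'invalid'."""
    chars = set(victim_id.strip().upper())
    if not chars:
        return "invalid"
    is_hex = chars <= set(HEX_ALPHABET)
    is_b32 = chars <= set(OFFLINE_ALPHABET)
    if is_hex and is_b32:
        # The 32-char alphabet holds every hex digit except '2', so a hex ID
        # without a '2' is also a valid base-32 string; context must decide.
        return "ambiguous"
    if is_hex:
        return "online"
    if is_b32:
        return "offline"
    return "invalid"

def decode_offline_id(victim_id: str) -> bytes:
    """Unpack a special victim ID into raw bytes, 5 bits per character.
    ASSUMPTION: big-endian base-32 packing (first character = high bits); the
    article does not document Locky's packing, so treat the bytes as opaque
    correlation data, not as parsed fields."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in victim_id.strip().upper():
        acc = (acc << 5) | OFFLINE_ALPHABET.index(ch)  # ValueError if not in alphabet
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)

def triage_note(text: str) -> list:
    """Find ID-like tokens in ransom-note or log text and label each one."""
    return [(tok, classify_victim_id(tok)) for tok in ID_TOKEN.findall(text.upper())]

# Constructed sample text (not a real ransom note) with one ID of each kind.
SAMPLE_NOTE = ("Personal ID: BSYA47W0NGXSWFJ9. Earlier report: 0123456789ABCDEF, "
               "and another: ABCDEF0134567890.")
```

Because the 32-character alphabet drops only the digit '2' from the hex set, an "ambiguous" label is expected for some genuine online IDs; the ransom note text around the ID settles it.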

squirrel27
post Nov 22 2016, 08:17 PM

New Member
Newbie
2 posts

Joined: Nov 2016
Hi, there is one more nuance: Locky has transformed. It was Petya, Cerber, Odin, Shit, Thor, and now it is AESIR. I learned all this on this site http://soft2secure.com/knowledgebase/aesir-file-virus ))))

blastmeister
post Jan 10 2017, 02:46 PM

Getting Started
Junior Member
102 posts

Joined: Jun 2006


All effective viruses and trojans will evolve because antivirus will catch up with their threat. Hence, you will need better detection that can even detect evolved trojans, viruses or even encrypters. But their payload processes are quite similar. This is where Dr.Web has Origin Tracing and Heuristic Analyzer to do the magic.

Whichever way it evolves, the virus will have a similar payload. Origin Tracing will detect how those viruses behave and how the payload works, compare it to the database of viruses with similar payloads and voila! It kills it before it is ready to drop the payload.
CowGerdYY
post Apr 8 2017, 06:56 PM

New Member
Newbie
3 posts

Joined: Apr 2017


It is a pity that the makers of antivirus software may not work ahead. My friend recently had problems with Cerber ransomware ((((
CowGerdYY
post Apr 8 2017, 06:59 PM

New Member
Newbie
3 posts

Joined: Apr 2017


He did not pay the ransom, but he had to reinstall the system on your computer. Lost all pictures and text files (((
TSperfectgrowwell
post Apr 8 2017, 08:02 PM

Getting Started
Junior Member
178 posts

Joined: Nov 2015
From: Muar
QUOTE(CowGerdYY @ Apr 8 2017, 06:59 PM)
He did not pay the ransom, but he had to reinstall the system on your computer. Lost all pictures and text files (((
Always backup data and update security software.
