A thorough analysis of the ransomware Locky by Kaspersky Lab has yielded a series of highly detailed insights on the pernicious software, according to the company's Securelist blog post.
According to the 6 April post, Kaspersky has so far detected and reported Locky infection attempts in 114 different countries, with the heaviest concentration of attacks in Germany (3,989 attacks) and France (2,372 attacks). Kuwait (976) has been the third most commonly targeted country, while the US is seventh (188). (These figures do not even include early-stage detections, where malicious spam or downloaders were discovered and successfully eliminated before Locky could be transmitted.)
“What really caught our attention was the massive spamming campaign which distributes Locky in more than 100 countries all over the world at once,” said Kaspersky researcher and blog author Fedor Sinitsyn, in an email interview with SCMagazine.com. “It turns out the most unique and probably dangerous feature of Locky is not within the code of this malware, but rather in its aggressive propagation.”
“Maybe it's because modern versions of MS Office don't have macros enabled by default, and the criminals thought that not enough potential victims are getting infected because of it,” Sinitsyn told SCMagazine.com. “With malicious JS-downloaders, the victim doesn't need to enable anything. [They just need to] double-click on the script inside an archive, so the criminals behind Locky might have thought this propagation technique would increase the infection rate.”
When opened, the 100kb malware file, which was developed in Microsoft Visual Studio, copies itself into an infected machine's directory and eliminates the usual notification that warns users against downloading unknown files from the internet. The malware then connects and communicates with a command and control centre, before encrypting the affected machine's files and delivering a ransom demand.
According to the post, the Trojan's code contains between one and three C&C IP addresses. But it also features an algorithm that generates six new C&C addresses per day.
Meanwhile, the ransom message contains a series of links that lead to the same Tor network website.
Sinitsyn noted that Russian and other Cyrillic-script languages are among the supported languages listed in the ransom page's source code. “For some reason the cyber-criminals are not that keen on targeting users in countries where those languages are spoken,” wrote the researcher in his blog. Cyber-security experts often say such behaviour is a clue that the attackers themselves are likely based in this language-speaking region.