As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. During this period, Locky was the most dominant ransomware distributed in spam email. Now, Locky distribution has returned to the level seen during the first half of 2016.
Figure 1. Locky spam activity in 2016
Figure 2 shows that the majority of Locky spam email detections between June 21 and June 23 of this year were recorded in Japan, the United States and South Korea.
Figure 2. Locky spam by country from June 21 to June 23 of this year
Figure 3. Locky spam email
- Iterates over an array of URLs hosting the Locky payload.
- Uses a custom XOR-based decryption routine to decrypt the Locky payload.
- Ensures the decrypted binary is of a predefined size. In Figure 4 below, the size of the decrypted binary had to be greater than 143,360 bytes and smaller than 153,660 bytes to be executed.
5. Checks (Figure 5) that the first two bytes of the binary contain the “MZ” header signature.
Figure 5: MZ header check
6. Executes the decrypted payload by passing it the command line parameter, “123”.
Locky Payload Updates
Figure 6. Command line parameter check
Figure 7. Decryption routine
If no command line parameter is passed, then the constant for the decryption routine is incorrect. This results in program crash as the decrypted code is invalid. In Figure 8 and Figure 9, we can see the decrypted code sections with and without the command line parameter, respectively.
Figure 8. Correct decrypted code
Figure 9. Incorrect decrypted code
By using this technique, Locky authors have created a dependency on the first stage downloader for the second stage to be executed properly. If a second stage payload such as this is directly analyzed, it will result in a crash.
As of today, the Locky spam campaign is still ongoing, with an added anti-analysis / sandbox evasion technique. We expect to see additional Locky spam campaigns and will remain vigilant in order to protect our customers.