Dear Locky: You have shown that signature-based detection is fundamentally impossible, but we still caught you!
By: Carolyn Crandall CMO
The Dridex-linked Locky ransomware strain is, by design, no more sophisticated than its fellow ransomware families CryptoWall, TeslaCrypt and others. However, it is said to be backed by the Russian Dridex criminal group, a known leader in banking malware, and it has quickly built its reputation on the speed with which it infects systems across the globe. Forbes puts this at approximately 90,000 systems per day, with affected users asked for an average of $400+ to unlock their systems.
Locky operates through phishing emails that carry Microsoft Word attachments. Each binary is crafted uniquely to evade signature-based detection.
This blog post covers how Locky works and why you need deception technology to avoid becoming its next victim. If you think for a minute that you are immune, you may be kidding yourself: ask the Hollywood hospital, or any of the others hit by the ransomware plague of 2016. Think you are safe because you are on a Mac? Think again. Locky has been called the first “official” ransomware strain for Macs.
Given customer interest and demand, the Attivo Networks Threat Detection Lab ran the Locky malware to see whether we could detect it and what the attack forensic data would look like. Here are our findings:
- File SHA1: E25418FB175EEDA2D30E8A8B981753BD8844F9B7
- File Type: PE32
- Malware Category: Ransomware
A sample of Locky was uploaded, using the BOTsink manager interface, into the BOTsink Malware Analysis Engine for investigation.
The BOTsink malware analysis engine allows the submission of a binary file for detection of zero-day, near-zero-day and known malware. The BOTsink engine executes the uploaded binary within its sandbox and raises alerts based on the observed behavior.
The findings included:
- Lateral movement
- C&C communications
- Locky was deceived, with deception lures, into engaging with the Attivo Deception platform (it took the bait)
After the analysis completed, the sample was observed to encrypt files on the local machine and leave a ransom note.
Image 1: Screen shot of a folder with encrypted files
Image 2: Screen shot of the ransom note post-encryption
Once engaged with the BOTsink deception platform, the sample was observed trying to talk to C&C servers and attempting to access file shares on other machines on the same subnet.
An additional test sample demonstrated Locky taking the bait and engaging with the Attivo endpoint deception lures. The malware used some of the deceptive credentials to move laterally to other systems on the network. These lures are designed to lead the attack straight to the Attivo BOTsink engagement servers. It is critical not only to have detection decoys for reconnaissance or scanning, but also to be able to lure the attacker to the engagement server and away from production systems for early detection. Once ransomware has established its foothold, it moves exceptionally fast: SOC teams need early insight while the attack is still being mounted, plus the ability to quickly identify the infected systems so that the infected endpoint or network segment can be quarantined before it contaminates other devices.
Sample’s Static Analysis
A deeper static investigation of the sample’s disassembly matches well with the observations of the BOTsink analysis engine. Locky uses the AES encryption algorithm, generating a random encryption key for each file it encrypts on the targeted drives. Its encryption capability is apparent from its use of the Microsoft Crypto APIs.
To summarize the malware’s activities: it enumerates network resources using the WNetOpenEnum and WNetEnumResource APIs, then calls the WNetAddConnection2 API to map a local device to each discovered network resource. The binary code below reveals this functionality.
Next, Locky enumerates all drives by calling GetLogicalDrives and then identifies the drive type to infect. Locky targets the following drive types when encrypting files:
- Removable drives (USB, Flash Card Reader, Floppy drive)
- Fixed drives (Hard disk)
- Remote drives (Network shares)
- RAM disk
Below is an example of a code snippet from the analyzed malware binary, revealing this operation.
After encryption, Locky renames all the files with the extension .locky and eventually drops the recovery instructions on the infected machine.
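The behavior described in this section, many files renamed to .locky by one process within seconds and the spread onto network shares, is what a SOC wants to catch early. The following detector is an added example, not Attivo’s or the malware’s code; it runs over constructed Sysmon-style file-rename events whose field layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style file-rename events: (timestamp, host, pid, old_path, new_path).
# PID 4120 on WS01 renames six files in 12 seconds, two on the FS01 share (should alert);
# PID 900 on WS02 renames a single file (must not alert).
SAMPLE_EVENTS = [
    ("2016-03-01T10:00:01", "WS01", 4120, r"C:\Users\bob\Docs\q1.xlsx", r"C:\Users\bob\Docs\0A1B2C3D4E5F6071.locky"),
    ("2016-03-01T10:00:02", "WS01", 4120, r"C:\Users\bob\Docs\budget.docx", r"C:\Users\bob\Docs\0A1B2C3D4E5F6072.locky"),
    ("2016-03-01T10:00:04", "WS01", 4120, r"C:\Users\bob\Pictures\cat.jpg", r"C:\Users\bob\Pictures\0A1B2C3D4E5F6073.locky"),
    ("2016-03-01T10:00:05", "WS01", 4120, r"E:\backup\notes.txt", r"E:\backup\0A1B2C3D4E5F6074.locky"),
    ("2016-03-01T10:00:09", "WS01", 4120, r"\\FS01\finance\ledger.xlsx", r"\\FS01\finance\0A1B2C3D4E5F6075.locky"),
    ("2016-03-01T10:00:13", "WS01", 4120, r"\\FS01\finance\plan.pptx", r"\\FS01\finance\0A1B2C3D4E5F6076.locky"),
    ("2016-03-01T10:05:00", "WS02", 900, r"C:\tmp\test.bin", r"C:\tmp\test.locky"),
]
THRESHOLD = 5                   # .locky renames by one process ...
WINDOW = timedelta(seconds=30)  # ... inside this sliding window -> alert

def is_locky_rename(old_path, new_path):
    """True when a file that was not already .locky is renamed to the .locky extension."""
    return new_path.lower().endswith(".locky") and not old_path.lower().endswith(".locky")

def share_host(path):
    r"""Server name of a UNC path (\\server\share\...), or None for a local path."""
    if path.startswith("\\\\"):
        parts = path.split("\\")
        if len(parts) > 2 and parts[2]:
            return parts[2].upper()
    return None

def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Group .locky renames per (host, pid); raise one alert the first time `threshold`
    of them fall inside `window`. The alert lists remote servers whose shares the
    process wrote to, i.e. the hosts to check and quarantine next."""
    per_proc = defaultdict(list)
    for ts, host, pid, old_path, new_path in events:
        if is_locky_rename(old_path, new_path):
            per_proc[(host, pid)].append((datetime.fromisoformat(ts), new_path))
    alerts = []
    for (host, pid), renames in per_proc.items():
        renames.sort()
        start = 0
        for end, (t_end, _) in enumerate(renames):
            while t_end - renames[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                servers = sorted({share_host(p) for _, p in renames} - {None})
                alerts.append({"host": host, "pid": pid, "count": end - start + 1,
                               "first_seen": renames[start][0].isoformat(), "remote_servers": servers})
                break  # one alert per process is enough for triage
    return alerts
```

Tune `THRESHOLD` and `WINDOW` to the normal rename rate of your file servers; a real deployment would also key on the process image and the user account so the lure credentials described above can be tied to the alert.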
Why Organizations are Turning to Deception to Protect Against Ransomware
There are three fundamental reasons why organizations are deploying deception to detect and protect against ransomware.
- Signature-less: Deception does not rely on known signatures or attack patterns to detect inside-the-network threats. Instead it uses a blend of deception lures, decoys and engagement servers to deceive an attacker into engaging. Once the attacker touches a deception system, there is no turning back: we immediately have their information, and through our analysis engine we can immediately create the signatures that prevention systems need to block, quarantine and remediate the attack.
- Lateral Movement Detection: Many variants of today’s malware use sleeper or time-triggered tactics to evade detection and sandbox technology. This can make it very difficult to understand the magnitude of an alert, and sandbox technology is not designed for long-term analysis; a cleverly timed attack plan can easily work around a sandbox’s limitations. Deception is different because it is designed to detect and analyze lateral movement inside the network. Whether the attack is detected directly through decoys or deception lures, or the SOC team feeds information into the system for non-time-bound analysis, the BOTsink platform provides efficient and prompt detection of threats before they have time to mount their attacks.
- Efficiency of Incident Response: A customer recently shared a story of a malware infection identified by their team. The malware had bypassed their anti-virus systems, and every time they thought they had the attack contained it resurfaced somewhere else. In parallel, an incident response team was brought in and the Attivo deception platform was activated. Long story short, before the incident response team had landed from their flight, the Attivo BOTsink had produced a full forensic analysis of the attack. With this information the SOC team was able to limit the infections to around 60 systems and to put blocking and quarantining in place against the various mutations of the malware. During the BOTsink attack analysis, the malware morphed multiple times and used multiple C&C addresses, which the team had not been able to discover with their sandbox or other detection methods.
Being the victim of ransomware would be a horrific experience for anyone. With deception, however, you give your organization a fighting chance to stop the attack before mass damage can be done.
Ready to learn more about how deception could work in your environment? Let’s chat.