Trojan Downloaders on the rise: Don’t let Locky or TeslaCrypt ruin your day


Weeks after it started attacking and encrypting victims’ files, Locky is still targeting many users. In order to provide more information about this threat, we have put together some information to help protect you in a better way.

Short summary

Win32/Filecoder.Locky.A is a ransomware variant that encrypts more than 100 file types (images, videos, databases, etc.) on fixed, removable, and network drives. When executed, the ransomware copies itself to %temp%\svchost.exe and adds a registry entry so that it is executed on every system start.

The attack vector is a regular email message with an attachment (previous variants used Word or Excel attachments containing malicious macros). The attachment carries a Trojan Downloader, usually from the family detected by ESET as JS/TrojanDownloader.Nemucod, among other variants.

Once opened, Nemucod executes a JavaScript (.js) file, which then downloads and executes its payload. In this case, Win32/Filecoder.Locky.A is launched and it searches for files on local and network drives. It encrypts them and then renames each file by changing its extension to ‘.locky’. After doing that, the Locky ransomware changes the system wallpaper so that the desktop background displays the following text:

[Screenshot: the ransom note text displayed as the desktop wallpaper]

After this step, the user is asked to pay a ransom and the trojan removes itself from the computer. In addition, the malware collects information about the OS and system settings, as well as the list of encrypted files, and attempts to send this data to a remote machine over HTTP.

As is common in current ransomware variants, the payment instructions are hosted on a TOR link and the ransom has to be paid in bitcoins.
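As an added example that is not part of the original post, the following Python script checks constructed sample data for the three indicators the summary describes: a Run-key entry launching svchost.exe from %temp%, files renamed to ‘.locky’, and a ‘.js’ mail attachment of the kind the Nemucod downloader uses. The sample registry values, file listing and attachment names are all constructed here.

```python
# Added example (not from the original post): triage of constructed sample data for
# the Locky indicators named above (Run entry in %temp%, .locky files, .js attachment).
from pathlib import PureWindowsPath

# Constructed sample of HKCU\...\CurrentVersion\Run values (name -> command line).
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchost": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
}
# Constructed sample of a file listing from a local and a mapped network drive.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Documents\A1B2C3D4E5F60718.locky",
    r"Z:\shared\budget.xlsx",
]
# Constructed sample of attachment names from one incoming mail.
SAMPLE_ATTACHMENTS = ["invoice_2016-03.docx", "invoice_scan.js", "photo.jpg"]

# Lower-cased path fragments that identify the user and system temp directories.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def program_path(command):
    """Return the executable part of a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def suspicious_run_entries(entries):
    """Names of Run entries whose executable lives in a temp directory."""
    return [name for name, cmd in entries.items()
            if any(m in program_path(cmd).lower() for m in TEMP_MARKERS)]

def locky_files(paths):
    """Files carrying the '.locky' extension the ransomware applies."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() == ".locky"]

def script_attachments(names):
    """Attachments with a '.js' extension, the Nemucod downloader's format."""
    return [n for n in names if PureWindowsPath(n).suffix.lower() == ".js"]

def triage(run_entries, files, attachments):
    """All findings in one report; an empty list means nothing was flagged."""
    return {"run_entries": suspicious_run_entries(run_entries),
            "encrypted_files": locky_files(files),
            "script_attachments": script_attachments(attachments)}

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_RUN_ENTRIES, SAMPLE_FILES, SAMPLE_ATTACHMENTS).items():
        print(f"{kind}: {items or 'none'}")
```

On a real host the same functions can be fed the output of a registry export and a directory walk; a non-empty `run_entries` or `encrypted_files` list is the point at which to isolate the machine and restore from backup.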

Current Campaigns

Since the end of February we have observed several propagation campaigns of ransomware – for example Locky and TeslaCrypt – being spread using the JS/TrojanDownloader.Nemucod malware. Those campaigns have achieved very high detection rates in ESET telemetry systems, such as LiveGrid®, with countries like Japan reaching almost 80%.

These detection rates are calculated from data sent automatically by users of the LiveGrid® system; they show what percentage of all the malware detected on our servers belongs to a single variant.

If we look at the last week’s information, we can observe three big propagation campaigns since the end of February, the last one still active at the time of writing (March 17th):

[Chart: daily JS/TrojanDownloader.Nemucod detection rates since the end of February, showing three propagation campaigns]

Which countries were most affected by these Trojan Downloader propagation campaigns during the last month? Japan leads the list, followed by European countries such as Italy, the UK and Ireland. We have to take into consideration that these detection rates change every day, and some countries like Germany and Spain also have very high detection rates:

[Chart: countries most affected by the Trojan Downloader campaigns during the last month]

Other regions such as North America, Australia, New Zealand and South Africa have also been affected and, since the email used to spread the ransomware is usually written in English, it makes sense that most of the detections come from the areas mentioned.

It’s also interesting that the criminals are targeting most of the wealthiest countries, maybe expecting that the infected users will be more likely to pay in those countries.

How to protect yourself?

While the protection methods mentioned for earlier ransomware campaigns apply perfectly to Locky, it does no harm to review them and add some new ones:

  • Backups are essential. Face it, the last thing you want is a nasty ransomware encrypting all your personal files and having to pay to recover them. It’s always a good idea to have a backup copy of your files stored on another external hard drive or even in a cloud storage system.

Just make sure that you only connect this backup system while you are copying the files. If you don’t, you might find your backup files encrypted as well, since most ransomware looks for external drives and even shared folders and cloud storage services mapped to your file system.

  • Make sure that your antivirus is up to date, and if it has an early warning system, make sure that it is activated. That’s the difference between waiting hours and waiting just minutes for a virus signature that detects a new threat.
  • Update your system and all the installed software. Exploits that take advantage of security holes in the system and applications are commonly used by malware creators. Don’t let the cybercriminals infect your system just because you forgot to install the most recent updates.
  • Secure your system. Besides keeping it updated, there are other methods that can help you keep your system safe. Windows UAC is always a good start, since you can configure it to require additional permission to execute an unknown file.
  • If you are in a business environment and you have Windows Active Directory, you can set group policies in a way that prevents ransomware from executing and starting to encrypt your files or spreading through your network. You can even prevent Office macros from being executed, so you will not have to worry about an employee opening a malicious Office document.

by Josep Albors, ESET


7 thoughts on “Trojan Downloaders on the rise: Don’t let Locky or TeslaCrypt ruin your day”

  1. How do you prevent Locky from re-installing itself?

    I’ve had my pc encrypted with VeraCrypt for a long time and only recently started to notice the Locky files in the Windows Registry. So I immediately ran rkill first.

    I then did a clean power test and rebooted into Safe Mode, scanned the Registry for all occurrences of Locky and then deleted them. Then I updated all my security software, then disconnected from the internet so that I could run my Security Suite as well as Rogue-killer, ERAR from ESET, AVZ4 from Kaspersky as well as Malwarebytes; however, none of these found the Locky files.

    After conducting all those scans, I opened Regedit and again found the same Locky files that were there before. I tried to delete them with Malwarebytes RegAssassin tool and BlitzBlank, however that proved unsuccessful, yet I was able to delete them normally every time I re-opened Regedit.

    Subsequent reboots still showed these Locky files in Regedit despite the fact that I deleted them several times, even while in Safe Mode. To this day, the Locky files remain; however, I have never been prompted by any ransom message and I’m just making an educated guess that maybe the reason for that is because my entire drive was already encrypted with VeraCrypt before this Locky bug made it onto my system. Logically that seems like a foregone conclusion, however these stupid Locky files continue to remain on my system despite all my efforts thus far to delete them.

    Any insight into this particular problem would be much appreciated. Thank you.

    1. Hi Zday,

      Is your entire HDD encrypted or just a specific partition? I would recommend scanning from outside the host operating system. ESET SysRescue Live is a bootable linux environment with ESET preinstalled. It’s particularly good at finding rootkits that may not show while scanning from within Windows.

      You can find it here http://support.eset.com/kb3509/?locale=en_US

      1. To answer your question, my entire HDD was encrypted. As far as scanning outside the OS, I eventually did so using Kaspersky Rescue Disk 10, but after updating it and running the object scan (after using the built-in WinUnlocker tool first, of course), nothing was found. Then after rebooting back into Windows, sure enough, these pesky Locky entries were back in my registry again. The funny thing is the other entries associated with Locky (the ones that don’t have “Locky” in the name of the key) kept changing their folder name each time I deleted them and rebooted.

        I even implemented a secure wipe using DBAN, then after attempting to re-install Windows, the Locky entries returned, even after I used DISKPART to clean the MBR. I then unlocked and deleted the keys again while in Safe Mode before giving it another secure wipe using DBAN. This time I made use of some additional tools on my copy of Hiren’s BootCD. Neither Bootfix, the MBR tools nor any other hardware tools seemed to help.

        Anyway, I finally got fed up with the fact that I’ve already spent a ridiculous amount of time trying to root out this filecoder, and simply decided to use one of the other hard-drives I have.

        I had backups of my files so I’m not worrying about recovering anything from the original HDD, but I can say that this is a nasty ransomware bug that really needs to be the focus of greater attention by the security industry at large. This thing is no joke.

    2. Hi Zday,

      Thanks for the reply. Would it be possible to get some logs from you? I’d like to raise this issue with our lab as I’ve personally not experienced such a variant before. If you’re open to the idea of sending us logs and samples you can reach me via support@eset.ie

      -Ciarán.

  2. I will do as you requested. Please check for my response to ESET support at the address you previously mentioned. Thank you Ciaran.

  3. Dear Mr. McHale,

    I must apologize for not responding back sooner. I’ve actually been extremely busy at work the past several weeks and even when I had some free time in between, I also had some other important obligations to tend to as well.

    I’m not sure if I ever mentioned this before, but at the same time I initiated contact with you (initially on the ESET page with the associated article on ‘Locky’ and ‘TeslaCrypt’), I was also seeking some additional assistance from the folks over at [ Sysnative.com ], and, after much troubleshooting and thoroughly examining logs and checking multiple resources, the ‘Sysnative’ team was able to help me solve the issue and we found out that I did not have a ransomware infection at all, but that it was the “Bitdefender Anti-Ransomware Tool”, which I’d already installed onto my system prior to noticing the Locky files, which was the actual cause of the Locky entries showing up in my registry.

    One of the techs from Sysnative found this information in a blog post on the Bitdefender Labs website and, in spite of this good news, for extra measure I actually contacted Bitdefender directly, and through email correspondence with them the Bitdefender tech I spoke to confirmed that their [ BDAR ] tool does in fact create these types of keys in the Windows registry in order to fool the real Locky virus, because the way in which the real Locky virus currently works is that if it detects that Locky is already installed (hence the spoofed Locky keys created by the Bitdefender Anti-Ransomware tool), it will not install onto the system and instead will move on to its next target.

    This scenario was further corroborated after I chose to uninstall BDAR and subsequently ran another registry scan with “RegEdit” and “CCleaner”, both of which came back clean and no longer showed the Locky entries in my Windows registry.

    Suffice to say, initially the discovery of the Locky entries gave me quite a scare; however, I’m glad to know that it wasn’t the real Locky virus after all, and I’m also glad that I still had such a “knee-jerk” reaction to those discoveries. God forbid it was the real thing; I’m glad I noticed it when I did.
