By the Numbers
Since .ODIN came to our attention, G DATA has been monitoring its activity in the wild. Based on the statistical data that we have gathered, .ODIN was very rampant in European region especially in countries like Germany and Netherlands mostly targeting business-to-business (B2B) companies.
Within G DATA’s customer base, the proliferation of .ODIN detections happened a few weeks after its reported release in the wild. The rate of novel infection attempts was decreased after the release of the next two Locky variants.
The Two Copycats
Locky was on a rampage again by releasing two more consecutive variants last October. An unpleasant .SH*T variant was deployed around third week of last month followed by .THOR variant few days after. There were no notable feature differences found among the last three variants except for the obviously new file extension.
The way the recent Locky variants work has not changed, yet. Its distribution method still relies mostly through Nuclear Exploit Kit which uses compromised websites; and the technique on infecting their victims and dropping of payloads remain the same. However, there are recent indications regarding a high possibility of Locky adapting to a different distribution and execution technology.
Recently, a new Dridex campaign was seen utilizing an established and effective method of using PowerShell command by exploiting the known LNK vulnerability. Locky is now expected to move away momentarily from using malicious script attachments in its spam campaign to evade detection. According to Microsoft’s recent technical blog, “the Locky ransomware writers, possibly upon seeing that some emails are being proactively blocked”, could have prompted the change in tactic. Few cases were seen tied to .ODIN but none so far for the latest Locky variants.
New Locky variants are executed the same way as .ODIN. They both use legitimate Windows program RUNDLL32.EXE using the following command line:
Rundll32.exe %TEMP%\[dll_name].dll,<pre-defined text argument>
Notice the shift of using a more flexible argument string that is usually pre-defined within Locky’s script component. It should be noted that the infection routine will not pursue without specifying the required command argument.
Both Locky variants follows the .ODIN’s naming format for the encrypted files:
It also drops ransom notes on every affected location to inform the user about the infection.
After its encryption routine, it executes the following command line to delete the system’s Shadow Volume Copies so it will be impossible for the affected user to recover their encrypted personal files:
VSSADMIN.EXE Delete Shadows /Quiet /All
To complete the infection, both variants communicate to its CnC servers by accessing the following server file:
It was seen connecting on the following IP addresses
Information about these IP addresses reveals concentration of its server locations:
IP Address: 18.104.22.168
ASN: AS35415 WEBZILLA, NL (registered Aug 03, 2005)
IP Location: Russian Federation Moscow Mchost.ru
IP Address: 22.214.171.124
IP Location: Ukraine Lenina Pp Sks-lugan
ASN: Ukraine AS35804 ALNET-AS, UA (registered Oct 31, 2005)
IP Address: 126.96.36.199
IP Location: Russian Federation Anzhero-sudzhensk Mediaserviceplus Ltd.
ASN: Russian Federation AS43146 AGAVA3, RU (registered Jun 14, 2007)
IP Address: 188.8.131.52
IP Location: France Roubaix Webhost Llc Dmitrii Podelko
ASN: France AS16276 OVH, FR (registered Feb 15, 2001)
IP Address: 184.108.40.206
IP Location: Russian Federation Dmitrov Internet Hosting Ltd
ASN: Russian Federation AS42632 MNOGOBYTE-AS Moscow, Russia, RU (registered Mar 23, 2007)
IP Address: 220.127.116.11
IP Location: Ukraine Kiev Hostpro Ltd.
ASN: Ukraine AS196645 HOSTPRO-AS, UA (registered Jul 29, 2009)
.ODIN continuously hitting the European region since it was released. Statistics show countries like Germany and Netherlands had been the most affected. Few weeks after its released, Locky strikes again with two of its copycats: .SH*T and .THOR. They now join the ranks of other Locky variants that cause damages to millions of users around the world. Though there seem no stark differences from .ODIN, Locky is starting to adopt another malware technology to strengthen its defenses against AV detections.
There is still no available solution to reverse the encryption without paying the ransom. However, it is still highly recommended to recover the files from backup or if lucky, from Shadow Volume Copies if it is still existing in the system.
UPDATE: .AESIR is the new Locky extension (11/22/2016)
Another Locky variant was released yesterday: .AESIR. It is yet another Locky iteration that uses the names from Norse mythology: .THOR, .LOCKY and .ODIN. Similar to its predecessors, it is being distributed via Nuclear Exploit Kit. It arrives as spam containing heavily obfuscated script file attachment. Once executed, it connects to a compromised website to download the obfuscated Locky DLL binary. The new variant widens its infection coverage by encrypting more than 450 extension names. This a little upgrade from .ODIN’s 400 supported extensions.
New extensions .AESIR attacks
Encrypted files were renamed with a similar format:
It drops ransom notes on every affected location to inform the user about the infection:
Locky Script Downloaders:
.AESIR DLL binaries:
Complete list of extensions attacked by .AESIR
UPDATE: Yet another new Locky extension: .zzzzz (11/24/2016)
The newest Locky extension is now .zzzzz
JS Downloader for .zzzzz Locky: