After WannaCry, Mamba and Locky ransomware return to India

September 4, 2017 4:40 am

The Mamba ransomware attack is regarded as the nastiest malware of all: instead of affecting individual files, it takes over the entire hard disk.

What is Mamba ransomware?

Mamba ransomware is believed to be the worst of all malware because it encrypts whole hard drives instead of just files. It scrambles every sector on the hard drive, including the Master File Table (where information about every file and directory on the drive is stored), the operating system, shared files and personal data. The malware installs and activates a copy of the open-source software DiskCryptor, a Full Disk Encryption (FDE) tool. Once DiskCryptor encrypts a disk, it asks for a password every time the machine reboots. This password is then used to encrypt everything written to the HDD and to decrypt anything read from it.

What is Locky ransomware?

The Locky ransomware, on the other hand, has been one of the most widely distributed ransomware families, and it works by tricking victims into downloading an attachment. The attachment consists of scrambled, unreadable text with a title asking the user to enable macros (in Microsoft Word). When the victim does so, Locky is executed and, after encryption, renames all the important files so that they carry the extension .locky. Users can still use their system for internet browsing and other general tasks, but all their important files are rendered inaccessible. Locky demands a ransom of 0.25-1 Bitcoin, whereas Mamba does not have a fixed ransom.

More about Locky

Locky is ransomware distributed via malicious .doc files attached to spam email messages. Each Word document contains scrambled text, which appears to be macros. When users enable macro settings in Word, an executable file (the ransomware) is downloaded. Various files are then encrypted. Note that Locky changes all file names to a unique 16-letter-and-digit combination with a .diablo6, .aesir, .shit, .thor, .locky, .zepto or .odin file extension. Thus, it becomes virtually impossible to identify the original files. All are encrypted using the RSA-2048 and AES-1024 algorithms and, therefore, a private key (stored on remote servers controlled by cyber criminals) is required for decryption. To decrypt the files, victims must pay a ransom.

After the files are encrypted, Locky creates an additional .txt file and a _HELP_instructions.html (or _WHAT_is.html) file in each folder that contains encrypted files. Furthermore, this ransomware changes the desktop wallpaper. Both the text files and the wallpaper contain the same message informing users of the encryption. It states that files can only be decrypted using a decrypter developed by the cyber criminals and costing .5 Bitcoin (at the time of research, .5 BTC was equivalent to $207.63). To proceed, the victim must install the Tor browser and follow a link provided in the text files/wallpaper. The website contains step-by-step payment instructions. Locky also deletes all shadow volume copies of files. Currently, there are no tools capable of decrypting files affected by Locky; the only solution to this problem is to restore your files from a backup.

There are hundreds of ransomware-type infections similar or identical to Locky, including, for instance, Cryptowall, JobCrypter, UmbreCrypt, TeslaCrypt and DMA-Locker. All have identical behavior: they encrypt files and demand a ransom. The only differences are the size of the ransom and the type of algorithm used to encrypt the files. Research also shows that there is no guarantee that your files will ever be decrypted even after paying the ransom. By paying, you simply support the cyber criminals’ malicious businesses. Therefore, you should never pay the ransom or attempt to contact them. Be aware also that malware such as Locky is usually distributed via fake software updates, P2P networks, malicious email attachments and trojans. Therefore, it is very important to keep your installed software up to date and to double-check what you are downloading. Be cautious when opening email attachments sent from suspicious addresses and use a legitimate anti-spyware or anti-virus suite.

The Locky virus is perceived as one of the most destructive ransomware-type viruses; it takes over the system and initiates data encryption on it. The initial extension the virus used for encrypted files was .locky, but as the threat evolved, new extensions such as .diablo6, .osiris, .odin, .thor, .zepto, .shit, .aesir and .loptr emerged. The Diablo6 and Lukitus variants are the latest file extensions used by Locky ransomware.

In most cases, the victims download the ransomware to their computers themselves as a regular email attachment, typically a .doc file carrying an embedded script that is executed if Word macros are enabled. Then the AES and RSA encryption algorithms come into play, followed by the addition of specific file extensions to the affected files.

The file that provides data recovery instructions is called _Locky_recover_instructions.txt. It is saved on the computer’s desktop and opened each time the user tries to open any of the encrypted files.

While Locky was the biggest threat of 2016, experts doubt the virus will ever come close to its initial success. Nevertheless, this does not stop the ransomware creators from trying. In June, virus researchers detected a new variant of Locky spreading via a malicious spam campaign hosted by the Necurs botnet.

Unlike its predecessor, the malware currently infiltrates machines running outdated and unsupported Windows versions such as Windows Vista or XP. Later Windows versions are protected by Data Execution Prevention (DEP), which blocks the malware unpacker automatically [1].

The variants of the infection spread their malicious executable locky.exe via email, attached as a zip file labeled with random digits. Locky does not touch the tmp, AppData, Program Files, Windows and a few other folders, but encrypts the rest of the PC’s files with the RSA-2048 and AES-128 ciphers. Eventually, the virus marks encrypted documents with the .loptr extension and drops a document called loptr-[random_4_chars].htm listing the data recovery conditions.

Locky hit the web at the beginning of 2016 [2] and has been continuously rotating the distribution techniques and functionality it uses to extort people’s money ever since. This volatility and unpredictability led Locky to become the first ransomware to make it into the top three of the most dangerous malware list.

Together with the Conficker and Sality viruses, Locky is behind 50 percent of all recognized malicious cyber attacks [3]. It is not hard to notice that your device has been targeted by this parasite: the already mentioned .locky, .zepto, .odin, .shit, .osiris, .diablo6 and .lukitus file extensions give it away. If you see any of these extensions added to your scrambled files (see the picture below), you need to remove the Locky virus first. Otherwise, it can continue its encryption on your computer. Besides, it can affect files on your network and in similar locations.

For the removal of this ransomware and its files (the Shit version drops _WHAT_is.html, _[random numbers]_WHAT_is.html and _WHAT_is.bmp files), use Reimage or Plumbytes Anti-Malware. However, we must warn you that these programs cannot decrypt your encrypted files. Virus researchers are still in the middle of trying to find the “vaccine” for this version of the ransomware. However, to recover the “Locky files” you can use the Data Recovery tips created by 2-spyware.com researchers.
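As an added defender-side example (not code from the original post), the following Python scanner flags the file-name indicators the post lists: the Locky variant extensions, the ransom-note file names, and the renamed-file pattern. The "16 or more letters and digits" rule for renamed files and the sample share listing are assumptions constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Extensions the post attributes to Locky variants (matched case-insensitively).
LOCKY_EXTENSIONS = {"locky", "zepto", "odin", "shit", "thor", "aesir",
                    "osiris", "diablo6", "loptr", "lukitus"}

# Ransom-note file names the post mentions, lower-cased for comparison.
RANSOM_NOTE_NAMES = {"_help_instructions.html", "_what_is.html",
                     "_what_is.bmp", "_locky_recover_instructions.txt"}
# loptr-[random_4_chars].htm and _[random numbers]_WHAT_is.html from the post.
LOPTR_NOTE_RE = re.compile(r"^loptr-[a-z0-9]{4}\.htm$", re.IGNORECASE)
NUMBERED_WHAT_IS_RE = re.compile(r"^_\d+_what_is\.html$", re.IGNORECASE)

# Assumption: the post says renamed files get a 16-letter-and-digit name; accept 16+.
ENCRYPTED_STEM_RE = re.compile(r"^[A-Za-z0-9-]{16,}$")


def classify(path):
    """Return 'ransom_note', 'encrypted' or None for a single file path."""
    name = PurePosixPath(path).name
    if (name.lower() in RANSOM_NOTE_NAMES or LOPTR_NOTE_RE.match(name)
            or NUMBERED_WHAT_IS_RE.match(name)):
        return "ransom_note"
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in LOCKY_EXTENSIONS and ENCRYPTED_STEM_RE.match(stem):
        return "encrypted"
    return None


def scan(paths):
    """Group Locky indicators by kind and record which directories were hit."""
    report = {"encrypted": [], "ransom_note": [], "hit_dirs": set()}
    for p in paths:
        kind = classify(p)
        if kind:
            report[kind].append(p)
            report["hit_dirs"].add(str(PurePosixPath(p).parent))
    return report


# Constructed sample listing of a file share (not real indicators).
SAMPLE_PATHS = [
    "/srv/share/finance/F67091F1D24A922B.locky",
    "/srv/share/finance/_Locky_recover_instructions.txt",
    "/srv/share/hr/024BCD3341D1ACD33EEA.zepto",
    "/srv/share/hr/_HELP_instructions.html",
    "/srv/share/hr/loptr-a1b2.htm",
    "/srv/share/hr/_42817_WHAT_is.html",
    "/srv/share/docs/budget-2017.xlsx",   # ordinary file, must not match
    "/srv/share/docs/short.locky",        # extension alone is not enough
]
```

Running `scan(SAMPLE_PATHS)` on a real listing (for example the output of `find` over a share) gives a per-directory picture of how far the encryption has spread before you restore from backup.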

Answers on Locky Questions:

Question: Can I decrypt my files after the infiltration of Locky virus?

Answer: Unfortunately, there is no Locky decrypter yet. If you cannot remember backing up your data, which is the only process capable of preventing the loss of your files, you can try software such as Photorec, Kaspersky’s virus-fighting utilities or R-Studio. However, there is no guarantee that these programs will get your files back. Also, you should not forget the security of your computer. You must remove the Locky virus from the system ASAP. For that, we recommend installing Reimage.

Question: I have just received an email message saying “Please see the attached invoice”. Also, it has the “ATTN: Invoice J-98223146” document added to it. Unfortunately, I have already downloaded it, and now my files are blocked! Why?

Answer: Unfortunately, you were infected with the Locky virus. This is a seriously dangerous virus, which requires a special payment before giving people an opportunity to decrypt their files. To fix your computer and remove malicious files, please check the step-by-step guide given below.

Question: How could I remove Locky virus? Will this help me recover my files that are blocked by this ransomware?

Answer: Unfortunately, the easiest way to “unlock” your files is to enter the key, which is held by the Locky developers. This key cannot be guessed or stolen, so the only option for obtaining it is to pay the ransom to its developers. However, you could try to recover your files from their backups.

Check your CDs, external drives, Dropbox and similar online services for them. To remove the Locky virus from your computer, you should install a reliable anti-spyware program and check your computer for malicious files with its help.

For further queries, or for network audits covering ransomware preventive measures, contact us at infosec@primeinfoserv.com


This post was written by Sudipta Biswas
