Analysis of new versions of Locky ransomware

PUBLISHED ON MAR 28, 2016 — MALWARE, SECURITY

I don’t know if you know, but a researcher at the French cybersecurity company Lexsi named Sylvain Sarméjeanne did some research on Locky, which is probably the most widespread ransomware.

He found some bugs we can use to build a vaccine against this malware. All of these bugs are based on the registry key Locky creates when it is executed on the computer. This key was HKCU\Software\Locky.

He also found, among other things, that if you create this key before Locky runs and give it read-only rights, Locky stops its execution.

After reading this, I wrote a little program named LockyVaccine that creates this registry key just by clicking on the executable. That is easier for the majority of Windows users than opening regedit to add the key by hand.
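As an added illustration of the vaccine idea described above (this is example code written for this page, not the author's LockyVaccine tool and not Lexsi's procedure), the PowerShell below creates HKCU\Software\Locky ahead of the malware and strips write access from it, then verifies that a write to the key is actually refused. The post does not say which exact permissions Lexsi used, so the choice of a Deny ACE for Everyone on SetValue, CreateSubKey and Delete is an assumption; the key and value names are the ones the post gives.

```powershell
# Added example, not the author's LockyVaccine code.
# Creates HKCU\Software\Locky (the key the post says early Locky builds write to)
# and denies write access to it, so a build that depends on writing there aborts.
# Assumption: the post does not state the exact ACL Lexsi used; this script
# denies SetValue, CreateSubKey and Delete to Everyone and leaves read access alone.

$KeyPath = 'HKCU:\Software\Locky'

function Install-LockyVaccine {
    param([string]$Path = $KeyPath)

    # Create the key if it does not exist yet.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Rights the malware would need to store its state under this key.
    $denied = ([System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete)

    # Deny ACE for Everyone, inherited by any subkey created later.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList ('Everyone', $denied, 'ContainerInherit', 'None', 'Deny')

    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-LockyVaccine {
    param([string]$Path = $KeyPath)

    # No key at all means nothing is protecting the machine.
    if (-not (Test-Path -Path $Path)) { return $false }

    try {
        # Any value write must be rejected by the Deny ACE.
        New-ItemProperty -Path $Path -Name 'vaccine_probe' -Value 1 `
            -PropertyType DWord -ErrorAction Stop | Out-Null

        # The write went through, so the key is still writable; remove the probe.
        Remove-ItemProperty -Path $Path -Name 'vaccine_probe' -ErrorAction SilentlyContinue
        return $false
    } catch {
        # Access denied: the vaccine is in place.
        return $true
    }
}

Install-LockyVaccine
if (Test-LockyVaccine) {
    Write-Host "Vaccine in place: $KeyPath exists and cannot be written to."
} else {
    Write-Host "Vaccine NOT in place: $KeyPath is still writable."
}
```

Run it in the account the malware would run under, since HKCU is per user. Because the Deny ACE applies to Everyone, removing the key later means taking ownership of it and deleting the rule first; and, as the rest of the post shows, this only helps against builds that use this fixed key name.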

The problem

There’s a lot of money at stake. More and more ransomware is being spread, and victims often pay the ransom.

The vaccines proposed by Lexsi work very well with old versions of Locky, but the malware’s writers have now created new versions of the ransomware that don’t use this registry key.

Analysis of the new versions

So, what can we do against that? Check what they do and how…

To analyze the new versions of Locky, I opened my favorite malware database and downloaded all samples tagged as Locky.

I found something interesting: all tested versions use the same registry key on my testing machine (Windows XP Pro SP1): nljkAgC2.

To be sure that this is a hardcoded name, I built another virtual machine with a different Windows XP configuration. If the malware wrote the same key there, we could assume that the key name is not dynamic.

And it failed! A new key name appeared: Tksg9cpHajgzp.

So, it means that the key name is generated dynamically for each computer. It’s half-bad news. Only half-bad, because it means that we can reverse the algorithm to find out how the key name is generated.

Locky still stops when it can’t write its information to this registry key. That’s very good news!

It’s time for reverse engineering, so I will try to analyze Locky to understand how the registry key generation works. I will write another post to explain what I find.

UPDATE:

Sylvain Sarméjeanne analysed the new version of Locky and wrote a post explaining how to create a vaccine against this version.