Locky

from Wikipedia, the free encyclopedia
Screenshot of the German version of Locky's "ransom note"

Locky is malware for Windows and Mac OS. It came into circulation in February 2016 in various countries around the world, especially in Germany. It is an encryption trojan (ransomware) that encrypts files on infected computers. The blackmailers then try to extract a "ransom" from the users of the infected PCs in exchange for decryption. Since Locky "only" encrypts user data, it does not need extensive rights on the infected computer system and can therefore operate successfully on platforms that were not previously considered at risk.

Functionality

The Locky Trojan encrypts all files on infected PCs. After encryption, the files carry the extension .locky, which gave the Trojan its name. A message on the screen informs the PC user that the encryption has been carried out with an RSA encryption key according to the AES standard. In addition, the "ransom note" names several Internet addresses (links) of websites and, alternatively, a Tor network access point, from which one learns that software called Locky Decryptor can be obtained for a payment of 0.5 Bitcoin (then around 200 euros) to decrypt the files. Experts believe that such a "ransom payment" does not guarantee decryption by the extortionist.

Since June 28, 2016, a further ransomware derived from Locky has been circulating under the name Zepto, which likewise names the extension of the encrypted files after itself.

Distribution

The Trojan initially spread through Microsoft Office documents attached to e-mails that were sent in the form of invoices. After opening the attached invoice, the recipient was prompted to execute macro code contained in the document in order to view the bill. In Germany the malware spread rapidly within a few days in February 2016; the press reported that around 17,000 computers were infected in a single day. Windows PCs at the Fraunhofer Center for High-Temperature Lightweight Construction (HTL) in Bayreuth were among those infected.

On February 22, 2016 it was reported that the encryption Trojan was also being sent as a packed JavaScript file attached to e-mails. The purported sender is a well-known German manufacturer of meat products. The malicious file is disguised as a company invoice and, if it is executed on the victim's PC by the Windows Script Host interpreter, it downloads further malicious code from a specific URL.

On February 24, 2016 another method of spreading Locky became known: e-mails that appear to have been sent from a scanner with a mail function, i.e. the allegedly scanned documents are attached. The sender address uses the domain of the recipient's own address, following the pattern scanner@<recipient's domain>. The subject may be "Scanned image".

On February 26, 2016, a new distribution mechanism using batch files was reported.

Since March 2, 2016 at the latest, Locky has also been distributed by means of a forged e-mail from the Federal Criminal Police Office (BKA). The e-mail carries an alleged BKA analysis tool named BKA Locky Removal Kit.exe as an attachment. The method that became known on February 24 is now often found with the subject Whitehouse paperwork.

On June 21, 2016, after a break of a few weeks, fake e-mails were sent again for the first time, with either an application or a reminder as the subject. The e-mails contain a zip file as an attachment, which not only works with macros in Word documents but also runs its routine via the Windows Script Host. The new version can also detect virtualization by an anti-virus program and must be launched with the argument 123 in order to run.
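As an added example (not from the article or any source it cites), the following Python triage function checks constructed e-mail metadata for the lure characteristics described in this section: a sender forged as scanner@ the recipient's own domain, the subjects "Scanned image" and "Whitehouse paperwork", and script, executable or macro-capable attachments, including ones packed inside a zip. The sample messages and the set of macro-capable Office extensions are assumptions.

```python
import os
from email.utils import parseaddr

# Lure characteristics named in the article; the macro-capable extension
# set and the sample messages below are this example's own assumptions.
LURE_SUBJECTS = {"scanned image", "whitehouse paperwork"}
SCRIPT_EXTS = {".js", ".bat", ".exe"}            # WSH JavaScript, batch, fake BKA tool
MACRO_EXTS = {".doc", ".docm", ".xls", ".xlsm"}  # assumption: macro-capable Office formats

def _ext(name):
    return os.path.splitext(name.lower())[1]

def locky_indicators(sender, recipient, subject, attachments):
    """Return the lure indicators found in one message's metadata; a file
    inside a zip is written "archive.zip/inner.js" (constructed convention)."""
    hits = []
    s_local, s_domain = parseaddr(sender)[1].lower().rpartition("@")[::2]
    r_domain = parseaddr(recipient)[1].lower().rpartition("@")[2]
    if s_local == "scanner" and s_domain == r_domain:  # forged scanner@<own domain>
        hits.append("sender spoofs scanner@<recipient domain>")
    if subject.strip().lower() in LURE_SUBJECTS:
        hits.append(f"known lure subject: {subject!r}")
    for name in attachments:
        outer, _, inner = name.partition("/")
        leaf, ext = (inner or outer), _ext(inner or outer)
        if ext in SCRIPT_EXTS:
            hits.append(f"script or executable attachment: {leaf}")
        elif ext in MACRO_EXTS:
            hits.append(f"macro-capable Office attachment: {leaf}")
        # Active content delivered inside a zip, as in the June 2016 wave
        if inner and _ext(outer) == ".zip" and ext in SCRIPT_EXTS | MACRO_EXTS:
            hits.append(f"active content inside archive: {name}")
    return hits

SAMPLE_MESSAGES = [  # constructed examples, not real captures
    dict(sender="scanner@example.org", recipient="alice@example.org",
         subject="Scanned image", attachments=["scan_0042.zip/scan_0042.js"]),
    dict(sender="accounting@example.net", recipient="bob@example.org",
         subject="Invoice 2016-0217", attachments=["Invoice.docm"]),
    dict(sender="info@example.org", recipient="carol@example.org",
         subject="Whitehouse paperwork", attachments=["paperwork.pdf"]),
    dict(sender="news@example.com", recipient="dave@example.org",
         subject="Monthly update", attachments=["update.pdf"]),
]

def triage(messages):
    """Map the index of each flagged message to its list of indicators."""
    results = ((i, locky_indicators(**m)) for i, m in enumerate(messages))
    return {i: hits for i, hits in results if hits}
```

Running triage(SAMPLE_MESSAGES) flags the first three constructed messages and leaves the plain newsletter untouched.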

Behavior after the infestation and data recovery

The German Federal Office for Information Security (BSI) advised in February 2016 not to give in to the extortion and not to make a payment, because the files or programs are often not decrypted despite payment. It is different in the USA: the FBI allegedly advises paying, because there is no other way to recover the hijacked data.

However, the encrypted files should be kept, since procedures that can break the encryption of a blackmail Trojan often become known after a while. According to the BSI, affected users should "take a picture of the screen including the blackmail message and report it to the police". After that, usually only a complete reinstallation of the computer (to restore a "clean" operating system) helps, followed by restoring a data backup, provided one exists, for example on a separate hard drive or a USB stick that was not connected to the computer at the time of infection.
