Emerging Threat on RANSOM

Emerging Threat on RANSOM_LOCKY

- Updated:
- 25 Mar 2019
- Product/Version:
- Deep Discovery Inspector 3.6
- Deep Discovery Inspector 3.7
- Deep Discovery Inspector 3.8
- Deep Discovery Inspector 5.0
- Deep Security 10.0
- Deep Security 10.1
- Deep Security 9.0
- Deep Security 9.5
- Deep Security 9.6
- InterScan Messaging Security Virtual Appliance 8.2
- InterScan Messaging Security Virtual Appliance 8.5
- InterScan Messaging Security Virtual Appliance 9.0
- InterScan Messaging Security Virtual Appliance 9.1
- InterScan Web Security Virtual Appliance 6.0
- InterScan Web Security Virtual Appliance 6.5
- OfficeScan 10.6
- OfficeScan 11.0
- ScanMail for Exchange 10.2
- ScanMail for Exchange 11.0
- ScanMail for Exchange 12.0
- ScanMail for Exchange 12.5
- ScanMail for Exchange 14.0
- ScanMail for IBM Domino 5.6 Linux
- ScanMail for IBM Domino 5.6 Windows
- Worry-Free Business Security Standard/Advanced 9.0
- Platform:
- N/A N/A

Ransom_LOCKY usually arrives via social engineered spam mails to trick user into clicking the attachment.

No exploits are used in the spam. Clicking the attached DOC file triggers its execution. This DOC has a macro code that then drops a BAT file. The BAT file will also drop a VBS file which performs the download of Ransom_LOCKY.

The ransomware then deletes shadow copies by running vssadmin.exe. It adds a run key entry to enable its execution during every system start-up. The run key entry enables it to continue encrypting files if interrupted during previous executions.

The dropped copy, once executed, attempts to retrieve a unique ID, public key and ransom note from a certain registry. If it fails to retrieve information from this registry, it contacts its C&C server to obtain those information and saves it to the registry.

The public key is used for its RSA encryption algorithm.

Antispam Pattern

LAYER	DETAILS	PATTERN VERSION	RELEASE DATE
DYNAMIC	Spam Mail with attached document	AS 2146	2/21/2016

VSAPI Pattern (Malicious File Detection)

LAYER	DETECTION	PATTERN VERSION	RELEASE DATE
INFECTION	HB_LOCKYJ	ENT 12.393.00	3/9/2016
INFECTION	HB_LOCKYM	ENT 12.407.00	3/15/2016
INFECTION	Ransom_LOCKY.SM	ENT 12.359.00	2/24/2016
INFECTION	Ransom_LOCKY.SM0	ENT 12.359.00	2/24/2016
INFECTION	Ransom_LOCKY.SM1	ENT 12.361.00	2/25/2016
INFECTION	Ransom_LOCKY.SM2	ENT 12.361.00	2/25/2016

WRS Pattern (Malicious URL and Classification)

LAYER	URL	CATEGORY	BLOCKING DATE
INFECTION	_http://{BLOCKED}.be/1/1.exe	Virus Accomplice	2/19/2016
INFECTION	_http://{BLOCKED}.de/5/5.exe	Virus Accomplice	2/19/2016
INFECTION	_http://{BLOCKED}.it/7/7.exe	Virus Accomplice	2/19/2016
INFECTION	_http://{BLOCKED}.pl/3/3.exe	Virus Accomplice	2/19/2016
CLEAN-UP	_http://{BLOCKED}.in	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.in/c43344d5351f579349b5f90e1a038859	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.eu/main.php	Ransomware	2/19/2016
CLEAN-UP	_http://{BLOCKED}.pw	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.in	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.in	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.it	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.eu	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.ru	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.in/main.php	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.ru/system/logs/56y4g45gh45h	Disease Vector	2/19/2016
CLEAN-UP	_http://{BLOCKED}.eu/main.php	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.vn/system/logs/56y4g45gh45h	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}.com/system/logs/56y4g45gh45h	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}/main.php	Ransomware	2/20/2016
CLEAN-UP	_http://{BLOCKED}/main.php	Ransomware	2/20/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER	DETECTION	PATTERN VERSION	RELEASE DATE
DYNAMIC	1981T	TMTD 1526	3/23/2016
DYNAMIC	1981F	TMTD 1529	04/05/16
DYNAMIC	1980T	TMTD 1526	3/23/2016
DYNAMIC	1980F	TMTD 1529	04/05/16
DYNAMIC	1856T	OPR 1483	10/6/2015

DCT Pattern (System Clean Pattern)

LAYER	DETECTION	PATTERN VERSION	RELEASE DATE
CLEANUP	TSC_GENCLEAN	Latest DCT OPR	BUILT-IN

Network Pattern

LAYER	DETECTION	PATTERN VERSION	RELEASE DATE
CLEANUP	HTTP_RANSOM_LOCKY_REQUEST	RR 1.10151.00	3/15/2016

Make sure to always use the latest pattern available to detect the old and new variants of Ransom_LOCKY.

Major Products	Versions	Virus Pattern	Behavior Monitoring	Web Reputation	DCT Pattern	Antispam Pattern	Network Pattern
OfficeScan	10.6 and above	Update Pattern via web console	Update Pattern via web console	Enable Web Reputation Service*	Update Pattern via web console	N/A	Update Pattern via web console
Deep Security	8.0 and above	N/A	N/A
ScanMail	SMEX 10 and later	N/A	N/A	Update Pattern via web console	N/A
SMD 5 and later	N/A	N/A	N/A
InterScan Messaging	IMSVA 8.0 and above	N/A	N/A	N/A
InterScan Web	IWSVA 6.0 and later	N/A	N/A	N/A
Deep Discovery	DDI 3.0 and later	N/A	N/A	N/A	Update Pattern via web console

Major Products

Versions

Virus Pattern

Behavior Monitoring

Web Reputation

DCT Pattern

Antispam Pattern

Network Pattern

OfficeScan

10.6 and above

Update Pattern via web console

Enable Web Reputation Service*

Update Pattern via web console

N/A

Update Pattern via web console

Deep Security

8.0 and above

N/A

ScanMail

SMEX 10 and later

N/A

Update Pattern via web console

N/A

SMD 5 and later

N/A

InterScan Messaging

IMSVA 8.0 and above

N/A

InterScan Web

IWSVA 6.0 and later

N/A

Deep Discovery

DDI 3.0 and later

N/A

Update Pattern via web console

Need More Help?

Emerging Threat on RANSOM_LOCKY