Emerging Threat on RANSOM_LOCKY

    • Updated: 10 May 2016
    • Product/Version:
    • Deep Discovery Inspector 3.6
    • Deep Discovery Inspector 3.7
    • Deep Discovery Inspector 3.8
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 10.6
    • OfficeScan 11.0
    • ScanMail for Exchange 10.2
    • ScanMail for Exchange 11.0
    • ScanMail for Exchange 12.0
    • ScanMail for IBM Domino 5.6 Linux
    • ScanMail for IBM Domino 5.6 Windows
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform: N/A
Summary

Ransom_LOCKY usually arrives as a socially engineered spam email that tricks the user into opening the attached document.

No exploit is involved: the infection depends on the user opening the attached DOC file and letting its macro run. The macro drops a BAT file, which in turn drops a VBS file; the VBS script then downloads the Ransom_LOCKY executable.

Once running, the ransomware deletes the Volume Shadow Copies by invoking vssadmin.exe, which removes the local restore points a victim could otherwise use to recover files. It also adds a Run key entry so that it is executed at every system start-up; this lets it resume encryption if a previous run was interrupted.

The dropped copy first tries to read its unique victim ID, the public key and the ransom note from a registry location. If these values are not present, it contacts its C&C server to obtain them and stores them in the registry for subsequent runs.

The public key is used for its RSA encryption. The matching private key never reaches the victim machine, so encrypted files cannot be decrypted locally without it; recovery depends on backups, which is why the shadow copy deletion matters.
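As an added illustration (not part of this article and not Trend Micro code), the following detection logic flags each stage of the chain described above when run over Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) events: an Office application spawning a script host, a script host launching an executable from a user-writable directory, vssadmin.exe deleting shadow copies, and a Run key value that points into a user-writable path. The event records are constructed for the example; the file names, paths, SID and Run value name are assumptions, not indicators from this article.

```python
"""Flag the RANSOM_LOCKY infection stages in Sysmon-style telemetry.

Added example, not Trend Micro code. Field names follow Sysmon's schema
(Image, ParentImage, CommandLine, TargetObject, Details); the event
contents below are constructed and the paths/names are assumptions.
"""
import re
from typing import List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Directories a standard user can write to, where droppers stage payloads.
USER_WRITABLE = re.compile(r"\\(temp|appdata)\\", re.IGNORECASE)
# Any per-user or machine-wide Run key (HKU\...\Run\<value> or HKLM\...\Run\<value>).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: List[dict]) -> List[str]:
    """Return one finding string per event that matches a stage of the chain."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image = _basename(ev["Image"])
            parent = _basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "").lower()
            # Stage 1: the DOC macro launches cmd.exe / wscript.exe from Word.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                findings.append(f"macro dropper: {parent} -> {image}")
            # Stage 2: the BAT/VBS stage runs the downloaded payload from %TEMP%/AppData.
            elif parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev["Image"]):
                findings.append(f"dropped payload: {parent} -> {ev['Image']}")
            # Stage 3: shadow copies deleted to defeat local recovery.
            if image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                findings.append("shadow copy deletion: " + ev["CommandLine"])
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "")
            details = ev.get("Details", "")
            # Stage 4: Run key persistence pointing at a user-writable binary.
            if RUN_KEY.search(target) and USER_WRITABLE.search(details):
                findings.append(f"Run key persistence: {target} = {details}")
    return findings


# Constructed sample telemetry (assumed names; not indicators from the article).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE invoice.doc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\stage1.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript.exe C:\Users\bob\AppData\Local\Temp\stage2.vbs"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\payload.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /Quiet /All"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\dropped",
     "Details": r"C:\Users\bob\AppData\Local\Temp\payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The benign notepad.exe event produces no finding, and the wscript.exe launch itself is not flagged because the script host lives in System32; only the executable it starts from %TEMP% is. In production the same rules map directly onto Sysmon or EDR queries, and the vssadmin rule is worth keeping even where the rest is tuned out, since shadow copy deletion is rarely legitimate on a workstation.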


Antispam Pattern

LAYER | DETAILS | PATTERN VERSION | RELEASE DATE
DYNAMIC | Spam Mail with attached document | AS 2146 | 2/21/2016

VSAPI Pattern (Malicious File Detection)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
INFECTION | HB_LOCKYJ | ENT 12.393.00 | 3/9/2016
INFECTION | HB_LOCKYM | ENT 12.407.00 | 3/15/2016
INFECTION | Ransom_LOCKY.SM | ENT 12.359.00 | 2/24/2016
INFECTION | Ransom_LOCKY.SM0 | ENT 12.359.00 | 2/24/2016
INFECTION | Ransom_LOCKY.SM1 | ENT 12.361.00 | 2/25/2016
INFECTION | Ransom_LOCKY.SM2 | ENT 12.361.00 | 2/25/2016

WRS Pattern (Malicious URL and Classification)

LAYER | URL | CATEGORY | BLOCKING DATE
INFECTION | http://{BLOCKED}.be/1/1.exe | Virus Accomplice | 2/19/2016
INFECTION | http://{BLOCKED}.de/5/5.exe | Virus Accomplice | 2/19/2016
INFECTION | http://{BLOCKED}.it/7/7.exe | Virus Accomplice | 2/19/2016
INFECTION | http://{BLOCKED}.pl/3/3.exe | Virus Accomplice | 2/19/2016
CLEAN-UP | http://{BLOCKED}.in | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.in/c43344d5351f579349b5f90e1a038859 | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.eu/main.php | Ransomware | 2/19/2016
CLEAN-UP | http://{BLOCKED}.pw | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.in | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.in | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.it | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.eu | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.ru | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.in/main.php | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.ru/system/logs/56y4g45gh45h | Disease Vector | 2/19/2016
CLEAN-UP | http://{BLOCKED}.eu/main.php | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.vn/system/logs/56y4g45gh45h | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}.com/system/logs/56y4g45gh45h | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}/main.php | Ransomware | 2/20/2016
CLEAN-UP | http://{BLOCKED}/main.php | Ransomware | 2/20/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
DYNAMIC | 1981T | TMTD 1526 | 3/23/2016
DYNAMIC | 1981F | TMTD 1529 | 4/5/2016
DYNAMIC | 1980T | TMTD 1526 | 3/23/2016
DYNAMIC | 1980F | TMTD 1529 | 4/5/2016
DYNAMIC | 1856T | OPR 1483 | 10/6/2015

DCT Pattern (System Clean Pattern)

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEANUP | TSC_GENCLEAN | Latest DCT OPR | BUILT-IN

Network Pattern

LAYER | DETECTION | PATTERN VERSION | RELEASE DATE
CLEANUP | HTTP_RANSOM_LOCKY_REQUEST | RR 1.10151.00 | 3/15/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of Ransom_LOCKY.
Details

Solution Map

Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern
OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | N/A | Update Pattern via web console
Deep Security | 8.0 and above | surviving cells, column positions lost: N/A; N/A
ScanMail | SMEX 10 and later | surviving cells, column positions lost: N/A; N/A; Update Pattern via web console; N/A
ScanMail | SMD 5 and later | surviving cells, column positions lost: N/A; N/A; N/A
InterScan Messaging | IMSVA 8.0 and above | surviving cells, column positions lost: N/A; N/A; N/A
InterScan Web | IWSVA 6.0 and later | surviving cells, column positions lost: N/A; N/A; N/A
Deep Discovery | DDI 3.0 and later | surviving cells, column positions lost: N/A; N/A; N/A; Update Pattern via web console

*Refer to your product's Administrator's Guide for how to enable the Email Reputation or Web Reputation services.

Category: Configure; Troubleshoot; Remove a Malware / Virus; Update
Solution Id: 1113859