Ransom_LOCKY usually arrives via socially engineered spam mail that tricks the user into opening the attachment.
No exploits are used in the spam; opening the attached DOC file triggers its execution. The DOC contains macro code that drops a BAT file. The BAT file in turn drops a VBS file, which performs the download of Ransom_LOCKY.
The ransomware then deletes shadow copies by running vssadmin.exe. It adds a run key entry so that it executes at every system start-up; this run key entry lets it resume encrypting files if an earlier execution was interrupted.
The dropped copy, once executed, attempts to retrieve a unique ID, a public key and the ransom note from a certain registry location. If it fails to retrieve this information from the registry, it contacts its C&C server to obtain it and saves it to the registry.
The public key is used for its RSA encryption algorithm.
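The infection chain above (Office document spawning a script host, vssadmin.exe deleting shadow copies, a Run key written for persistence) is exactly the kind of behaviour that host telemetry can catch before encryption completes. The following detection sketch is an added example written for this page; it is not Trend Micro code and not the AEGIS behaviour-monitoring rules listed below. It runs three rules over constructed, simplified Sysmon-style process and registry events and then correlates hits per host. The log lines, host names, file names and rule names are all constructed for the example; the Office and script-host lists generalise slightly beyond the DOC/BAT/VBS chain the page describes.

```python
"""Behaviour-based detection sketch for a Locky-style infection chain.

Added example for illustration only (not vendor code). Event format is a
constructed, simplified pipe-separated form:
  host|process|parent_image|image|command_line
  host|registry|image|target_object|details
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign noise.
SAMPLE_LOG = r"""
WS01|process|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd /c C:\Users\alice\AppData\Local\Temp\dropper.bat
WS01|process|C:\Windows\System32\cmd.exe|C:\Windows\System32\wscript.exe|wscript.exe //B C:\Users\alice\AppData\Local\Temp\loader.vbs
WS01|process|C:\Users\alice\AppData\Local\Temp\payload.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe Delete Shadows /Quiet /All
WS01|registry|C:\Users\alice\AppData\Local\Temp\payload.exe|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\alice\AppData\Local\Temp\payload.exe
WS02|process|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c dir
WS02|process|C:\Windows\System32\svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
"""

# Rule inputs (hypothetical names; the Office list goes beyond the DOC case on the page).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    evidence: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the constructed pipe-separated lines into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        host, kind = parts[0], parts[1]
        if kind == "process":
            events.append({"host": host, "type": kind, "parent": parts[2],
                           "image": parts[3], "cmdline": parts[4]})
        elif kind == "registry":
            events.append({"host": host, "type": kind, "image": parts[2],
                           "target": parts[3], "details": parts[4]})
    return events


def evaluate(events: List[Dict[str, str]]) -> List[Alert]:
    """Apply the three chain rules to each event and return every hit."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["type"] == "process":
            parent, image = basename(ev["parent"]), basename(ev["image"])
            # Rule 1: macro stage - an Office app launching a script/command host.
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(Alert(ev["host"], "office_spawns_script_host", ev["cmdline"]))
            # Rule 2: shadow copy deletion via vssadmin ("list shadows" does not match).
            if image == "vssadmin.exe" and SHADOW_DELETE_RE.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "registry":
            # Rule 3: value written under a CurrentVersion\Run key.
            if RUN_KEY_RE.search(ev["target"]):
                alerts.append(Alert(ev["host"], "run_key_persistence", ev["target"]))
    return alerts


def correlate(alerts: List[Alert], min_rules: int = 2) -> Dict[str, List[str]]:
    """Hosts that trip at least `min_rules` distinct rules are escalated as a likely chain."""
    by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.rule)
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = evaluate(parse_events(SAMPLE_LOG))
    for a in hits:
        print(f"{a.host}: {a.rule} <- {a.evidence}")
    print("escalated:", correlate(hits))
```

Individually, each rule is noisy (administrators do run vssadmin, and some line-of-business macros do launch cmd.exe), which is why the per-host correlation is the part worth tuning: a single host hitting two or more of these stages within a short window is a far stronger signal than any one of them alone, and the Run key write combined with shadow deletion maps directly to the persistence and recovery-inhibition steps described above.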
Antispam Pattern
LAYER | DETAILS | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
DYNAMIC | Spam Mail with attached document | AS 2146 | 2/21/2016 |
VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
INFECTION | HB_LOCKYJ | ENT 12.393.00 | 3/9/2016 |
INFECTION | HB_LOCKYM | ENT 12.407.00 | 3/15/2016 |
INFECTION | Ransom_LOCKY.SM | ENT 12.359.00 | 2/24/2016 |
INFECTION | Ransom_LOCKY.SM0 | ENT 12.359.00 | 2/24/2016 |
INFECTION | Ransom_LOCKY.SM1 | ENT 12.361.00 | 2/25/2016 |
INFECTION | Ransom_LOCKY.SM2 | ENT 12.361.00 | 2/25/2016 |
WRS Pattern (Malicious URL and Classification)
LAYER | URL | CATEGORY | BLOCKING DATE |
---|---|---|---|
INFECTION | _http://{BLOCKED}.be/1/1.exe | Virus Accomplice | 2/19/2016 |
INFECTION | _http://{BLOCKED}.de/5/5.exe | Virus Accomplice | 2/19/2016 |
INFECTION | _http://{BLOCKED}.it/7/7.exe | Virus Accomplice | 2/19/2016 |
INFECTION | _http://{BLOCKED}.pl/3/3.exe | Virus Accomplice | 2/19/2016 |
CLEAN-UP | _http://{BLOCKED}.in | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.in/c43344d5351f579349b5f90e1a038859 | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.eu/main.php | Ransomware | 2/19/2016 |
CLEAN-UP | _http://{BLOCKED}.pw | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.in | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.in | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.it | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.eu | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.ru | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.in/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.ru/system/logs/56y4g45gh45h | Disease Vector | 2/19/2016 |
CLEAN-UP | _http://{BLOCKED}.eu/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.vn/system/logs/56y4g45gh45h | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}.com/system/logs/56y4g45gh45h | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | _http://{BLOCKED}/main.php | Ransomware | 2/20/2016 |
AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
DYNAMIC | 1981T | TMTD 1526 | 3/23/2016 |
DYNAMIC | 1981F | TMTD 1529 | 4/5/2016 |
DYNAMIC | 1980T | TMTD 1526 | 3/23/2016 |
DYNAMIC | 1980F | TMTD 1529 | 4/5/2016 |
DYNAMIC | 1856T | OPR 1483 | 10/6/2015 |
DCT Pattern (System Clean Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
CLEANUP | TSC_GENCLEAN | Latest DCT OPR | BUILT-IN |
Network Pattern
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
CLEANUP | HTTP_RANSOM_LOCKY_REQUEST | RR 1.10151.00 | 3/15/2016 |
Solution Map
Major Products | Versions | Virus Pattern | Behavior Monitoring | Web Reputation | DCT Pattern | Antispam Pattern | Network Pattern |
---|---|---|---|---|---|---|---|
OfficeScan | 10.6 and above | Update Pattern via web console | Update Pattern via web console | Enable Web Reputation Service* | Update Pattern via web console | N/A | Update Pattern via web console |
Deep Security | 8.0 and above | N/A | N/A | | | | |
ScanMail | SMEX 10 and later | N/A | N/A | Update Pattern via web console | N/A | | |
ScanMail | SMD 5 and later | N/A | N/A | N/A | | | |
InterScan Messaging | IMSVA 8.0 and above | N/A | N/A | N/A | | | |
InterScan Web | IWSVA 6.0 and later | N/A | N/A | N/A | | | |
Deep Discovery | DDI 3.0 and later | N/A | N/A | N/A | Update Pattern via web console | | |
Recommendations
- Ransomware: Trend Micro Solutions, Best Practice Configuration and Prevention
- Recommendations on how to best protect your network using Trend Micro products