Ransom_LOCKY usually arrives via socially engineered spam emails that trick users into opening the attachment.
No exploit is used in the spam; the user has to open the attachment to start the infection chain. The attachment has been observed to be a DOC file containing macro code that, when executed, drops a BAT file. The BAT file in turn drops a VBS file, which downloads this ransomware.
Once running, the ransomware deletes shadow copies by running vssadmin.exe (removing the Volume Shadow Copy restore points a victim could otherwise recover files from) and adds a Run key entry so that it executes at every system start-up. The Run key entry lets the ransomware resume encrypting files if the previous execution was interrupted.
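The chain above (Office document macro launching cmd.exe for the BAT, cmd.exe launching a script host for the VBS, vssadmin.exe deleting shadow copies, and a Run key written for persistence) is what an endpoint detection rule can key on. The following is an added example written for this page, not Trend Micro's detection code: it runs simple rules over constructed Sysmon-style process-creation and registry events in a hypothetical `key=value|key=value` log format; all paths, file names and the `drop.bat` / `dl.vbs` / `payload.exe` names are assumptions.

```python
"""Detection logic for the infection chain described above.

Constructed Sysmon-style events (process creation with parent image, and
registry value set) are embedded inline as SAMPLE_LOG. The rules flag:
  - an Office application spawning cmd.exe   (macro launches the dropped BAT)
  - cmd.exe launching a script host on a .vbs (BAT launches the dropped VBS)
  - vssadmin.exe deleting shadow copies
  - a value written under a CurrentVersion\\Run key (start-up persistence)
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str      # "process" or "registry"
    fields: dict   # remaining key/value pairs, keys lower-cased


def parse_event(line):
    """Parse one 'key=value|key=value' line of the constructed log format."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return Event(kind=fields.pop("event"), fields=fields)


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, evidence) tuples for every event that matches a rule."""
    alerts = []
    for ev in events:
        f = ev.fields
        if ev.kind == "process":
            parent = basename(f.get("parentimage", ""))
            image = basename(f.get("image", ""))
            cmdline = f.get("commandline", "")
            if parent in OFFICE_APPS and image == "cmd.exe":
                alerts.append(("office_spawns_cmd", cmdline))
            if parent == "cmd.exe" and image in SCRIPT_HOSTS and ".vbs" in cmdline.lower():
                alerts.append(("cmd_spawns_vbs", cmdline))
            if image == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmdline):
                alerts.append(("shadow_copy_deletion", cmdline))
        elif ev.kind == "registry":
            target = f.get("targetobject", "")
            if RUN_KEY_RE.search(target):
                alerts.append(("run_key_persistence", target))
    return alerts


# Constructed sample events; paths and file names are hypothetical.
SAMPLE_LOG = [
    "event=process|image=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|parentimage=C:\\Windows\\explorer.exe|commandline=WINWORD.EXE /n invoice.doc",
    "event=process|image=C:\\Windows\\System32\\cmd.exe"
    "|parentimage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|commandline=cmd.exe /c C:\\Users\\bob\\AppData\\Local\\Temp\\drop.bat",
    "event=process|image=C:\\Windows\\System32\\wscript.exe"
    "|parentimage=C:\\Windows\\System32\\cmd.exe"
    "|commandline=wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\dl.vbs",
    "event=process|image=C:\\Windows\\System32\\vssadmin.exe"
    "|parentimage=C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe"
    "|commandline=vssadmin.exe Delete Shadows /All /Quiet",
    "event=registry|targetobject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\payload"
    "|details=C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe",
    # benign: an interactive shell opened from Explorer, matches no rule
    "event=process|image=C:\\Windows\\System32\\cmd.exe"
    "|parentimage=C:\\Windows\\explorer.exe|commandline=cmd.exe",
]


def run_sample():
    """Apply the rules to SAMPLE_LOG and return the rule names that fired, in order."""
    return [name for name, _ in detect(parse_event(l) for l in SAMPLE_LOG)]


if __name__ == "__main__":
    for name, evidence in detect(parse_event(l) for l in SAMPLE_LOG):
        print(f"{name:22s} {evidence}")
```

The parent/child pairing is what separates the macro chain from ordinary use of cmd.exe: the final benign event (Explorer starting cmd.exe) fires nothing, while the same cmd.exe started by WINWORD.EXE does. The shadow-copy rule matches on the command line rather than the image name alone, because vssadmin.exe has legitimate uses (listing or creating shadows).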
The dropped copy, once executed, attempts to retrieve a unique ID, a public key and the ransom note from the registry. If this information is not present in the registry, it contacts its C&C server to obtain it and saves it to the registry.
The public key is used by its RSA encryption routine. Because only the public key is delivered to the infected host, the encrypted files cannot be recovered without the matching private key, which stays with the operators.
ZEPTO is known to share technical similarities with LOCKY, from its spam email-based distribution method to its use of RSA encryption keys for locking certain file types.
Since LOCKY's discovery in February 2016, it has continued to evolve, has successfully targeted both individuals and businesses, and has been used in a number of high-profile ransomware attacks on healthcare facilities.
After the binary is downloaded and executed, local files are encrypted and the malware displays a message demanding payment in Bitcoin. The victim receives the instructions in an .HTML file dropped by the malware, in an image file, and through a change of the desktop wallpaper. ZEPTO appears to be gaining some traction because of its efficient attack vector: a widespread spam campaign, whereas most ransomware is delivered through other vectors.
Antispam Pattern
LAYER | DETAIL | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
DYNAMIC | Spam Mail with attached document | AS 2146 | 2/21/2016 |
VSAPI Pattern (Malicious File Detection)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
INFECTION | HB_LOCKYJ | ENT 12.393.00 | 3/9/2016 |
INFECTION | HB_LOCKYM | ENT 12.407.00 | 3/15/2016 |
INFECTION | Ransom_LOCKY.SM | ENT 12.359.00 | 2/24/2016 |
INFECTION | Ransom_LOCKY.SM0 | ENT 12.359.00 | 2/24/2016 |
INFECTION | Ransom_LOCKY.SM1 | ENT 12.361.00 | 2/25/2016 |
INFECTION | Ransom_LOCKY.SM2 | ENT 12.361.00 | 2/25/2016 |
INFECTION | W2KM_LOCKY.A | ENT 12.349.00 | 2/17/2016 |
INFECTION | X2KM_LOCKY.A | ENT 12.351.00 | 2/18/2016 |
INFECTION | JS_LOCKY.A | ENT 12.353.00 | 2/18/2016 |
INFECTION | RANSOM_LOCKY.DLDSW | ENT 12.637.00 | 7/8/2016 |
WRS Pattern (Malicious URL and Classification)
LAYER | URL | CATEGORY | BLOCKING DATE |
---|---|---|---|
INFECTION | ecoledecorroy{blocked}.be/1/1.exe | Virus Accomplice | 2/19/2016 |
INFECTION | ratgeber-beziehung{blocked}.de/5/5.exe | Virus Accomplice | 2/19/2016 |
INFECTION | luigicalabrese{blocked}.it/7/7.exe | Virus Accomplice | 2/19/2016 |
INFECTION | animar{blocked}.net.pl/3/3.exe | Virus Accomplice | 2/19/2016 |
CLEAN-UP | sso{blocked}.anbtr.com/domain/kqlxtqptsmys.in | Ransomware | 2/20/2016 |
CLEAN-UP | xsso{blocked}.kqlxtqptsmys.in/c43344d5351f579349b5f90e1a038859 | Ransomware | 2/20/2016 |
CLEAN-UP | pvwinlrmwvccuo{blocked}.eu/main.php | Ransomware | 2/19/2016 |
CLEAN-UP | wblejsfob{blocked}.pw | Ransomware | 2/20/2016 |
CLEAN-UP | kqlxtqptsmys{blocked}.in | Ransomware | 2/20/2016 |
CLEAN-UP | xsso{blocked}.kqlxtqptsmys.in | Ransomware | 2/20/2016 |
CLEAN-UP | cgavqeodnop{blocked}.it | Ransomware | 2/20/2016 |
CLEAN-UP | pvwinlrmwvccuo{blocked}.eu | Ransomware | 2/20/2016 |
CLEAN-UP | kvm17915{blocked}.hv9.ru | Ransomware | 2/20/2016 |
CLEAN-UP | kqlxtqptsmys{blocked}.in/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | mondero{blocked}.ru/system/logs/56y4g45gh45h | Disease Vector | 2/19/2016 |
CLEAN-UP | pvwinlrmwvccuo{blocked}.eu/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | tcpos.com{blocked}.vn/system/logs/56y4g45gh45h | Ransomware | 2/20/2016 |
CLEAN-UP | www{blocked}.bag-online.com/system/logs/56y4g45gh45h | Ransomware | 2/20/2016 |
CLEAN-UP | 31{blocked}.41.47.37/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | 188{blocked}.138.88.184/main.php | Ransomware | 2/20/2016 |
CLEAN-UP | 95{blocked}.181.171.58 | C&C server | 2/19/2016 |
CLEAN-UP | 185{blocked}.14.30.97 | C&C server | 2/27/2016 |
CLEAN-UP | 109{blocked}.234.38.35 | Disease Vector | 2/19/2016 |
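The indicators in the WRS table are defanged with a `{blocked}` token inserted into each host name so they cannot be clicked. Before they can be loaded into a DNS sinkhole or proxy blocklist they have to be refanged, validated and split into hosts. The following is an added example written for this page, not a Trend Micro tool: it parses rows in the table's own `LAYER | URL | CATEGORY | Blocking Date |` layout. The sample rows are copied from the table above, plus one constructed row in which the dot after the token is missing, to show that malformed indicators are rejected rather than silently blocked.

```python
"""Normalise the defanged indicators in the WRS table into usable IOCs.

A '{blocked}' token is inserted into each host; stripping it restores the
original host. Each row is classified as ip, domain, url or invalid, and
valid hosts are collected into a sorted, de-duplicated blocklist.
"""
import ipaddress
import re

DEFANG_TOKEN = "{blocked}"
# one DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def refang(indicator):
    """Remove the defanging token; everything else is left unchanged."""
    return indicator.replace(DEFANG_TOKEN, "")


def host_kind(host):
    """Return 'ip', 'domain' or 'invalid' for a refanged host string."""
    try:
        ipaddress.IPv4Address(host)
        return "ip"
    except ValueError:
        pass
    labels = host.split(".")
    if (len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit()):      # a numeric TLD is never valid
        return "domain"
    return "invalid"


def parse_row(line):
    """Parse one 'LAYER | URL | CATEGORY | Blocking Date |' table row."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    layer, indicator, category, blocked_on = cells[:4]
    refanged = refang(indicator)
    host, sep, path = refanged.partition("/")
    kind = host_kind(host)
    return {
        "layer": layer,
        "indicator": refanged,
        "host": host,
        "path": path if sep else None,
        "kind": "url" if (sep and kind != "invalid") else kind,
        "category": category,
        "blocked_on": blocked_on,
    }


def blocklist(rows, kinds=("ip", "domain", "url")):
    """Unique hosts from valid rows, sorted, ready for DNS/proxy blocking."""
    return sorted({r["host"] for r in rows if r["kind"] in kinds})


def invalid_rows(rows):
    """Rows whose host did not survive refanging; these need manual review."""
    return [r for r in rows if r["kind"] == "invalid"]


# Rows copied from the table above, plus one constructed malformed row.
SAMPLE_ROWS = [
    "INFECTION | ecoledecorroy{blocked}.be/1/1.exe | Virus Accomplice | 2/19/2016 |",
    "CLEAN-UP | sso{blocked}.anbtr.com/domain/kqlxtqptsmys.in | Ransomware | 2/20/2016 |",
    "CLEAN-UP | kqlxtqptsmys{blocked}.in | Ransomware | 2/20/2016 |",
    "CLEAN-UP | kqlxtqptsmys{blocked}.in/main.php | Ransomware | 2/20/2016 |",
    "CLEAN-UP | 31{blocked}.41.47.37/main.php | Ransomware | 2/20/2016 |",
    "CLEAN-UP | 185{blocked}.14.30.97 | C&C server | 2/27/2016 |",
    # constructed: token present but the following dot is missing
    "CLEAN-UP | 95{blocked}181.171.58 | C&C server | 2/19/2016 |",
]


def normalise_sample():
    """Parse SAMPLE_ROWS and return the normalised records."""
    return [parse_row(r) for r in SAMPLE_ROWS]


if __name__ == "__main__":
    rows = normalise_sample()
    for r in rows:
        print(f"{r['kind']:8s} {r['host']:20s} {r['category']}")
    print("blocklist:", blocklist(rows))
    print("needs review:", [r["indicator"] for r in invalid_rows(rows)])
```

Blocking on the host rather than the full URL is deliberate for the CLEAN-UP rows: the same C&C host appears both bare and with `/main.php`, and a proxy rule on the path alone would miss the bare beacon. The invalid row is kept out of the blocklist because a fused string such as `95181.171.58` would never match real traffic and would only hide the fact that the indicator needs correcting.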
AEGIS Pattern (Behavior Monitoring Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
DYNAMIC | 1981T | TMTD 1526 | 3/23/2016 |
DYNAMIC | 1981F | TMTD 1529 | 4/5/2016 |
DYNAMIC | 1980T | TMTD 1526 | 3/23/2016 |
DYNAMIC | 1980F | TMTD 1529 | 4/5/2016 |
DYNAMIC | 1856T | OPR 1483 | 10/6/2015 |
DYNAMIC | RAN2013T | OPR 1565 | 7/21/2016 |
DYNAMIC | RAN4705T | OPR 1581 | 9/1/2016 |
DCT Pattern (System Clean Pattern)
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
CLEANUP | TSC_GENCLEAN | Latest DCT OPR | BUILT-IN |
Network Pattern
LAYER | DETECTION | PATTERN VERSION | RELEASE DATE |
---|---|---|---|
CLEANUP | HTTP_RANSOM_LOCKY_REQUEST | RR 1.10151.00 | 3/15/2016 |
Solution Map - What should customers do?
Each product is covered through the pattern layers listed above (Virus Pattern, Behavior Monitoring, Web Reputation, DCT Pattern, Antispam Pattern, Network Pattern). Per product, the recommended action is:
MAJOR PRODUCTS | VERSIONS | ACTION |
---|---|---|
OfficeScan | 11 SP1 and above | Turn on the Ransomware Protection feature and update patterns via the web console; enable Web Reputation Service* |
OfficeScan | 10.6 and above | Update patterns via the web console |
Worry Free Business Suite | 9 SP1 and above | Turn on the Ransomware Protection feature and update patterns via the web console |
Worry Free Business Suite | 8 and above | Update patterns via the web console |
Hosted Email Security | | |
Deep Security | 8.0 and above | Update patterns via the web console (layers the product does not provide are Not Applicable) |
ScanMail | SMEX 10 and later; SMD 5 and later | Update patterns via the web console (layers the product does not provide are Not Applicable) |
InterScan Messaging | IMSVA 8.0 and above | |
InterScan Web | IWSVA 6.0 and later | |
Deep Discovery | DDI 3.0 and later; DDAN; DDEI | Update patterns via the web console (layers the product does not provide are Not Applicable) |
Recommendations
- Ransomware: Trend Micro Solutions, Best Practice Configuration and Prevention
- Recommendations on how to best protect your network using Trend Micro products
- Submitting suspicious or undetected virus for file analysis to Technical Support