If you’re like me, you occasionally receive the odd spam or phishing email that wants you to open a zipped attachment purporting to hold some invoice or information that you need to see. Unfortunately, if you do open the zipped file from an email that you weren’t expecting, you could be opening up your system or systems to a particularly nasty piece of malware called ‘Locky’, which is a ‘ransomware’ type of malware. Unfortunately, not all variants of Locky have been decrypted, and you may end up paying for access to your own files. The ransom is currently set to 0.25 bitcoin, which at recent market prices is around $1,250 USD. I won’t go into the actual analysis of the Locky file, but will explain how the infection works.
The file uses a rather simple VBS script (Visual Basic Script) to infect a Windows-based system. Parts of the code are actually ‘filler’ and don’t really do anything, but the line in the code that does all the damage is this one. Note that this line has been modified to mask the actual site, to prevent the accidental download of the ransomware file.
krapivec = Array("site**********.3g76fh?",
What this snippet of code does is query the sites looking for a file named
and then download it to your system and execute it. This runs the actual encryption routine, which encrypts all the files on your system and also propagates through your network, infecting other systems.
This is one variant of Locky. Others will download files with different names, but the result is always the same: complete encryption of your drive and all other mounted drives, such as thumb drives and network shares. It can infect Windows, Linux, and OS X as well, although the main infection requires VBS macros to be enabled. Typically, if you open the attachment, it will appear as just ‘gobbledygook’ and it will ask you to enable macros in order to see the file correctly. NEVER enable macros for any file that you were not expecting or whose sender you do not know.
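As an added example (not code from the original post), the following Python script triages a zipped attachment the way a mail gateway or a cautious recipient might, before anything inside it is opened. It lists entries whose extension Windows would run as a script (the .vbs case described above) or open as a macro-enabled Office document (the ‘enable macros’ lure), and for script entries it checks the text for the download-and-execute pattern the post describes: an Array of sites, an HTTP object, a file-writing object and a shell object. The indicator list, thresholds, file names and the sample script are constructed for this example and are not a signature for any real Locky sample; the sample is only scanned, never executed.

```python
"""Triage a zipped e-mail attachment for the delivery pattern described in the post:
a script inside a .zip that fetches a payload from a list of sites and runs it.
Added example, not from the original post. Indicators are a hypothetical heuristic."""
import io
import re
import zipfile

# Extensions Windows will run as a script straight from an extracted zip.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
# Macro-enabled Office formats: the 'enable macros to see the file' lure.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

# Heuristic indicators of download-and-execute behaviour in a script (hypothetical list).
INDICATORS = {
    "http_object": re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "file_write": re.compile(r"ADODB\.Stream|Scripting\.FileSystemObject", re.I),
    "process_exec": re.compile(r"WScript\.Shell|Shell\.Application|\.Run\s*\(|\.Exec\s*\(", re.I),
    "url_array": re.compile(r"Array\s*\(\s*\"[^\"]+\"\s*,\s*\"[^\"]+\"", re.I),
    "temp_path": re.compile(r"%TEMP%|GetSpecialFolder\s*\(\s*2\s*\)", re.I),
}
BLOCK_THRESHOLD = 3  # indicators needed to call a script entry malicious (chosen for the example)


def analyse_script(text: str) -> dict:
    """Return which download-and-execute indicators appear in the script text."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def triage_zip(data: bytes) -> dict:
    """Inspect a zip given as bytes; never extracts to disk or runs anything."""
    findings = []
    verdict = "allow"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Use the LAST extension so 'invoice.pdf.vbs' is treated as .vbs.
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext in MACRO_EXTENSIONS:
                findings.append({"name": name, "extension": ext, "reason": "macro-enabled document"})
                verdict = "quarantine" if verdict == "allow" else verdict
                continue
            if ext not in SCRIPT_EXTENSIONS:
                continue
            text = zf.read(info).decode("latin-1")  # latin-1 never fails on arbitrary bytes
            hits = analyse_script(text)
            score = sum(hits.values())
            findings.append({"name": name, "extension": ext, "indicators": hits, "score": score})
            if score >= BLOCK_THRESHOLD:
                verdict = "block"
            elif verdict == "allow":
                verdict = "quarantine"
    return {"verdict": verdict, "findings": findings}


# Constructed sample resembling the pattern in the post; URLs are placeholders
# and the script is never executed, only scanned.
SAMPLE_VBS = """\
Dim sites, http, stream, shell
sites = Array("http://example.invalid/one", "http://example.invalid/two")
Set http = CreateObject("MSXML2.XMLHTTP")
Set stream = CreateObject("ADODB.Stream")
Set shell = CreateObject("WScript.Shell")
"""


def build_sample_attachment() -> bytes:
    """Constructed zip holding a double-extension script, like the phishing lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2016.pdf.vbs", SAMPLE_VBS)
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed zip holding only a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly numbers\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_attachment()), ("benign", build_benign_attachment())):
        result = triage_zip(blob)
        print(label, result["verdict"], result["findings"])
```

The verdict is deliberately coarse: a script extension alone is enough to quarantine, because a legitimate invoice has no reason to arrive as a .vbs, and the indicator score only decides whether to block outright. The regular expressions are a starting point, not a complete detector; obfuscated scripts split strings so that names like "ADODB.Stream" never appear literally, so in practice this check belongs alongside attachment-type blocking and macro policy rather than replacing them.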
Unfortunately, in our connected world there will always be someone with malicious intent, and in the case of Locky they can do some serious harm to both personal and corporate systems. As always, pay attention to the emails you receive, and if in doubt, delete the email.