On February 16, 2016, PhishMe’s Intelligence team identified a number of significantly large sets of emails delivering Word documents containing macro scripts used to download a malware payload. This malware delivery technique has been ubiquitous among many threat actors over the past year but has been most prolifically used by threat actors delivering the Dridex financial crimes trojan. The scope of Locky’s delivery in its first full day of deployment is staggering. As our friends at Palo Alto Networks have shown, over 400,000 endpoints around the world were affected by this encryption ransomware in mere hours. As we pointed out in our recent piece on Dridex, nearly three quarters of Dridex samples in 2015 where delivered using some form of Office documents using macro scripts as a download tool.

The payload delivered by these February 16 documents was something very different from Dridex. The malware ultimately delivered by these messages was a new encryption ransomware referring to itself as Locky.

The similarity of the messages and the OfficeMacro documents used to deliver this encryption ransomware to those used to deliver Dridex is striking. Even the payload URLs were constructed in such a way that resembles the naming convention used to deliver Dridex. The following sets of payload URLs show the shared naming convention in both Dridex and Locky delivery processes. (Figures 1 and 2)

Figure 1

Figure 1. Dridex payload URIs

Figure 2

Figure 2. Locky payload URIs

Each message recommends that the recipient view the attached Word document—a document purported to contain an invoice for which payment is to be made. Once the Locky payload is downloaded and executed, the malware begins to encrypt a wide variety of files within the affected file system, adding the “.locky” extension to each encrypted file.

Figure 3

Figure 3. Phishing email used to deliver Locky

Since the introduction of the CryptoLocker encryption ransomware in 2013, this category of destructive malware has become one of the most popular tools for monetizing malware distribution by threat actors. Rather than playing a long game where the threat actor must collect credentials and in turn use them for financial gains, encryption ransomware puts the ball squarely in the victim’s collective court. This is because the monetization scheme for users of this malware category relies on the fact that each victim is generally faced with the option of paying a significantly large sum of money or losing access to files stored on their computer or network.

For most individuals, these documents may represent valuable memories or crucial professional work. For many small- and medium-sized companies, the files targeted by encryption ransomware may represent mission-critical files ranging from human resources records to the source files used in software projects.

In all cases, the threat of losing access to information stored on one’s computer is used to extort some sum of money from victims in exchange for an application that is promised to undo the encryption. The threat actor makes a quick few hundred dollars and victims are free to cherish memories or continue without significant interruption to their business operations.

While the similarities between Locky and Dridex delivery documents are pronounced, there were some significant differences as well. One set of documents used to deliver this encryption ransomware broke from the exclusive use of Visual Basic scripting to leverage a small PowerShell script to facilitate the download and execution of the malware payload. A screenshot of a formatted version of this PowerShell script is shown below.

Figure 4

Figure 4. Powershell code to download Locky

These documents, listed below, share many characteristics with ones used to deliver Dridex but instead incorporate the one key difference by using PowerShell.

filename md5 checksum file size in bytes
invoice_S-32443155.doc 7f94e43bb7dc5dad12840550eee86ede 50,688
invoice_S-46241430.doc 0e9fb110afac7a053a751673ba58e5d2 54,784
invoice_S-54559462.doc d2e4984e6ee44a756abfa59f775cc12a 43,008

While it does not seem to provide any crucial or superlative advantage, implementing a short PowerShell script does serve to provide one additional means of evading established expectations. A threat actor may thereby hope to evade existing security processes based on the expectation that their tools will behave in a certain way.

Upon execution, the Locky payloads obtained by these PowerShell scripts first attempt to make contact with a set of domains on which the malware appears to expect to find a “main.php” check-in location. In all samples analyzed by PhishMe Intelligence over numerous simulated infections, none of the domains the malware expected to host “main.php” were found to exist. Instead, after making five attempts, the malware would instead fall back on a “main.php” that could be found directly on an IP address.

This behavior is curious as the initial five domains appear to be the product of a domain generation algorithm but the malware has instead relied on the list of hard-coded command and control IP address locations. These addresses are utilized by the ransomware to report the addition of a newly infected machine.

PhishMe Intelligence believes that the string “rupweuinytpmusfrdeitbeuknltf/main.php” represents the seed for the domain generation algorithm utilized by this malware to produce the list of domains utilized by this malware. However, it is still unclear as to why the threat actor is not utilizing any of the domains in the observed domain generation algorithm output and instead quickly falls back on the hard-coded locations.

As with every other major encryption ransomware, the victim can expect to see a ransom note informing them of the locations at which he or she can access the ransomware’s payment site to render the payment in exchange for the means of decrypting their files. Locky presents this ransom note as a red-on-black bitmap image displayed to the victim as a desktop background and as a plaintext file in Notepad. The payment infrastructure relies on popular Tor2Web proxy providers such as and to provide victims with access their Tor-hosted payment sites.

Figure 5

Figure 5. Information page from Locky

Visiting any of these sites will ultimately redirect to the .onion domain 6dtxgqam4crv6rr6[dot]onion where the victim is presented with myriad ways and instructions for purchasing Bitcoin along with the address to which they are to send the 0.5 Bitcoin ransom. It is believed that the threat actors issue a new Bitcoin address for each infected machine to help hide volume of transactions and prevent investigation into the destination for ransom payments.

Figure 6

Figure 6. Page allowing users to pay to decrypt ransomware

The continued success of this malware will likely rely on its combination of elements utilized by other encryption ransomware—its logical predecessors—as well as the delivery techniques used to deploy the incredibly successful Dridex trojan. Like CryptoLocker, this ransomware appears to leverage a domain generation algorithm but still relies on definite (and probably highly mobile) hard-coded command and control hosts when DGA domains are not available. Furthermore, like CryptoWall, Locky points users to a set of Tor2Web proxies to access their “personalized” payment site. By giving each encrypted file the “.locky” extension, this ransomware gives a nod to the TeslaCrypt encryption ransomware while also gaining the “brand recognition” enjoyed by CryptoWall. Finally, by harnessing the proven effectiveness of the delivery process used to deploy the Dridex financial crimes trojan these threat actors have made a massive impact globally within just hours of deploying their ransomware tool.