Research Centre

[BLACKALPS2017] LOCKY STRIKE: Smoking the Locky Ransomware Code

This is the updated findings we found in Locky ransomware which was presented in Black Alps 2017.

Locky born early 2016 had quickly become one of the prevalent pieces of ransomware in the wild having massive campaigns that landed on at least 90,000 PCs per day around the world on its early debut. It was clear during that time that Locky would be a major ransomware threat that both end-users and enterprises would be facing. 
More than a year and a half later, Locky continues its massive ransomware attacks at a scale of 23 million infected emails being circulated in just 24 hours. Locky also holds majority of the ransomware profit with a conservative figure of $7.8 million in it’s less than 2 years of operation. The more revenue Locky ransomware generates, equates to more it can invest in it being effective and being distributed more widely. 
The talk will detail the result of the continuous monitoring of Locky. This will delve into the technical details of the Locky ransomware. It will focus on three technical aspects: its system behaviour, its configuration, and C&C communication. 
Initially, the topic will talk about Locky’s prevalence in the wild and how it behaves on landing on a PC. An overview on the timeline of Locky’s changes and improvements to remain effective will be presented. 
The talk will also have a detailed understanding of the configuration of Locky, this would include the automation on extracting said configuration. 
The talk will also explore Locky’s obfuscated C&C communications including its parameters, encryption and decryption. As a result of these findings we will have a better understanding on how Locky communicates to its C&C and the data being sent on every request. 
Finally, using the technical knowledge acquired in the research, the talk will conclude with some insights into Locky's operation and how these findings ultimately translate to actionable threat intelligence that can be used to protect users.