[VB 2016] LOCKY STRIKE: Smoking the Locky Ransomware Code
This is an in-depth take on the Locky ransomware, presented at VB 2016 in Denver.
In this paper, we delve into the technical details of the Locky ransomware, focusing on three aspects: its system behaviour, its domain generation algorithm (DGA), and its C&C communication.
We begin with Locky's prevalence in the wild and how it behaves once it lands on a PC. We then examine the details of its DGA and how we simulate it in an automated fashion to harvest its C&C domains.
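The DGA simulation mentioned above, shown here as an added example that is not code from the paper: a hypothetical date-seeded DGA (assumed xorshift32 PRNG, assumed per-build seed and TLD table, not Locky's real algorithm) together with the harvester loop that runs it over a window of dates to pre-compute the C&C domains a sample would resolve.

```python
# Added illustrative example, not the paper's code. The DGA below is a
# HYPOTHETICAL stand-in: its seed, PRNG, name lengths and TLD table are all
# assumptions for illustration and are not Locky's real algorithm.
import datetime as dt
import re
from typing import List, Set, Union

# Hypothetical TLD table (assumption).
TLDS = ("com", "net", "org", "info")

# Hypothetical per-build seed (assumption); real families often vary this per campaign.
DEFAULT_SEED = 0x1C0CB0DE

# Shape every generated name must have; used to sanity-check harvester output.
DOMAIN_RE = re.compile(r"^[a-z]{8,15}\.(?:com|net|org|info)$")


def _to_date(day: Union[dt.date, str]) -> dt.date:
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, dt.date) else dt.date.fromisoformat(day)


def _xorshift32(state: int) -> int:
    """One step of a 32-bit xorshift PRNG (standard 13/17/5 shifts)."""
    state ^= (state << 13) & 0xFFFFFFFF
    state ^= state >> 17
    state ^= (state << 5) & 0xFFFFFFFF
    return state & 0xFFFFFFFF


def dga_domains(day: Union[dt.date, str], count: int = 8, seed: int = DEFAULT_SEED) -> List[str]:
    """Generate the hypothetical DGA's domains for one calendar day.

    The PRNG state is derived only from the build seed and the (year, month, day)
    tuple, so the output is fully determined by the date; that determinism is
    what makes offline simulation possible.
    """
    d = _to_date(day)
    state = (seed ^ ((d.year << 16) | (d.month << 8) | d.day)) & 0xFFFFFFFF
    state = state or 1  # xorshift must never start from an all-zero state
    domains: List[str] = []
    for _ in range(count):
        state = _xorshift32(state)
        length = 8 + state % 8  # 8..15 characters
        label = []
        for _ in range(length):
            state = _xorshift32(state)
            label.append(chr(ord("a") + state % 26))
        state = _xorshift32(state)
        domains.append("".join(label) + "." + TLDS[state % len(TLDS)])
    return domains


def harvest(start: Union[dt.date, str], days: int, seed: int = DEFAULT_SEED) -> Set[str]:
    """Simulate the DGA over a window of days and return the union of its domains.

    Past days give candidates for retro-hunting in DNS logs; future days give a
    blocklist or sinkhole list before the malware ever resolves them.
    """
    first = _to_date(start)
    harvested: Set[str] = set()
    for offset in range(days):
        harvested.update(dga_domains(first + dt.timedelta(days=offset), seed=seed))
    return harvested


if __name__ == "__main__":
    today = dt.date(2016, 10, 5)  # constructed date for the demo
    for domain in dga_domains(today):
        print(domain)
    print(len(harvest(today, 7)), "distinct domains over the next 7 days")
```

Whatever the real algorithm is, a harvester is only as good as the inputs it feeds the simulation: the date the sample would actually read (its time zone and any offset it applies) and any per-build seed must match the sample in hand, otherwise the pre-computed list drifts away from the domains the malware resolves. The simplest check is to run the simulator for a day on which a sample was observed and confirm that the domains seen in its DNS traffic appear in the generated set.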
The paper also explores Locky's obfuscated C&C communications, including the request parameters and the encryption and decryption applied to them. Building on these findings, we show how we successfully spoofed HTTP requests to the C&C servers to force them to respond with particular information, such as the countries the campaign targets.
The paper concludes with insights into Locky's operation and how these findings translate into actionable threat intelligence that can be used to protect users.