
Locky all over here! Also you can remove Zepto ransomware

Look Into Locky Ransomware

Locky is a new ransomware family, most probably released by the Dridex gang. Not surprisingly, it is well prepared: the threat actor behind it has invested considerable resources in it, including a mature delivery infrastructure. Let's take a look.

Analyzed samples

Behavioral analysis

Locky is usually delivered by a downloader in an MS Office document (e.g. DOC) or a JavaScript file, sent as an e-mail attachment in a phishing campaign. The payload is a 32-bit Windows executable containing the malicious core packed in a crypter/dropper (there are several of these, with various icons).

(Figure: Locky sample executables with various icons)

After being launched, the original executable deletes itself and runs a dropped copy of itself, renamed svchost.exe, from the %TEMP% folder.

Encryption process

Encrypted files are fully renamed. The first 16 characters of the new name are the unique ID of the victim, followed by a 16-character ID of the file (32 hex characters in total), and then the .locky extension that is typical for this ransomware.

(Figure: encrypted files renamed to <victim ID><file ID>.locky)

The encrypted content has high entropy and no visible patterns.

Below: visualization of raw bytes of square.bmp. Left: unencrypted, right: encrypted.

(Figure: square.bmp, left unencrypted, right encrypted as 060AADBAB9967724E8B8606C61B1DCCE.locky)
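The two observations above (the 32-hex-character rename scheme and the high entropy of the encrypted content) are enough to triage a user profile or a file share for Locky damage. The following PowerShell is an added example, not code from the original analysis: it lists files whose names match the scheme, extracts the victim ID (useful for counting how many infected hosts wrote to a share), and confirms the "encrypted look" by measuring the byte entropy of the first part of each file. The 64 KiB sample size and the 7.9 bits/byte threshold are this example's assumptions.

```powershell
# Added example: find Locky-renamed files and confirm high entropy.
function Get-ByteEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)   # Shannon entropy in bits per byte
        }
    }
    return $entropy
}

function Find-LockyFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$SampleBytes = 65536,        # assumption: first 64 KiB is enough to judge
        [double]$EntropyThreshold = 7.9   # assumption: near-random data scores ~8.0
    )
    # 16 hex chars of victim ID + 16 hex chars of file ID + .locky (see the renamed-file figure)
    $pattern = '^[0-9A-F]{16}[0-9A-F]{16}\.locky$'
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $stream = [System.IO.File]::OpenRead($_.FullName)
            try {
                $buf  = New-Object byte[] $SampleBytes
                $read = $stream.Read($buf, 0, $buf.Length)
            } finally { $stream.Dispose() }
            $sample = if ($read -gt 0) { $buf[0..($read - 1)] } else { @() }
            $h = Get-ByteEntropy -Bytes $sample
            [pscustomobject]@{
                File           = $_.FullName
                VictimId       = $_.Name.Substring(0, 16)
                FileId         = $_.Name.Substring(16, 16)
                Entropy        = [Math]::Round($h, 3)
                LooksEncrypted = ($h -ge $EntropyThreshold)
                LastWriteUtc   = $_.LastWriteTimeUtc
            }
        }
}

# Usage (the profile path is an example):
# Find-LockyFiles -Path 'C:\Users' | Sort-Object LastWriteUtc | Format-Table -AutoSize
# Find-LockyFiles -Path '\\fileserver\share' | Group-Object VictimId | Select-Object Name, Count
```

Sorting by LastWriteUtc gives the time encryption started, which is the timestamp to match against e-mail logs when looking for the phishing message; grouping by VictimId on a share tells you whether one or several workstations were infected.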

After running, Locky displays the ransom note in text and bitmap form, setting the latter as the affected user's wallpaper.

(Figure: Locky ransom note set as the desktop wallpaper)

The text is localized to the language detected on the system. The translations look professional (not machine-translated), which suggests that the threat actors target multiple countries and prepared this particular detail well. See sample translations (Polish, Spanish) here.

Registry keys

Looking at the registry, we find that a few elements have been added.

A value in the autorun (Run) key, so that the malware starts automatically after a system restart:

(Figure: autorun registry value)

Data specific to the victim: the individual ID, the public RSA key, and the text of the ransom note to be displayed:

(Figure: victim-specific values stored in the registry)

Public key stored in the registry:

(Figure: public RSA key blob stored in the registry)
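The registry artifacts described above can be checked without a third-party scanner. The PowerShell below is an added example (not code from the original analysis): it reports the victim-specific values and any Run entry that launches a svchost.exe living outside System32, which is how the dropped %TEMP% copy is started. The key name HKCU\Software\Locky and the value names id, pubkey and paytext are taken from public Locky analyses of the same 2016 samples; treat them as indicators to verify against your own sample rather than as guaranteed constants.

```powershell
# Added example: look for Locky's registry indicators in the current user's hive.
function Get-LockyRegistryIndicators {
    $findings = @()

    # 1. Victim-specific data: ID, RSA public key blob, ransom note text
    #    (key and value names assumed from public analyses)
    $lockyKey = 'HKCU:\Software\Locky'
    if (Test-Path $lockyKey) {
        $props = Get-ItemProperty -Path $lockyKey
        foreach ($name in 'id', 'pubkey', 'paytext') {
            $prop = $props.PSObject.Properties[$name]
            if ($null -eq $prop) { continue }
            $raw = $prop.Value
            $summary = if ($raw -is [byte[]]) { "REG_BINARY, $($raw.Length) bytes" }
                       elseif ($raw -is [string]) { $raw.Substring(0, [Math]::Min(60, $raw.Length)) }
                       else { [string]$raw }
            $findings += [pscustomobject]@{ Location = "$lockyKey\$name"; Detail = $summary }
        }
    }

    # 2. Persistence: a Run value whose command names svchost.exe but not the
    #    genuine one in System32 (the dropped copy lives in %TEMP%).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        $props = Get-ItemProperty -Path $rk
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
            $cmd = [string]$p.Value
            if ($cmd -match 'svchost\.exe' -and $cmd -notmatch '\\System32\\') {
                $findings += [pscustomobject]@{ Location = "$rk\$($p.Name)"; Detail = $cmd }
            }
        }
    }
    return $findings
}

# Usage: run in the infected user's session, because HKCU is per user.
# Get-LockyRegistryIndicators | Format-Table -AutoSize
```

Note that the pubkey value is only the RSA public half: it is what the malware used to wrap the per-file keys, and having it does not help with decryption.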

WHAT TO DO?

  • Backup regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Don’t enable macros in document attachments received via email. Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of malware infections rely on persuading you to turn macros back on, so don’t do it!
  • Be cautious about unsolicited attachments. The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt, leave it out.
  • Don’t give yourself more login power than you need. Most importantly, don’t stay logged in as an administrator any longer than is strictly necessary, and avoid browsing, opening documents or other “regular work” activities while you have administrator rights.
  • Consider installing the Microsoft Office viewers. These viewer applications let you see what documents look like without opening them in Word or Excel itself. In particular, the viewer software doesn’t support macros at all, so you can’t enable macros by mistake!
  • Patch early, patch often. Malware that doesn’t come in via document macros often relies on security bugs in popular applications, including Office, your browser, Flash and more. The sooner you patch, the fewer open holes remain for the crooks to exploit.
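The macro advice above can be enforced rather than left to the user. The following PowerShell is an added example (not from the original page): it shows the current macro setting per Office application, with the weak value (1, enable all) flagged, and a second function that writes the hardened value under the Policies hive, where the Trust Center dialog cannot override it. VBAWarnings is the documented Office Trust Center value (1 = enable all macros, 2 = disable with notification, the default, 3 = disable except digitally signed, 4 = disable all without notification); the version numbers and application list covered are this example's assumptions (14.0/15.0/16.0 are Office 2010/2013/2016).

```powershell
# Added example: report and enforce the Office macro setting (VBAWarnings).
function Get-OfficeMacroPolicy {
    param(
        [string[]]$Versions = @('14.0', '15.0', '16.0'),       # assumption: installed versions
        [string[]]$Apps     = @('Word', 'Excel', 'PowerPoint')
    )
    $labels = @{ 1 = 'enable all (WEAK)'; 2 = 'disable with notification (default)'
                 3 = 'disable except signed'; 4 = 'disable all' }
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            # Policy value wins over the user's Trust Center value
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $userKey   = "HKCU:\Software\Microsoft\Office\$v\$app\Security"
            $effective = $null
            $source    = 'not set (Office default = 2)'
            foreach ($k in $policyKey, $userKey) {
                if (Test-Path $k) {
                    $val = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).VBAWarnings
                    if ($null -ne $val) { $effective = [int]$val; $source = $k; break }
                }
            }
            $level = if ($null -ne $effective) { $effective } else { 2 }
            [pscustomobject]@{
                App         = "$app $v"
                VBAWarnings = $effective
                Meaning     = $labels[$level]
                Source      = $source
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    # 3 keeps digitally signed macros working; 4 blocks everything silently.
    param(
        [ValidateSet(3, 4)][int]$VBAWarnings = 3,
        [string[]]$Versions = @('14.0', '15.0', '16.0'),
        [string[]]$Apps     = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord `
                             -Value $VBAWarnings -Force | Out-Null
        }
    }
}

# Usage:
# Get-OfficeMacroPolicy | Format-Table -AutoSize     # before: look for 'WEAK' or the default 2
# Set-OfficeMacroPolicy -VBAWarnings 3               # hardened: only signed macros run
# Get-OfficeMacroPolicy | Format-Table -AutoSize     # after
```

In a domain, the same values are normally pushed by Group Policy with the Office administrative templates; the per-user Policies path written here is what that GPO ends up setting, so the script is a fair way to check that the policy actually landed on a given machine.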

Locky ransomware removal instructions

Method 1. Remove Locky using Safe Mode with Networking

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP

  • Click Start > Shut Down > Restart > OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Networking from the list.

(Screenshot: select 'Safe Mode with Networking')

Windows 10 / Windows 8

  • At the Windows login screen, click the Power button, then hold Shift and click Restart.
  • Select Troubleshoot > Advanced options > Startup Settings, and press Restart.
  • Once the computer restarts, select Enable Safe Mode with Networking in the Startup Settings window.

(Screenshot: select 'Enable Safe Mode with Networking')

Step 2: Remove Locky

Log in to the infected account and start the browser. Download Reimage or another legitimate anti-spyware program, update it, run a full system scan, and remove the malicious files belonging to the ransomware to complete the Locky removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

Reimage is a tool to detect malware. You need to purchase full version to remove infections.

Method 2. Remove Locky using System Restore

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP

  • Click Start > Shut Down > Restart > OK.
  • When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
  • Select Safe Mode with Command Prompt from the list.

(Screenshot: select 'Safe Mode with Command Prompt')

Windows 10 / Windows 8

  • At the Windows login screen, click the Power button, then hold Shift and click Restart.
  • Select Troubleshoot > Advanced options > Startup Settings, and press Restart.
  • Once the computer restarts, select Enable Safe Mode with Command Prompt in the Startup Settings window.

(Screenshot: select 'Enable Safe Mode with Command Prompt')

Step 2: Restore your system files and settings

  • Once the Command Prompt window shows up, type cd restore and press Enter.
  • Now type rstrui.exe and press Enter.
  • When the System Restore window shows up, click Next, select a restore point dated before the Locky infection, and click Next again.
  • Click Yes to start the system restore.
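The same two steps (booting into Safe Mode and picking a restore point older than the infection) can be driven from an elevated Windows PowerShell 5.1 prompt instead of the F8 / Shift+Restart menus. This is an added example, not part of the original instructions: bcdedit's safeboot switches, Get-ComputerRestorePoint, Restore-Computer and rstrui.exe are standard Windows tools, while the function names and the use of the earliest .locky timestamp as the cut-off are this example's own.

```powershell
# Added example: scripted Safe Mode boot and restore-point selection.
function Set-NextBootSafeMode {
    # 'network' = Safe Mode with Networking; 'cmd' = Safe Mode with Command Prompt
    param([ValidateSet('network', 'cmd')][string]$Mode = 'network')
    if ($Mode -eq 'network') {
        bcdedit /set '{current}' safeboot network
    } else {
        bcdedit /set '{current}' safeboot minimal
        bcdedit /set '{current}' safebootalternateshell yes
    }
}

function Clear-NextBootSafeMode {
    # Run this after cleanup, otherwise every reboot lands in Safe Mode again
    bcdedit /deletevalue '{current}' safeboot
    bcdedit /deletevalue '{current}' safebootalternateshell 2>$null   # may not exist
}

function Get-RestorePointsBeforeLocky {
    param([string]$Path = $env:USERPROFILE)   # assumption: scan the current profile
    # The earliest .locky write time approximates when encryption began
    $first = Get-ChildItem -Path $Path -Recurse -File -Filter '*.locky' -ErrorAction SilentlyContinue |
             Sort-Object LastWriteTime | Select-Object -First 1
    if (-not $first) { Write-Warning "No .locky files found under $Path"; return }
    Write-Host "Earliest .locky file: $($first.LastWriteTime)  $($first.FullName)"
    Get-ComputerRestorePoint | ForEach-Object {
        # CreationTime is a WMI datetime string; convert it before comparing
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        [pscustomobject]@{
            Sequence       = $_.SequenceNumber
            Created        = $created
            Description    = $_.Description
            UsableForLocky = ($created -lt $first.LastWriteTime)
        }
    }
}

# Workflow:
#   Set-NextBootSafeMode -Mode cmd ; Restart-Computer -Force
#   (in Safe Mode)  Get-RestorePointsBeforeLocky | Format-Table -AutoSize
#                   Restore-Computer -RestorePoint <Sequence>     # or run rstrui.exe interactively
#   Clear-NextBootSafeMode ; Restart-Computer -Force
```

Expect the restore-point list to be short or empty on many hosts: Locky deletes the Volume Shadow Copies that System Restore and "Previous Versions" depend on, so this method only works where the shadow copies survived.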

Once you have restored your system to a previous date, download Reimage and scan your computer to make sure that Locky removal was successful. Note that neither a scanner nor System Restore decrypts the files already renamed to .locky; those have to be restored from backup. Locky also deletes Volume Shadow Copies, so restore points and "Previous Versions" are often gone as well.

Written by: AAKEYY

I have always expressed myself through creative means, I specialize in writing tech-related articles about the computer industry. I enjoy writing articles about the Internet, making money online, fitness & health.
