The group behind the Locky ransomware has continued to update and improve the malware it's distributing, and security researchers have been racing to keep up with the changes. The Talos research team at Cisco is part of that effort, and the group has released a new tool that can dump all of the configuration information for a given sample and help defenders track the affiliates distributing the Locky ransomware.
Locky appeared at the beginning of 2016 and, like many ransomware variants, it is distributed mainly through spam. There are any number of different versions of Locky, and the Cisco Talos tool, called LockyDump, allows users to grab a variant's configuration data and keep track of which variants are being used.
“Using LockyDump you can run a known Locky sample within a virtualized environment and it will extract and provide all of the configuration information for the sample, including the AffilID associated with the sample. The latest variant of Locky made this extraction process increasingly difficult. Once this config extraction changed, Talos looked to reverse further Locky samples in an attempt to gain the all-important AffilID information,” Warren Mercer and Michael Molyett of Cisco Talos said in a blog post.
“Obtaining the affiliate information for individual samples allows the historical tracking of Locky affiliates to identify trends and other characteristics on an individual affiliate basis such as their primary distribution method of choice e.g. through the use of Exploit Kits (EKs) or spam/phishing email.”
LockyDump is designed for security researchers and others who study the inner workings of ransomware, not necessarily for typical users who might face a Locky infection. Beyond its numerous variants, Locky is also distributed in two different forms: as a DLL or as an executable. This necessitates two different approaches to analyzing the code, Mercer and Molyett said.
“The versions of Locky delivered as EXE files required a different approach to analysis, which is accomplished by executing the malware with LockyDump configured to debug it. The malware is allowed to run until the true code is detected, at which point LockyDump freezes its execution. LockyDump then locates the configuration information and prints it to stdout,” they said in the documentation for the LockyDump utility on GitHub.
The new tool is being released as open source, and Mercer and Molyett said that while Locky spam runs have tailed off in the last few days, that likely won’t last.
“With this in mind be aware that the ever evolving Locky could come back sooner or later with a different method of configuration inclusion which would potentially prevent this tool from working. In that instance we will aim to release an updated version that can continue to operate correctly and as intended,” they said.
Image from Flickr stream of Jon Seidman.