Ransomware, the new generation

Click on images for zoom in!

 

Starting with February, 2016 a new generation of ransomware started, changing the usual files extension in .LOCKY, encrypting all your images, documents, excel files, databases, JavaScript and more. From your harddisk, from your memory USB stick if it is connected and even spreading on your network if there are any saved access to different folders.

As you will see, the virus is very fast, encrypting your data in seconds.

How did it arrive at your computer?

Usual the very first generation came as a word document attach containing a macro. After you access the macro the virus open a connection to a server in order to download the executable file. Once the file transfer is done it will start to encrypt your files, at the end changing your desktop image asking to pay a few bitcoins to receive the key.

The middle generation of this LOCKY ransomware come to your computer as an email attachemnt. But no more document files, from now only .zip files containing a .js (JavaScript file)

Starting with the las week of March 2016, as more and more servers denied the access of .zip attachment to email, the spreaders of this virus made another change: emails containg a .rar archive.

All those email come apparently from your team from office, even from IT Deparment. Usual come in your language and the email appear to be written by a person who knows you or at least who work with you.

The first javascrip code was full of different variables with a lot of lines. A little bit hard to follow, but not impossible as you could see on Image 1. Also most of java scripts was sending the visitors to different IP addresses using .onion sites. On the first generation of LOCKY by .js there was two javascript files into the .zip archive: billing______.js and payment_______.js both of them making the same things. So it was enough to start a single file to destroy your  data.

The actual generation of the virus come in a single .js file with a strange name (Image 2), but it reside in a very nice and friendly email which come apparently from the next door department from your office. Even we speak by .zip or .rar archives it appears to be the same generation of javascript code. It is shorten than the previous versions but more difficult to track the source code. The variables are combined with real words and encrypted one. Also from now the virus access real domain names websites, with some exercise you could read from source code the web address and the infected file which will be delivered  to you when you start the script.

Something very particular this time it is that the programmer of the virus made a lot of comments inside of the source code. For example it is written the comment “Remove a callback from the list remove:”  and it is starting the remove operation.

The script is using the DOM and jquery functions.

As we told, from now the programmers are using real servers, this means that they are using web servers of some companies which did not secured well the accounts or even the servers. Usually it is about the WordPress websites.

Even on  our Custom Cloud Servers we could see a lot of attacks, but about this you will read another time.

IMage 1
IMage 1
Image 2
Image 2

OK, after you already checked the source code you ask yourself  what’s happening with your computer if you click.

As you could see on the image first you have a very nice computer, with very nice pictures inside. We choose pictures as this will make a better idea to you. Please also observe the blue background of Windows

1initial_of_locky_ransomware

 

Once you opened the .js file, in our case named ‘New Text Document(309).js a new process will be opened after executing the script: it is the very fresh downloaded file from server. You could see this on TaskManager. The name in our case it is hbjLofGOU.exe. During this, for only a few more seconds you could see that the images are still there.

2starting_javascript_of_locky_ransomware

… but not for a long time! This because the virus will rewrite in only a few seconds all your documents, excel files, databases, images, PDF files….. with new files with coded names and a single extention: .LOCKY. So, after doing this you will see a message which explain you that your files are encrypted with RSA-2048 and AES-128 ciphers. You will  receive also some links to some .onion sites which are available using a TOR browser. Using this it become very difficult to find the real IP of the fraudulent person. If you follow the link you will find the instruction on how to pay a few bitcoins (one bitcoun value more than 400 EUROs) with the promise that you will receive the key for your files. Usual you will receive a sample for one or two decrypted files.

3encrypted_computer_by_locky_ransomware

If you still think that on your display it is just a joke and you minimize this new windows you will see all your files changed, impossible to access, in each changed folder you will find a text document named _HELP_instructions.txt with the same message from the image. You could also see that the nice blue backgroun image of your desktop changed in a dark gray one with the same text.

4encrypted_images_by_locky_ransomware

 

From now it is more than clear that your data it is lost.

From our experience it is more than tricky to decrypt by yourself the files. Even with the best programs it will take you more than 1000 years to find the key. As you could see even the file names are completely randomized as names.

On the next days we will show you what can you try to recover the files, today we will learn you what you  should do to not need to know how to recover the files.

First let’s get back to think how did we infected our computer.

We received a friendly email apparently from a coworker of us, or from a client of us. An email written in our language, made very personal. This email could contain a .doc, a .zip or a .rar file.

Now once we receive an attachment we are in a hurry to open it, but STOP!

Let’s say that it is a Microsoft .doc file. We open it and we see some impossible to understand text. But Word is telling us that the document contain a MACRO and that we should enable it. Here you should stop and ask yourself if this it is a valid document. For sure it is not and it is better to close on the same second the file. You could call the sender asking him if he/she sent you an attachment like this. Even it is your boss it is better to ask him than to loose all your company documents.

Now, if you receive a .zip or .rar file and you open, you will see one or two .js files. If you cannot see the extension of your files (this it is the default in Microsoft Windows ) you see an usual for you icon for that file. You could check on Image 1. So if you are not a programmer for sure nobody send you .js files. So close urgently the archive folder and delete it from your computer. Again you could call the sender to ask him if he/she sent to you that email.

So it is a virus in your company. Keep in mind that if you received an email from Lucy doesn’t mean that her computer is infected. Your first step it is to announce the IT Department. If you don’t have one try to talk to your boss. Explain what’s happening to your coworkers. Think that for example, all of you have access to a shared folder in network and somebody got infected, the virus will encrypt all the documents from the shared folder.

You could also make backups of you sensitive data on sticks, external hard disks or DVDs. But please keep in mind that only the DVD it is read-only. So detach the USB media storage after you make the back-up. If not the virus will encrypt your external device.

With a little attention to each attachment you will never have problems like this.

 

What we will learn you on the next period: how to try to recover your data after a ransomware attack, what if you have an antivirus program which doesn’t find the virus (movie), what are we doing in order to minimize the impact of the viruses on our mail and web servers and many more.