Locker Ransomware Utilizes a Unique Delivery Mechanism

Pierluigi Paganini May 30, 2015

The cyber security expert Michael Fratello has made a detailed analysis of the locker ransomware that implements a unique delivery mechanism

On May 25th, 2015, a wave of reports came flooding in from users around the globe, claiming that their computers have become compromised.  Messages from users looking for help began appearing on forums such as Bleeping Computer, where screenshots and further information regarding the incident came to light.

It became clear that these users had become infected with a new variant of ransomware whose name, derived from the window that opens on the infected device, has been dubbed the “Locker” ransomware by Lawrence Abrams of Bleeping Computer.

The delivery mechanism of this new ransomware variant is quite interesting.  Not only did this variant utilize a chain of various services and executables to reach its final stage, but it appears that the Trojan Downloader that retrieve the ransomware payload did so in a fashion that can be described as quite similar to a “logic bomb”.  At midnight on the 25 ransomware variant is quite interesting.

Where did this Trojan Downloader come from?  This question has been answered to some extent, but speculation remains as to whether additional infection vectors exist, or if the downloader is being spread by additional malicious software.  However, one infection vector has become known: a cracked copy of Minecraft; specifically, the cracked “Team Extreme” version of Minecraft.downloader is being spread by additional malicious software.

The Locker Ransomware

Like the various other ransomware variants that we have observed in-the-wild, Locker will enumerate the targeted device’s local file system, searching for specific file extensions of files to encrypt.  After enumerating the file system and performing its encryption activities, leveraging AES encryption, Locker opened a window containing a ransom note and information regarding the infection.

This window explains what occurred to the file system and provides payment information and demands an initial ransom of .1 bitcoins.

The ransomware variants that we have observed in-the-wild, Locker will enumerate the targeted device’s local file system, searching for specific file extensions of files to encrypt.

Locker affects all versions of Windows; this includes Windows XP, Windows 7, and Windows 8.  The Trojan Downloader that delivers Locker is installed as a Windows service with a random file name; the executable file that installs the downloader resides in the downloader resides in the downloader resides in the downloader resides in the C:\Windows\SysWOW64 directory of the affected file system.

Additionally, another service was installed in the following directory: C:\ProgramData\Steg\ with a file name of Steg.exe.  When executed, this service creates a folder under C:\ProgramData\ named Tor.  Furthermore, after the creation of the Tor folder, yet another service was installed, titled “LDR”.  Its associated executable resides within C:\ProgramData\rkcl\ as ldr.exe.

This service, whose name can be interpreted as “LOADER”, then installed and launched an executable within the same directory (C:\ProgramData\rkcl), saved as rkcl.ee.  This program is the primary executable responsible for Locker’s ransomware activities.

Affected Files

Locker will enumerate the local file system, search all drives mounted with a letter, to discover supported data files that it will compromise.  Targeted files are discovered via Locker searching the local file system for all files with supported extensions.  However, this search is performed using a case-sensitive search; lower-case file extensions (i.e. .doc) would be affected, however, upper-case file extensions (i.e. DOC) would not be affected.

Recovery

Locker’s detrimental activities do not cease upon completion of file system enumeration and encryption.  Upon completion of the encryption activities, Locker will attempt to delete all Volume Shadow Copies (VSCs) found within the targeted file system.

This prevents the victim from using System Restore or the “Previous Versions” tab found within the properties menu of a file to restore the affected file to its previous state.  The command issued by Locker to delete all Volume Shadow Copies is:

vssadmin.exe delete shadows /for=C: /all /quiet

Evasion Techniques

Locker performs several techniques to evade analysis.  Like many of the new, sophisticated ransomware variants found in-the-wild today, Locker will search for and terminate itself if it is found to be running within a virtual machine (i.e. VMware, Virtual Box).

Additionally, it will terminate itself if it detects and of the following processes running, many of which are used by malware analysts:

wireshark, fiddler, netmon, procexp, processhacker, anvir, cain, nwinvestigatorpe, uninstalltool, regshot, installwatch, inctrl5, installspy, systracer, whatchanged, trackwinstall

Ransom

Locker initially demands a ransom of .1 bitcoins to an assigned bitcoin address.  After 72 hours of non-payment, this ransom amount increases to 1 bitcoin.  While running, Locker will make requests to blockchain.info to verify whether or not the victim has submitted a payment.

When queried, if blockchain.info returns data indicative that a full payment has been made, Locker will perform a second check against its C2 (command-and-control) server.

Locker’s command-and-control server is located at jmslfo4unv4qqdk3.onion.

If both requests return that a proper payment has been submitted, Locker will automatically download a file named priv.key, which it stores within the C:\ProgramData\rkcl folder on the targeted device.  This file, as can be inferred by its name, contains the private key that Locker will then use to decrypt all affected files.

The automated process of decryption rather than requiring the user to download an additional decryption utility is unique to this ransomware variant.

Additional Dropped Files

Additionally, a series of data files can be found dropped within the local file system of the affected device.  The following files are dropped during the installation process of the Locker ransomware:ransomware:

data.aa0    This file contains a list of the encrypted files
data.aa1    This file’s purpose is currently unknown
data.aa6    This file contains the victim’s unique bitcoin address
data.aa7    This file contains an RSA key; however, this is not the decryption key
data.aa8    This file contains a [random] version number for the Locker GUI
data.aa9    This file contains the date that Locker became active
data.aa11   This file’s purpose is currently unknown
data.aa12   This file’s purpose is currently unknown
priv.key    This file contains the victim’s unique decryption key
This file is only downloaded after full payment is made and verified

More Unique Characteristics

While Locker’s delivery and decryption mechanisms are unique in themselves, activity and files that were found in affected file systems reveal more information.  If an affected victim finds the following directory on their local file system reveal more information.  If an affected victim finds the following directory on their local file system:

If an affected victim finds the following directory on their local file system reveal more information.  If an affected victim finds the following directory on their local file system:

C:\ProgramData\Digger

This indicates that the victim’s device was being used as a bitcoin miner by the attacker prior to the Locker ransomware becoming active.  The affected devices have potentially been affected and involved in nefarious activity for an unknown period of time, often for months prior to the ransomware becoming active.

Associated Locker Files, Trojan Downloader File Hashes

At the time, as previously stated, Locker is only known to have been spread via a cracked version of Minecraft; reportedly the “Team Extreme” version of the cracked software.  There are two (2) known Trojan Downloader executable files that have been analyzed and confirmed as malicious at this time.  They are:

MinecraftChecksumValidatorLower.exe
 MD5 Hash:     87c4cff97cafa6c78b7b41c9033c8bc2
 SHA-1 Hash:   55b3db2dbb0502fa5a85330ec5ffb3b9e18846cf
 SHA-256 Hash: 8ff8631c54a4a38d2d433b15fcca48ec242ddd426183d2b6f3f40cca304ccb9a
MinecraftChecksumValidator.exe
MD5 Hash:        dbd136e27b9fdfc1e656ef2e2d96dd30
SHA-1 Hash:      bba94a12497703627093d2b2f5572f39d9962d0c
SHA-256 Hash:    c8b31a92d2ab8bb163cfb66b7d461acd7941c5c17314220ecdee6abdcd005a8e

However, it is believed that this is not the sole infection vector; no further methods of infection can be confirmed at this time.

Associated Locker Ransomware Files

C:\ProgramData\-
C:\ProgramData\Digger\
C:\ProgramData\Tor\
C:\ProgramData\Steg\steg.exe
C:\ProgramData\rkcl\ldr.exe
C:\ProgramData\rkcl\rkcl.exe
C:\ProgramData\rkcl\data.aa0
C:\ProgramData\rkcl\data.aa1
C:\ProgramData\rkcl\data.aa6
C:\ProgramData\rkcl\data.aa7
C:\ProgramData\rkcl\data.aa8
C:\ProgramData\rkcl\data.aa9
C:\ProgramData\rkcl\data.aa11
C:\ProgramData\rkcl\data.aa12
C:\ProgramData\rkcl\priv.key
C:\Users\User\AppData\Local\Temp\dd_svo_decompression_log.txt
C:\Users\User\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20150527_215736110.html
C:\Users\User\AppData\Local\Temp\svo
C:\Users\User\AppData\Local\Temp\svo.1
C:\Users\User\AppData\Local\Temp\svo.2
C:\Users\User\AppData\Local\Temp\svo.3
C:\Users\User\AppData\Local\Temp\svo.4
C:\Windows\SysWOW64\<random>.exe
C:\Windows\SysWOW64\.dll
C:\Windows\SysWOW64\<random>.bin
C:\Windows\System32\InstallUtil.InstallLog
C:\Windows\System32\<random>.bin
Associated Locker Registry Entries
HKLM\SOFTWARE\Classes\HKEY_CLASSES_ROOT
HKLM\SOFTWARE\Classes\HKEY_CLASSES_ROOT\CLSID
HKLM\SOFTWARE\Classes\HKEY_CLASSES_ROOT\CLSID\{e1b9f27e-0ff0-b171-e8b9-61828f8a2cef}
HKLM\SOFTWARE\Classes\HKEY_CLASSES_ROOT\CLSID\{e1b9f27e-0ff0-b171-e8b9-61828f8a2cef}\               <random>
HKLM\SOFTWARE\Classes\HKEY_CLASSES_ROOT\CLSID\{e1b9f27e-0ff0-b171-e8b9-61828f8a2cef}\InprocServer32
HKLM\SOFTWARE\Classes\HKEY_CLASSES_ROOT\CLSID\{e1b9f27e-0ff0-b171-e8b9-61828f8a2cef}\InprocServer32\               C:\Windows\System32\.dll
HKLM\SYSTEM\CurrentControlSet\services\<random>
HKLM\SYSTEM\CurrentControlSet\services\<random>\Type   16
HKLM\SYSTEM\CurrentControlSet\services\<random>\Start   2
HKLM\SYSTEM\CurrentControlSet\services\\ErrorControl   1
HKLM\SYSTEM\CurrentControlSet\services\\ImagePath "C:\Windows\SysWOW64\.exe"
HKLM\SYSTEM\CurrentControlSet\services\\DisplayName 
HKLM\SYSTEM\CurrentControlSet\services\\ObjectName   LocalSystem

HKLM\SYSTEM\CurrentControlSet\services\<random>\Description

Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service (QoS) for AV applications.

It provides mechanisms for admission control, run time monitoring and enforcement, application feedback, and traffic prioritization.KLM\SYSTEM\CurrentControlSet\services\\DelayedAutostart

Locker Screenshots

Locker GUI Informational Tab / Initially Presented Ransom Information

locker

Locker GUI Payment Information Tab

locker payment

 

Locker Sample Timeline

Below details a timeline of the associated services and the overall progression of the Locker ransomware and its Trojan Downloader’s activities.

This timeline was constructed after analysis of a device that was newly-purchased and configured on the 19 May of this year, 2015, but unfortunately was also a victim of the Locker ransomware.  The affected user also installed the cracked version of the “Team Extreme” Minecraft.

Trojan Downloader Installed as a service on 05/20/2015 11:04:27 AM

Service Name: Bony Pony Icier
Service File Name: "C:\Windows\SysWOW64\fastcreekrags.exe"
Service Type: user mode service
Service Start Type: auto
Service Account: LocalSystem

fastcreekrags.exe began running on 05/20/2015 11:04:30 AM

fastcreekrags.exe terminated unexpectedly on 05/20/2015 11:09:06 AM

fastcreekrags.exe began running on 05/20/2015 11:09:10 AM

Steg.exe installed as a service on 05/20/2015 11:09:52 AM

Service Name: stegsteg

Service File Name: C:\ProgramData\steg\steg.exe

Service Start Type: auto start

Service Account: LocalSystem

Steg service running / stopped on 05/20/2015

Started at 11:09:55 AM

Stopped at 16:28:33 PM

fastcreekrags.exe stopped running on 05/20/2015 16:28:33 PM

Steg service running / stopped on 05/21/2015

Started at 07:13:17 AM

fastcreekrags.exe began running at 07:13:20 AM

Stopped at 09:07:43 AM

fastcreekrags.exe stopped running at 09:07:43 AM

Started at 11:10:46 AM

fastcreekrags.exe began running at 11:10:49 AM

Stopped at 16:23:23 AM

fastcreekrags.exe stopped running at 16:23:23 PM

Steg service running / stopped on 05/22/2015

 

Started at 07:12:21 AM

fastcreekrags.exe began running at 07:12:23 AM

Stopped at 07:13:29 AM

fastcreekrags.exe stopped running at 07:13:29 AM

Started at 07:14:17 AM

fastcreekrags.exe began running at 07:14:19 AM

fastcreekrags.exe terminated unexpectedly at 17:14:59 PM

Stopped at 17:37:55 PM

Started at 18:39:27 PM

Started again at 19:51:20 PM

Steg service running / stopped on 05/23/2015

Stopped at 18:59:01 PM

Steg service running / stopped on 05/24/2015

Started at 03:36:22 AM

Stopped at 12:39:15 PM

Steg service running / stopped on 05/25/2015

Started at 05:47:42 AM

Stopped at 05:57:10 AM

ldr.exe installed as a service on 05/25/2015 05:48:08 AM

Service Name: ldr

Service File Name: C:\ProgramData\rkcl\ldr.exe

Service Type: user mode service

Service Start Type: auto start

Service Account: LocalSystem

ldr.exe enters the “stopped state” on 05/25/2015 at 05:48:10 AM05:57:42 AM, and 08:54:11 AM

Special Thanks

Special thanks to the team at BleepingComputer.com for the fast analysis and contribution of information regarding this infection; specifically, Lawrence Abrams and Nathan Scott.  Additionally, granular analysis and detailed information were largely contributed by: Fabian Wosar of Emsisoft and Mark and Erik Loman of SurfRight.

Prevention Methods

Host-Based Intrusion Prevention Software (HIPS) such as McAfee HIPS, HitmanPro: Alert, and other anti-exploit software.  Additionally, the configuration and creation of Windows’ native Software Restriction Policies can aid in the prevention of future infections carried out in a similar manner.

Tools such as CryptoPrevent by FoolishIT LLC (free and enterprise versions are both available) have also been created for the specific purpose of preventing ransomware from successfully infecting your device.

Sources

Bleeping Computer: http://www.bleepingcomputer.com/

About the Author Michael Fratello

Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York.  Specializing in Penetration Testing and Digital Forensics, Michael, a St. John’s University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in-the-wild today.

Edited by Pierluigi Paganini

(Security Affairs –  Locker, malware)



you might also like

leave a comment