Research Centre

[VB 2016] LOCKY STRIKE: Smoking the Locky Ransomware Code

This is an in depth take on the Locky Ransomware which was presented at VB 2016 in Denver.


In this paper, we will delve into the technical details of the Locky ransomware. We will focus on three technical aspects: its system behaviour, domain generation algorithm (DGA), and C&C communication.

Initially, we will talk about Locky's prevalence in the wild and how it behaves on landing on a PC. We will then look at its DGA details and how we are able to simulate it in an automated fashion for C&C domain harvesting.

The paper will also explore Locky's obfuscated C&C communications including its parameters, encryption and decryption. As a result of these findings, we will demonstrate how we successfully spoofed HTTP requests to the C&C servers to force it to respond with certain information, such as targeted countries.

The paper will conclude with some insights into Locky's operation and how these findings ultimately translate to actionable threat intelligence that can be used to protect users.

References