
Abstract

Friday 7 October 09:30 - 10:00, Green room

Roland Dela Paz (Fortinet)
Rommel Joven (Fortinet)
Floser Bacurio (Fortinet)

In late January this year, an unknown Tor onion-based ransomware payment page surfaced. The new onion site didn't attract much attention; it was likely "just another" script kiddie trying to get into the ransomware business. However, in the third week of February a massive ransomware campaign landed on at least 90,000 PCs per day [1] around the world, and it pointed victims to the exact same Tor onion site in order to pay the ransom. The ransomware's name was "Locky".

At that point, it became apparent not only that Locky is the work of experienced cybercriminals, but also that Locky is a major ransomware threat that end-users and enterprises now face. In fact, Locky's early variants show attributes that lead us to believe it will become a prominent ransomware family alongside CryptoWall and TeslaCrypt.

In this paper, we will delve into the technical details of the Locky ransomware, focusing on three technical aspects: its system behaviour, its domain generation algorithm (DGA), and its C&C communication.

We will first discuss Locky's prevalence in the wild and how it behaves once it lands on a PC. We will then look at the details of its DGA and how we are able to simulate it in an automated fashion to harvest C&C domains.

The paper will also explore Locky's obfuscated C&C communications, including its request parameters and the encryption and decryption applied to them. Building on these findings, we will demonstrate how we successfully spoofed HTTP requests to the C&C servers to force them to respond with certain information, such as the targeted countries.

The paper will conclude with insights into Locky's operation and how these findings ultimately translate into actionable threat intelligence that can be used to protect users.

[1] http://www.forbes.com/sites/thomasbrewster/2016/02/18/ransomware-hollywood-payment-locky-menace/#48414f3975b0

Slides