Locky Strike: Smoking the Locky Ransomware Code
Floser Bacurio Jr and Rommel Joven, Anti-Virus Analysts, FortiGuard Lion Team
October 7, 2016
Cryptowall
This one?
Prevalence: Global ransomware
Global Ransomware IPS Hits - February 19 to September 15 2016 (share of hits per family):
• CryptoWall: 45.53%
• Locky: 45.13%
• Cerber: 8.93%
• TorrentLocker: 0.35%
• CryptXXX: 0.06%
Prevalence: Top countries
Locky Ransomware IPS Hits – February 19 to September 15 2016. Total hits: 36,314,789
• US: 11,858,085
• FR: 6,959,892
• JP: 3,071,596
• KW: 2,732,454
• TW: 1,338,216
• AR: 970,339
• CL: 890,784
• PR: 709,372
• IT: 556,602
• IL: 540,992
Locky-est
Prevalence: Affiliate program
The following is a list of affiliate methods that have been observed:
affid | Method
1 | Spam email containing an attached JavaScript, MS Office Macro downloader or Windows Script File
3 | Spam email containing an attached JavaScript or Microsoft Office Macro downloader
5 | Spam email containing an attached JavaScript downloader
13 | Compromised sites that redirect to Nuclear or Neutrino Exploit Kit
15 | Spam email containing an attached JavaScript or HTA downloader
Locky Developments
Timeline of Developments: 2016
Timeline of Developments: 2016
• No packer
• “Locky” registry key
• Configuration: { AffiliateID; ccservers; }
Timeline of Developments: 2016
• Packed
• Registry key based on Volume GUID
• Configuration (encrypted): { AffiliateID; DGASeed; delaySeconds; FakeSvchost; Persistence; IgnoreRussian; ccServers; }
Timeline of Developments: 2016
• Encrypted HTTP communication
• Configuration: { AffiliateID; DGASeed; delaySeconds; FakeSvchost; Persistence; IgnoreRussian; urlPath; ccServers; }
Timeline of Developments: 2016
• New URI used
• Encrypted HTTP POST data is now encoded using percent encoding
Timeline of Developments: 2016
• Requires a command-line argument (e.g. “123”, “321”)
Timeline of Developments: 2016
Timeline of Developments: 2016
• Offline Mode encryption
Timeline of Developments: 2016
Timeline of Developments: 2016
Technical Analysis
Configuration
Fields of the decrypted configuration block:
• Affiliate ID
• DGA Seed
• Delay (Sleep)
• Drop svchost.exe: 01 / Skip: 00
• Autorun: 01 / Skip: 00
• Check RU: 01 / Skip: 00
• C&C offset
Configuration
URI for its C&C:
• main.php
• submit.php
• userinfo.php
• access.cgi
C&Cs:
• /upload/_dispatch.php
• /php/upload.php
• /data/info.php
• /apache_handler.php
Configuration
Configuration: Offline
Online mode vs. offline mode. In offline mode the configuration has:
• No DGA Seed
• No C&C offset
• No C&Cs and URI
Configuration: Offline
Offline mode: embedded public RSA key
Configuration: Offline
• Embedded ransom text
• Embedded HTML ransom text
Victim ID: Online
Locky creates a victim ID that is used to identify unique systems. The victim ID is created from the following information:
• Volume GUID of the Windows directory
• MD5 hash of the GUID value
e.g. victim_ID = 4DF383039AB03953
Victim ID: Offline
The victim ID is created from the following information:
• GUID of the Windows directory
• Default UI language
• OS version
• Domain controller
• Affiliate ID from the configuration
• Public key ID from the configuration
It is encoded using a hardcoded 32-character value: “YBNDRFG8EJKMCPQX0T1UWISZA345H769”.
e.g. victim_ID = IZ8FDGTNEN85I7JZ
C&C Communication
Communication Protocol: C&C
(Flowchart) Connect to the hardcoded IP. If the connection succeeds (YES): start the HTTP POST request. If it fails (NO): use the DGA to connect to a C&C.
Communication Protocol: Data Format: key=value; uses & as its delimiter
id=4DF383039AB03953&act=getkey&affid=5&lang=en&corp=0=&serv=0&os=Windows+XP&sp=3&x64=0
Field legend for the POST data above:
• id: Victim ID
• act: getkey | gettext | gethtml | stats
• affid: Affiliate ID
• lang: Language
• corp: 0: not member of a domain; 1: member of a domain; 2: primary domain controller
• serv: 0: not server; 1: server
• os: Operating System
• sp: Service Pack
• x64: Architecture, 0: x86; 1: x64
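As an added example (my own code, not from the deck or its authors), a small Python parser that splits a decrypted beacon body into fields and maps the enumerated codes to text using the legend above, so a captured check-in can be read in triage. Stripping the stray trailing `=` seen in `corp=0=` is a tolerance I assume here, not documented Locky behaviour.

```python
import re
from urllib.parse import unquote_plus

# Legend for the enumerated fields, taken from the slide.
ACT_VALUES = {"getkey", "gettext", "gethtml", "stats"}
CORP_LEGEND = {"0": "not member of a domain",
               "1": "member of a domain",
               "2": "primary domain controller"}
SERV_LEGEND = {"0": "not server", "1": "server"}
ARCH_LEGEND = {"0": "x86", "1": "x64"}

# Sample beacon body from the slide (plaintext, i.e. after the transport
# encryption and percent-encoding have already been removed).
SAMPLE = ("id=4DF383039AB03953&act=getkey&affid=5&lang=en&corp=0="
          "&serv=0&os=Windows+XP&sp=3&x64=0")


def parse_beacon(body: str) -> dict:
    """Split a beacon body into a key/value dict.

    '&' delimits fields and the first '=' separates key from value.
    Splitting on the first '=' only means a stray trailing '=' (as in
    'corp=0=' in the sample) lands in the value, where it is stripped,
    instead of breaking the parse. This tolerance is an assumption of
    this example.
    """
    fields = {}
    for item in body.split("&"):
        if not item:
            continue
        key, _, value = item.partition("=")
        fields[key] = unquote_plus(value).rstrip("=")
    return fields


def describe_beacon(body: str) -> dict:
    """Validate the fields a defender cares about and map codes to text."""
    f = parse_beacon(body)
    # Online victim IDs on the slides are 16 upper-case hex digits.
    if not re.fullmatch(r"[0-9A-F]{16}", f.get("id", "")):
        raise ValueError("id is not a 16-hex-digit online victim ID")
    if f.get("act") not in ACT_VALUES:
        raise ValueError(f"unexpected act value {f.get('act')!r}")
    return {
        "victim_id": f["id"],
        "action": f["act"],
        "affiliate_id": int(f.get("affid", "-1")),
        "language": f.get("lang", ""),
        "domain_role": CORP_LEGEND.get(f.get("corp"), "unknown"),
        "server": SERV_LEGEND.get(f.get("serv"), "unknown"),
        "os": f.get("os", ""),
        "service_pack": f.get("sp", ""),
        "architecture": ARCH_LEGEND.get(f.get("x64"), "unknown"),
    }


if __name__ == "__main__":
    for key, value in describe_beacon(SAMPLE).items():
        print(f"{key:>14}: {value}")
```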
Communication Protocol: HTTP request
(Sequence diagram: Victim ↔ C&C)
File Encryption
File Encryption: Targeted drives
• DRIVE_REMOVABLE
• DRIVE_FIXED
• DRIVE_REMOTE
• DRIVE_RAMDISK
File Encryption: Targeted extensions
Total of 194 file extensions: .n64, .m4a, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .re4, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .sh, .class, .jar, .java, .rb, .asp, .cs, .brd, .sch, .dch, .dip, .pl, .vbs, .vb, .js, .h, .asm, .pas, .cpp, .c, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .db, .mdb, .sql, .SQLITEDB, .SQLITE3, .011, .010, .009, .008, .007, .006, .005, .004, .003, .002, .001, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wb2, .123, .wks, .wk1, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .602, .dotm, .dotx, .docm, .docx, .DOT, .3dm, .max, .3ds, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .p12, .csr, .crt, .key, wallet.dat
File Encryption: Targeted extensions
From194to460fileextensions:.yuv, .qbx, .ndd, .exf, .cdr4, .vmsd, .dat, .indd, .pspimage, .obj, .ycbcra, .qbw, .mrw, .erf, .cdr3, .vhdx, .cmt, .iif, .ps, .mlb, .xis, .qbr, .moneywell, .erbsql, .bpw, .vhd, .bin, .fpx, .pct, .md, .x3f, .qba, .mny, .eml, .bgt, .vbox, .aiff, .fff, .pcd, .mbx, .x11, .py, .mmw, .dxg, .bdb, .stm, .xlk, .fdb, .m4v, .lit, .wpd, .psafe3, .mfw, .drf, .bay, .st7, .wad, .dtd, .m, .laccdb, .tex, .plc, .mef, .dng, .bank, .rvt, .tlg, .design, .fxg, .kwm, .sxg, .plus_muhd, .mdc, .dgc, .backupdb, .qcow, .st6, .ddd, .flac, .idx, .stx, .pdd, .lua, .des, .backup, .qed, .st4, .dcr, .eps, .html, .st8, .p7c, .kpdx, .der, .back, .pif, .say, .dac, .dxb, .flf, .st5, .p7b, .kdc, .ddrw, .awg, .pdb, .sas7bdat, .cr2, .drw, .dxf, .srw, .oth, .kdbx, .ddoc, .apj, .pab, .qbm, .cdx, .db3, .dwg, .srf, .orf, .kc2, .dcs, .ait, .ost, .qbb, .cdf, .cpi, .dds, .sr2, .odm, .jpe, .dc2, .agdl, .ogg, .ptx, .blend, .cls, .css, .sqlite, .odf, .incpas, .db_journal, .ads, .nvram, .pfx, .bkp, .cdr, .config, .sdf, .nyf, .iiq, .csl, .adb, .ndf, .pef, .al, .arw, .cfg, .sda, .nxl, .ibz, .csh, .acr, .m4p, .pat, .adp, .ai, .cer, .sd0, .nx2, .ibank, .crw, .ach, .m2ts, .oil, .act, .aac, .asx, .s3db, .nwb, .hbk, .craw, .accdt, .log, .odc, .xlr, .thm, .aspx, .rwz, .ns4, .gry, .cib, .accdr, .hpp, .nsh, .xlam, .srt, .aoi, .rwl, .ns3, .grey, .ce2, .accde, .hdd, .nsg, .xla, .save, .accdb, .rdb, .ns2, .gray, .ce1, .ab4, .groups, .nsf, .wps, .safe, .7zip, .rat, .nrw, .fhd, .cdrw, .3pr, .flvv, .nsd, .tga, .rm, .1cd, .raf, .nop, .fh, .cdr6, .3fr, .edb, .nd, .rw2, .pwm, .wab, .qby, .nk2, .ffd, .cdr5, .vmxf, .dit, .mos, .r3d, .pages, .prf, .oab, .msg, .mapimail, .jnt, .dbx, .contact
File Encryption: Algorithm
Encryption used:
• Uses both RSA and AES algorithms
• The AES-128 key is randomly generated for each file
• The AES-128 key is used to encrypt the file and its filename
• After encryption, the AES-128 key is encrypted with RSA-2048
File Encryption: Filename
Format of filenames of encrypted files:
4DF383039AB03953D81660EB4CADC28D.locky (Victim ID: 4DF383039AB03953; File ID: D81660EB4CADC28D)
File Encryption: Filename
Format of filenames of encrypted files:
4DF383039AB03953D81660EB4CADC28D.locky (Victim ID: 4DF383039AB03953; File ID: D81660EB4CADC28D)
0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto (Victim ID: 0X3U7IYC-IA09-CQ94; File ID: D26F-CFA67B8E895D)
File Encryption: Filename
Format of filenames of encrypted files:
4DF383039AB03953D81660EB4CADC28D.locky (Victim ID: 4DF383039AB03953; File ID: D81660EB4CADC28D)
0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto (Victim ID: 0X3U7IYC-IA09-CQ94; File ID: D26F-CFA67B8E895D)
0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.odin (Victim ID: 0X3U7IYC-IA09-CQ94; File ID: D26F-CFA67B8E895D)
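As an added example (my own code, not from the deck), a Python matcher for the three encrypted-filename layouts shown on these slides that pulls the victim ID and file ID out of a directory listing. This is the kind of check a responder runs over a file share to count affected files and see how many distinct victim IDs (infected hosts) wrote into it. The 8-4-4 / 4-12 dash grouping for .zepto and .odin is read off the sample name; treating it as the general rule is my assumption.

```python
import re
from collections import Counter

# Encrypted-file name layouts, inferred from the slide examples.
PATTERNS = {
    # 4DF383039AB03953 + D81660EB4CADC28D + .locky
    "locky": re.compile(
        r"^(?P<victim>[0-9A-F]{16})(?P<file>[0-9A-F]{16})\.locky$"),
    # 0X3U7IYC-IA09-CQ94 + "-" + D26F-CFA67B8E895D + .zepto / .odin
    # (assumed grouping: 8-4-4 victim ID, 4-12 hex file ID)
    "zepto": re.compile(
        r"^(?P<victim>[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4})-"
        r"(?P<file>[0-9A-F]{4}-[0-9A-F]{12})\.zepto$"),
    "odin": re.compile(
        r"^(?P<victim>[0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4})-"
        r"(?P<file>[0-9A-F]{4}-[0-9A-F]{12})\.odin$"),
}


def parse_encrypted_name(name: str):
    """Return {family, victim_id, file_id} for a Locky-style name, else None."""
    for family, pattern in PATTERNS.items():
        m = pattern.match(name)
        if m:
            return {
                "family": family,
                # Dashes are layout only; store the raw 16-character IDs.
                "victim_id": m["victim"].replace("-", ""),
                "file_id": m["file"].replace("-", ""),
            }
    return None


def triage_listing(names):
    """Summarise a listing: encrypted files per family and per victim ID.

    More than one victim ID in the same share means more than one
    infected host has written into it.
    """
    families, victims = Counter(), Counter()
    for name in names:
        hit = parse_encrypted_name(name)
        if hit:
            families[hit["family"]] += 1
            victims[hit["victim_id"]] += 1
    return {"families": dict(families), "victims": dict(victims)}


# Constructed listing: the three slide examples plus two benign names.
SAMPLE_LISTING = [
    "4DF383039AB03953D81660EB4CADC28D.locky",
    "0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.zepto",
    "0X3U7IYC-IA09-CQ94-D26F-CFA67B8E895D.odin",
    "budget-2016.xlsx",
    "notes.txt",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```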
File Encryption: File layout
[Encrypted AES Key][Encrypted File]
File Encryption: File layout
• Encrypted data (encryption used: AES-128)
• Hardcoded value
• Victim ID & File ID
• Encrypted AES key (encryption used: RSA-2048)
• Encrypted filename (encryption used: AES-128)
HTML Ransom Note
Decryptor Page
Harvest Locky Configuration
Automate Configuration Extraction: Overview
Cuckoo Setup
(Flowchart with YES/NO branches)
Demo: Locky Config Extraction in Cuckoo Sandbox
Takeaways