Locky Ransomware Encrypts Files Even When Machine Is Offline


Locky is currently one of the top 3 ransomware threats, following closely behind CryptoWall. It's not surprising that this strain has undergone several updates since the beginning of the year, the most recent being discovered on July 12.

The Russian Cyber Mafia behind Dridex and Locky ransomware has added a fallback mechanism to the latest strain of their malware, created for situations where their code can't reach its Command & Control (C&C) server.

Researchers from antivirus vendor Avira blogged about this version, which starts encrypting files even when it cannot request a unique encryption key from the C&C server because the computer is offline or a firewall blocks outgoing communications.

Calling the mothership is normally required for ransomware that uses public key cryptography. In fact, if the code is unable to call home to a C&C server after it infects a new machine, most ransomware does not start the encryption process and is dead in the water.

Why? The encryption routine needs unique public-private key pairs that are generated by the C&C server for each infection. How does this work? Here is a simplified sequence of events.

  1. The ransomware program generates a local encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files with certain extensions.
  2. It reaches out to a C&C server and asks that machine to generate an RSA key pair for the newly infected system.
  3. The public key of that pair is sent back to the infected machine and used to encrypt the AES encryption key from step 1. The private key (needed to decrypt what the public key encrypted) stays on the C&C server; it is the key that you get when you pay the ransom, and it is used for decryption.

As you see, a lot of ransomware strains are useless if a firewall detects their attempt to call home and blocks it as suspicious. There is another scenario however...

As damage control, organizations also cut off a computer from the network the moment a ransomware infection is detected. They might even take the whole network offline until they can investigate if other systems have also been infected. 

The silver lining? If someone pays the ransom and gets the private key, that key will work for all other offline victims of the same Locky configuration as well, so expect a free decryptor to become available in the near future. 
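The difference between the per-infection key pairs in the steps above and the offline fallback can be seen in a toy model of the key wrapping alone. This is an added example, not code from Avira or from the malware: it uses textbook RSA on plain integers, and it assumes that offline mode wraps every victim's AES key under one key pair shared per configuration, as the paragraph above implies. All function names and values are constructed for illustration.

```python
# Added illustration: toy textbook RSA on integers (no padding, no file access).
# Mersenne primes are used only so the toy key pairs are reproducible.
import secrets

E = 65537  # common RSA public exponent

def toy_keypair(k1, k2):
    """Toy RSA pair built from the Mersenne primes 2**k1-1 and 2**k2-1."""
    p, q = 2**k1 - 1, 2**k2 - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # (public, private)

def wrap(aes_key, public):
    """Step 3: encrypt the local AES key under the RSA public key."""
    n, e = public
    return pow(aes_key, e, n)

def unwrap(wrapped, private):
    """What a released private key does: recover the AES key."""
    n, d = private
    return pow(wrapped, d, n)

def simulate(victims, online):
    """Return {victim: (aes_key, wrapped_key, matching_private_key)}.

    online=True  -> each victim gets its own pair (steps 1 to 3 above).
    online=False -> assumed fallback: one pair shared by all victims.
    Supports up to three victims (three constructed per-victim pairs).
    """
    shared_pub, shared_priv = toy_keypair(107, 127)
    per_victim = [(61, 89), (89, 107), (61, 107)]
    state = {}
    for name, primes in zip(victims, per_victim):
        aes_key = 2 + secrets.randbits(64)  # stand-in for the AES key
        pub, priv = toy_keypair(*primes) if online else (shared_pub, shared_priv)
        state[name] = (aes_key, wrap(aes_key, pub), priv)
    return state

def victims_recovered_by(released_private, state):
    """Which victims' AES keys does one released private key recover?"""
    return sorted(name for name, (aes_key, wrapped, _) in state.items()
                  if unwrap(wrapped, released_private) == aes_key)

if __name__ == "__main__":
    for mode in (True, False):
        st = simulate(["A", "B", "C"], online=mode)
        print("online" if mode else "offline", victims_recovered_by(st["A"][2], st))
```

With per-infection pairs, victim A's private key recovers only A's AES key; in the shared-key case the same single key recovers all three.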

F-Secure researchers reported on two massive phishing campaigns distributing Locky this week, one of them reaching 120,000 hits per hour, more than 200 times higher than the spam hits on a regular day, they said in a blog post. Both campaigns use malicious zip attachments containing JavaScript files, which can be executed on Windows out of the box, without any additional software.


Here is the blog post with the list of 11 things you can do to block ransomware
