As one of the top 3 ransomware threats currently in circulation, Locky has undergone several updates since the beginning of the year which have made it more capable of encrypting files. The latest update apparently allows it to alter files and lock them down – even when your computer is offline. How can it do this? The latest strain has a program upgrade or fallback mechanism that allows it to lock-down the cyber target’s files anyway, without a requested unique encryption key from its Command and Control (C&C) server.
This had apparently been a problem for the Russian “Cyber Mafia” ransomware hackers, who found that in many cases the malware became dead in the water when cut off from its C&C server by firewalls. And, by all accounts, the “new and improved” Locky can begin the encryption and lock-down process of a PC’s entire database within 1 to 2 minutes, thanks to now being able to bypass firewalls that normally would block the malware’s outgoing communications to the “mothership” (server) to get the aforementioned unique encryption key.
How It Works
In order to successfully lock down and encrypt files, Locky requires unique-for-each-infection public-private encryption key pairs generated by the C&C server. Here’s how the related sequence of events in the encryption routine goes down:
- Locky generates a local encryption key that uses an AES, or Advanced Encryption Standard algorithm to encrypt files with selected extensions.
- It then communicates with a C&C server, asking it to generate an RSA key pair for the now-infected system.
- The public key is then sent back to the infected computer or device and used to encrypt the AES key from step 1. The private key, which is required to decrypt what the public key encrypted, remains on the C&C server and is the one you get when you pay the ransom in lieu of decrypting your files.
The Upside and Downside
Organizations that have network cutoff cyber defenses as damage control will be lucky if their IT network has fast response time, isolating the file encryption to only one computer. But those that aren’t fast on the draw will end up getting large parts – if not their entire IT network – infected with the Locky ransomware virus being distributed via aggressive spam and phishing campaigns right now. The upside? If you actually do pay the ransom and get the private key, that key will work to decrypt files on other networks and terminals if they are of the same Locky configuration, which means you have a free decryptor tool for any PCs or networks that become future victims of that strain. It also means that we could see a public free decryptor tool through open source means in the near future as well.