Peter G (sinetimore) wrote,
Peter G

Under Locky's Key

A macro can hijack your computer?  What, the last 20 years of computer security never happened?

Okay, there's a new ransomware going around, that takes advantage of the fact that macros have access to every nook and cranny on a Windows machine (IN 2016?!?) and the casualness of people with email attachments.  Yes, I know, we're all careful and yada yada yada.  But this thing is spreading too fast -- an estimated 4,000 infentions an hour, 100,000 per day, and 400,000 sessions in the two days since it appeared in the wild.  The people behind Locky are clearing aiming for a massive deployment and they are well on their way.  People aren't paying attention, and they need to.

This particular randomware is called Locky.  Some people theorize that the crew behind it is also responsible for Dridex, but that could simply be reverse engineering and following a model that works.  Anyway, what happens is this -- the user will get some sort of email through Office 365 or Outlook claiming to be an invoice (businesses are obviously the most likely to fall for this) with an attached invoice document.  The text of the email is as follows:

"Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice.

"Let us know if you have any questions.

"We greatly appreciate your business!"

Now, here's where people need to pay attention.  M$ ships its software with marcos automatically disabled precisely because of things like this.  So the user has to be tricked into running it.  The document gets downloaded and the user tries to open it.  If macros are already enabled, it's Game Over.  If they aren't (and this is the part that is actually pretty clever), the top of the document advises that, if the message is gibberish (which it is), enable macros to view it properly.

PRO-TIP:  macros have no effect whatsoever on text encoding.  If you see a random pile of letters and numbers, running a macro won't fix it.  BE AUTOMATICALLY SUSPICIOUS OF ANYTHING THAT ADVISES YOU TO RUN MACROS TO VIEW IT PROPERLY.

This executes the macro, embedded as DocDl-BCF, which saves file Ransom-CGX to disk and runs it.  This is the downloader for the final payload, Ransom-CGW.  It connects to the C&C and creates a key exchange in memory prior to encryption (this means the key itself is unencrypted, which could help people locate and isolate the C&C networks, but that'll probably be changed before too long).  It then begins encrypting files using RSA-2048 and AES-1024 algorithms, making them practically impossible to crack.

Now, if you are casual enough to enable macros just because a suspicious document told you to, you are casual enough that Locky is going to inflict more damage than you ever considered.  First, the list of files this thing encrypts is astonishing.  Nothing is safe, even .mp3's and .pdf's and .mid files.  It will even encrypt your Bitcoin wallet if you have one there, taking the funds hostage.  But wait, there's more!  Anything your user account has access to is hit.  This means that, if you are running with mod privileges (as most people simply do), everything including other user accounts will be hit.  ANY MOUNTED DRIVE WILL BE HIT, FROM A USB DRIVE TO A NETWORK.  So your server could be running OS X or my precious Linux, and as long as you are cleared for access, those files will be encrypted, too.  But wait, there's more!  If you are casual enough to just enable macros and run as superuser, that also means you aren't really backing up your computer, you are relying on M$' Volume Sanpshot Service (VSS).  These are live backup snapshots, also known as shadow copies, that run in the background so you don't have to interrupt what you are doing to make a proper backup -- no logging out or closing apps.  Well, Locky deletes every last one of these things, so if you have never made a proper backup, you are hosed.

And that is when your wallpaper is replaced with this little message:

All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:
1. hxxp://
2. hxxp://
3. hxxp://
4. hxxp://
If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser: hxxps://
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6dtxxxxm4crv6rr6.onion/07Bxxx75DC646805
4. Follow the instructions on the site.
!!! Your personal identification ID: 07Bxxx75DC646805 !!!"

You might be able to enter Safe Mode and restore from a network connection, but that's not guaranteed.  No matter what, unless you have a recent backup, you're nailed.

Attacks like these can be mitigated against by running under a restricted account and such.  But the first line of defense is, keep those macros turned off.

And spread the word.

We must look out for each other.
  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded