First Bitcoin ransomware with chinese promptslocky

Antiy CERT



First Edition: 9:26, Feb.18, 2016

Pub Date: 14:04, Feb.19, 2016

Update: 14:04, Feb.19, 2016



1          Introduction


Antiy CERT found a new kind of ransomware named “Locky” that can encrypt more than 100 kinds of file types through RSA-2048 and AES-128 algorithm, meanwhile, release a ransomware prompt file named _Locky_recover_instructions. txt in every directory with encrypted files. Antiy CERT researchers found that it is a kind of ransomware that transmits by spam mail and is the first Bitcoin ransomware with Chinese prompts.

2          Sample analysis


2.1         Sample labels

Virus name Trojan/Win32.Locky.a
Original file name ladybi.exe
MD5 FB6CA1CD232151D667F6CD2484FEE8C8
Processor framework X86-32
File size 180 KB (184,320 byte)
File format BinExecute/Microsoft.EXE[:X86]
Timestamp 42B63E17->2005-06-20 11:55:03
Digital signature NO
Shell NO
Compiled language Microsoft Visual C++ 6.0
VT first update time 2016-02-16 10:53:39
VT detect result 41/55


2.2         Sample functions

This ransomware “Locky” racketeers users by kidnapping user data. It encrypts more than 100 kinds of file types through RSA-2048 and AES-128 algorithm and release a ransomware prompt file named _Locky_recover_instructions. txt in every directory with encrypted files.

“Locky”sample’s local behavior: copy itself to system temporary directory %Temp%, and rename as svchost; traverse the files in system, determine whether the file suffix is in the built-in sample list, if it is, encrypt the samples; create prompt file _Locky_recover_instructions.txt in many folders; create file _Locky_recover_instructions.bmp in desktop; And set this file as the desktop background and prompt users how to successfully restore the encrypted files; Add relevant registry keys; Delete system restore snapshot.

  • copy itself to exe in %Temp% directory and add startup.
  • The encrypted types are as follows:


.m4u .m3u .mid .wma .flv .3g2 .mkv .3gp .mp4 .mov .avi .asf .mpeg .vob .mpg .wmv .fla .swf .wav .mp3 .qcow2 .vdi .vmdk .vmx .gpg .aes .ARC .PAQ .tar.bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .djv .djvu .svg .bmp .png .gif .raw .cgm .jpeg .jpg .tif .tiff .NEF .psd .cmd .bat .sh .class .jar .java .rb .asp .cs .brd .sch .dch .dip .pl .vbs .vb .js .asm .pas .cpp .php .ldf .mdf .ibd .MYI .MYD .frm .odb .dbf .db .mdb .sql .SQLITEDB .SQLITE3 .asc .lay6 .lay  .ms11 .sldm .sldx .ppsm .ppsx .ppam .docb .mml .sxm .otg .odg .uop .potx .potm .pptx .pptm .std .sxd .pot .pps .sti .sxi .otp .odp .wb2 .123 .wks .wk1 .xltx .xltm .xlsx .xlsm .xlsb .slk .xlw .xlt .xlm .xlc .dif .stc .sxc .ots .ods .hwp .602 .dotm .dotx .docm .docx .DOT .3dm .max .3ds .xml .txt .CSV .uot .RTF .pdf .XLS .PPT .stw .sxw .ott .odt .DOC .pem .p12 .csr .crt .key
  • Do not encrypt files that contains path and file name that contain the following string:
tmp, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows
  • “Locky” registers that added






HKCU\Control Panel\Desktop\Wallpaper        “%UserProfile%\Desktop\_Locky_recover_instructions.bmp”


  • Delete system restoring snapshot

Delete all Shadow Copies in whole disk through calling vssadmin.exe Delete Shadows /All /Quiet, and make infected system cannot restore by them.


  • Internet behavior:
  • Send part information of infected machine to C&C server.
  • Download RSA public key from C&C server to prepare for the encryption.
  • Upload the encrypted file list.
  • To obtain corresponding message according to system language from the server.

2.3         Related technique

2.3.1          Domain generation algorithm

“Locky” samples will use function rdtsc to obtain processor time firstly, make the value and some variables modulo operated, and determine whether the samples visits domains generated by algorithm, or directly accesses to the hard-coded IP address, which can make samples randomly to some extent.


Figure 1 Domain name generation algorithm

The generation of Domain name needs a random number which is conducted according to the date that machine got infected.


Figure 2 Random value calculation

2.3.2          C&C server

The victim host and server interact with HTTP Post request. The victim host visits main.php in C&C server. Parameters are as follows:

Parameters Meaning
id Randomly generated number
act C&C control server
affid VIP ID
lang Language used by computer
corp Unknown
serv Unknown
os Operating system
sp Fixpack
x64 Whether 64-bit system or not

All requests by victimized hosts are encrypted by hard-coded key in sample and sent to C&C server after encryption. The receive packets are encrypted in the same specific encryption and “Locky” will firstly decrypt operation after receiving encrypted data.

Part information about encrypted packet:


Figure 3 Content of packet

Encryption algorithm when sends packets:


Figure 4 Encryption algorithm

Decryption algorithm of samples when receiving data:


Figure 5 Decryption algorithm

2.3.3          Control command

There are four control commands at present, namely, stats, getkey, report, gettext.

Command Function
stats Send some basic information, such as the number of successfully encrypted files, number and length of files that fail to encrypt.
getkey RSA public key that used to download encryption from the server.
report Send encrypted file list to server.
gettext Obtain information that prompts user how to decrypt, C&C server will return the corresponding language prompt information according to computer language that sent back, such as: send back zh will return Chinese, send back en will return English.

The prompt is as follows:


Figure 6 Prompt content

3          Conclusion


Through the analysis of Antiy CERT, the function of ransomware “Locky” is basically identical as the function of ransomware that analyzed before [1]. Ransomware can bring huge benefits to attackers, because it uses Bitcoin to trade that is difficult to track. Once the users are infected by ransomware, they can only decrypt by payment or discard these files. Antiy CERT reminds mass users that even the payment cannot fully guarantee to completely restore the encrypted files. To prevent data being encrypted, defense of ransomware is essential and users should form good habit of Internet use and do not perform unknown documents.

The purpose of “Locky” is the same as other software, which asks users for money by encrypting user data. What is unlike to other ransomware, it is the first Bitcoin ransomware with a Chinese prompt, showing that targets of ransomware are expanding gradually and will develop more localized versions.

Antiy CERT predicts that China will be attacked more by similar ransomware in future. Therefore, how to defense ransomware becomes one of the important tasks to defend network security.

Appendix 1: References


[1] Uncover of real ransomware


Appendix 2: About Antiy


Starting from antivirus engine research and development team, Antiy now has developed into an advanced security product supplier with four research and development centers, nationwide detection and monitoring ability as well as products and services covering multiple countries. With a fifteen-year continual accumulation, Antiy has formed massive security knowledge and promoted advanced products and solutions against APT with integrated application of network detection, host defense, unknown threat identification, data analysis and security visual experiences. With the recognition of technical capacity by industry regulators, customers and partners, Antiy has consecutively awarded qualification of national security emergency support unit four times and one of the six of CNNVD first-level support units. Antiy detection engine for mobile is the first Chinese product that obtained the first AV – TEST (2013) annual awards and more than ten of the world’s famous security vendors choose Antiy as their detection partner.

More information about antivirus engine:


Appendix 3: log of document update


Update time Version  Content
2016-02-18 09:26 V1.0 Writing
2016-02-19 14:04 V1.1 Modification
yyyy-mm-dd 00:00
yyyy-mm-dd 00:00