- Feb 4, 2016
- Content source
- http://blog.avira.com/locky-ransomware-lockdown/
Locky communication with its victims is now encrypted, giving the ransomware more secrecy and control over its operations.
Locky ransomware has shifted into an encrypted lockdown mode and is now protecting the network communication between victims and the command & control servers with public key encryption.
The changeover gives Locky workings greater secrecy and gives the overlords distributing the ransomware tighter control over their network infrastructure and restricts researchers’ ability to eavesdrop on botnet activities.
“The addition of the public key encryption of the network communication throws a wrench in the ability of outsiders to track or even influence Locky activities,” said Moritz Kroll, malware researcher at Avira. “You now have to have the RSA private key – the other half of this equation – to tap into the network. And the Locky developers are clearly keeping this to themselves.”
Locky has always sent a specific public key to each victim as part of the file encryption process. Now it’s also using an RSA public key, which is provided with the sample, to encrypt the keys for C&C communication. The new development has Locky sending out one binary blob with an AES-CTR encrypted connection string as well as one RSA encrypted block with two keys and an HMAC-SHA1 hash.
“The private RSA key is needed to extract the request and response keys which then sets off one more decryption of the request message and one hash verification. If you don’t have this RSA key, it is neither possible to understand the request nor to create a response that the Locky Trojan can decrypt and understand,” explained Kroll.
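The two paragraphs above describe a standard hybrid envelope: a symmetric key protects the request body, and the operator's RSA public key protects the symmetric keys plus an integrity tag. The following Go program is an added illustration of that construction from an analyst's point of view, not Locky's code and not Avira's; it shows why a captured blob cannot be opened or altered without the matching private key. Key sizes, the use of RSA-OAEP, keying the HMAC with the request key, and the sample request string are all assumptions made for the demo; the article states only AES-CTR, RSA, two keys and an HMAC-SHA1.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

const keyLen = 16 // AES-128 keys: an assumption of this demo, not stated in the article

// Envelope models the two parts the article describes: an AES-CTR encrypted
// body and an RSA-encrypted block carrying both keys and an HMAC-SHA1 tag.
type Envelope struct {
	Body     []byte // IV || AES-CTR ciphertext of the connection string
	KeyBlock []byte // RSA-OAEP( requestKey || responseKey || HMAC-SHA1(Body) )
}

func aesCTR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

func hmacSHA1(key, data []byte) []byte {
	m := hmac.New(sha1.New, key) // HMAC keyed with the request key: an assumption
	m.Write(data)
	return m.Sum(nil)
}

// Seal is the sending side; it needs only the public key shipped with the sample.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, []byte, error) {
	reqKey, respKey, iv := make([]byte, keyLen), make([]byte, keyLen), make([]byte, aes.BlockSize)
	for _, b := range [][]byte{reqKey, respKey, iv} {
		if _, err := rand.Read(b); err != nil {
			return nil, nil, err
		}
	}
	ct, err := aesCTR(reqKey, iv, plaintext)
	if err != nil {
		return nil, nil, err
	}
	body := append(append([]byte{}, iv...), ct...)
	keyBlock := append(append(append([]byte{}, reqKey...), respKey...), hmacSHA1(reqKey, body)...)
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyBlock, nil)
	if err != nil {
		return nil, nil, err
	}
	return &Envelope{Body: body, KeyBlock: enc}, respKey, nil
}

// Open is the receiving side: every step depends on the private key recovering the key block first.
func Open(priv *rsa.PrivateKey, env *Envelope) (plaintext, responseKey []byte, err error) {
	kb, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.KeyBlock, nil)
	if err != nil {
		return nil, nil, errors.New("key block undecryptable: wrong or missing private key")
	}
	if len(kb) != 2*keyLen+sha1.Size || len(env.Body) < aes.BlockSize {
		return nil, nil, errors.New("malformed envelope")
	}
	reqKey, respKey, tag := kb[:keyLen], kb[keyLen:2*keyLen], kb[2*keyLen:]
	if !hmac.Equal(hmacSHA1(reqKey, env.Body), tag) {
		return nil, nil, errors.New("HMAC-SHA1 mismatch: body was altered in transit")
	}
	plaintext, err = aesCTR(reqKey, env.Body[:aes.BlockSize], env.Body[aes.BlockSize:])
	return plaintext, respKey, err
}

// RoundTrip runs the three cases an analyst cares about and returns their outcomes.
func RoundTrip() (recovered string, wrongKeyErr, tamperErr error, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, nil, err
	}
	msg := []byte("id=CONSTRUCTED-VICTIM-ID&lang=en") // constructed sample, not a real Locky string
	env, respKey, err := Seal(&operator.PublicKey, msg)
	if err != nil {
		return "", nil, nil, err
	}
	pt, respKey2, err := Open(operator, env) // case 1: the operator opens it and also learns the response key
	if err != nil {
		return "", nil, nil, err
	}
	if !bytes.Equal(respKey, respKey2) {
		return "", nil, nil, errors.New("response key disagreement")
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // case 2: any other RSA key fails at the first step
	if err != nil {
		return "", nil, nil, err
	}
	_, _, wrongKeyErr = Open(other, env)
	tampered := &Envelope{Body: append([]byte{}, env.Body...), KeyBlock: env.KeyBlock} // case 3: one flipped bit
	tampered.Body[len(tampered.Body)-1] ^= 0x01
	_, _, tamperErr = Open(operator, tampered)
	return string(pt), wrongKeyErr, tamperErr, nil
}

func main() {
	pt, wrongKeyErr, tamperErr, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator recovered: %q\nwrong key: %v\ntampered body: %v\n", pt, wrongKeyErr, tamperErr)
}
```

The point for defenders is the ordering inside Open: the HMAC tag and both session keys sit behind the RSA layer, so a passive capture yields neither the request content nor a usable key for a forged response, and a modified body is rejected before decryption. What remains observable on the wire is only the envelope's shape (a fixed-size RSA block next to a variable-size body), which is the kind of signal network detection has to rely on once the payload is opaque.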
Full article: Locky ransomware goes into lockdown mode - Avira Blog