The Russian Cyber Mafia behind the Dridex and Locky ransomware has added a fallback mechanism to the latest strain of its malware, built for situations where the code can’t reach its Command & Control (C&C) server.
Researchers from antivirus vendor Avira blogged about this version, which starts encrypting files even when it cannot request a unique encryption key from the C&C server because the computer is offline or a firewall blocks outgoing communications.
Calling the mothership is normally required for ransomware that uses public key cryptography. If the code is unable to call home to a C&C server after it infects a new machine, most ransomware does not start the encryption process and is dead in the water.
Why? The encryption routine needs a unique public-private key pair, generated by the C&C server for each infection. How does this work? Here is a simplified sequence of events.
- The ransomware program generates a local encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files with certain extensions.
- It reaches out to a C&C server and asks that machine to generate an RSA key pair for the newly infected system.
- The public key of that pair is sent back to the infected machine and used to encrypt the AES key from step 1. The private key (needed to decrypt what the public key encrypted) stays on the C&C server; it is the key you get when you pay the ransom, and it is what the decryptor uses.
As you can see, a lot of ransomware strains are useless if a firewall detects their attempt to call home and blocks it as suspicious. There is another scenario, however…
As damage control, organizations also cut a computer off from the network the moment a ransomware infection is detected. They might even take the whole network offline until they can investigate whether other systems have also been infected.
The silver lining? In offline mode the malware cannot obtain a per-victim key pair, so if someone pays the ransom and gets the private key, that key will work for all other offline victims as well; expect a free decryptor to become available in the near future.
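The three-step sequence above and the "silver lining" it leads to, as an added Go example that is not from this post, from Avira, or from any Locky sample: Seal and Open implement the AES-then-RSA envelope with Go's standard library, and KeyScopeDemo uses freshly generated stand-in keys to show why key scope decides recovery, since a per-victim private key helps nobody else while one pair shared by every offline victim means a single recovered private key opens all of their files. It assumes Go 1.24 or later, where crypto/rand.Read cannot fail.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what stays on disk: AES-GCM ciphertext plus the RSA-wrapped AES key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
// Seal follows the post's sequence: a fresh AES-256 key encrypts the data, then an
// RSA public key (per infection from the C&C, or one fixed embedded key offline) wraps it.
func Seal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand.Read cannot fail since Go 1.24 (assumed here)
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // a 32-byte key is always valid for AES
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}
// Open is the decryptor side: unwrap the AES key with the RSA private key, then decrypt; any other private key fails the unwrap.
func Open(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}
// KeyScopeDemo (constructed keys) shows why key scope decides recovery: another victim's
// private key opens nothing, but one pair shared by every offline victim opens all their files.
func KeyScopeDemo() (wrongKeyFails, sharedKeyOpensAll bool) {
	shared, _ := rsa.GenerateKey(rand.Reader, 2048)    // the embedded offline pair
	perVictim, _ := rsa.GenerateKey(rand.Reader, 2048) // some online victim's own pair
	env1, _ := Seal(&shared.PublicKey, []byte("offline victim 1"))
	env2, _ := Seal(&shared.PublicKey, []byte("offline victim 2"))
	_, err := Open(perVictim, env1)
	wrongKeyFails = err != nil
	p1, _ := Open(shared, env1)
	p2, _ := Open(shared, env2)
	sharedKeyOpensAll = string(p1) == "offline victim 1" && string(p2) == "offline victim 2"
	return
}
```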
F-Secure researchers reported on two massive phishing campaigns distributing Locky this week, one of them reaching 120,000 hits per hour, more than 200 times higher than the spam hits on a regular day, they said in a blog post. Both campaigns use malicious zip attachments containing JavaScript files, which Windows can execute out of the box without any additional software.