The latest configurations of Locky ransomware have an improved Autopilot functionality that completely cuts out network communication and let it encrypt victim files without directions from its Command and Control centers.
“With this step, they don’t have to play the cat and mouse game anymore, setting up new servers all the time before all of them are blacklisted or taken down,” said Moritz Kroll, malware specialist in the Avira Protection Labs.
The changes enable Locky malware developers to operate in a stealth mode more hidden from security researchers and reduces their infrastructure support costs. Previously, the Locky configuration contained some Command and Control (CnC) URLs as well as a parameter for a domain generation algorithm (DGA) to create additional CnC URLs.
“This is a fine-tuning of the bad guy’s ‘off-line’ infection mode. By minimizing their code’s online activities, they don’t have to pay for so many servers and domains anymore,” said Moritz Kroll, malware specialist in the Avira Protection Labs. “but they also aren’t getting ‘nice’ infection statistics about their work anymore.”
DGAs are usually time-dependent formulas for creating a large number of domain names that malware can use for hooking up with its CnC masters. While potentially producing a cloud of misinformation, this activity also generates a visible flurry of network activity at the DGA domains which have been sinkholed by security researchers.
“While DGAs can be used to create a large number of domain names, Locky has used just 12 domains every two days,” explained Kroll. “The changes are a mix of cost optimization and leaving fewer leads for law enforcement to follow.”
For payment, the configuration still contains URLs pointing to the malware authors’ hidden service inside the Tor network. “While the bad guys at some level still have to pay for the spam and distribution via exploit kits, they have simplified their technology needs.”
The latest configuration continues the malware authors’ strategy of using a public key for all “offline victims” of the same ransomware sample together with a special ID number instead of generating a public key per user.
Reference sample: https://www.virustotal.com/en/file/608448984cf46274241009f7697b34b4e8a4cea8e9b712c1e4ea65a08d6e706a/analysis/