Locky Ransomware Now Downloaded as Encrypted DLLs

Additional analysis and information by Jaaziel Carlos.

The Locky ransomware family has emerged as one of the most prominent ransomware families to date, being sold in the Brazilian underground and spreading via various exploits. Locky has, over time, become known for using a wide variety of tactics to spread–including macros, VBScript, WSF files, and now, DLLs.

Recently we encountered a new Locky variant (detected as RANSOM_LOCKY.F116HM) that used old tactics on the surface, but with some key technical changes. The emails that were used to distribute it were fairly pedestrian as far as these messages go, although it was part of a large-scale spam campaign.

Figure 1. Locky ransomware spam

The .js files contained inside the .ZIP attachments are heavily obfuscated–again, as is the norm:

Figure 2. Locky JavaScript code

After de-obfuscation, we can see that the code does several things:

  1. There is a hardcoded list of malicious URLs which all host the encrypted Locky ransomware. The JavaScript will randomly select one URL to download from, if this fails it will try another one.
  2. Save the downloaded file content to %temp%
  3. Using XOR with a pseudo-random number generator (PRNG) to decrypt the downloaded file and save the decrypted results as xxxx.dll
  4. Using rundll32.exe to run the malicious DLL, which will result in the ransom note being displayed and the user’s files being encrypted.

In effect, the attacker created his own stream cipher as his source of a pseudorandom key stream. All PRNGs rely on an initial value (known as the seed) to set the generator’s initial state. In a normal cryptographic implementation, so long as this value is non-constant and the PRNG is well designed, the stream cipher will be sufficiently “random”.

However, if the same seed is used, the same key stream will be generated. The seed serves as a form of encryption key, the values of which are hardcoded in the JavaScript code in this implementation.

Figure 3. XOR and PRNG decryption code

Creating a PRNG is a sufficiently difficult task, which is why the attacker chose to “borrow” one instead. He took the reference implementation of the Ultra-High Entry PRNG (UHE PRNG), made some small modifications to the code, and used it in his .js file. The code used appears to be an almost direct copy of parts of the Windows scripting implementation of the UHE PRNG code.

Figure 4. UHE PRNG function

Figure 5. Rundll32.exe running the Locky DLL, with parameters

The behavior of the actual ransomware is essentially unchanged from previous Locky variants.

Figure 6. Locky ransom note

Using a DLL file in this way represents an attempt to try and evade behavior monitoring features that are now part of modern endpoint security products. Running as a DLL prevents a new process from being started, making it harder to detect. Other ransomware families (like CrypMIC/CryptXXX) have used this tactic as well, although for Locky this is new.

The use of encryption is also meant to strengthen this malware’s ability to hide itself. Without receiving the right parameters from the downloader, no actual malicious file is actually decrypted (and theoretically, detected).

Trend Micro is already able to protect users against this threat. The existing Sandbox with Script Analyzer engine, which is part of Trend Micro™ Deep Discovery™ Email Inspector, can be used to detect this threat by its behavior without any engine or pattern updates.

Trend Micro offers solutions that protect users and organizations in all aspects –at the gateway, endpoints, networks, and even servers.


  • Endpoint Protection

    Trend Micro Smart Protection Suites detects and stops suspicious behavior and exploits associated with ransomware at the endpoint level.

    Ransomware Behavior Monitoring
    Application Control
    Vulnerability Shielding
    Web Security
  • Network Protection

    Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.

    Network Traffic Scanning
    Malware Sandbox
    Lateral Movement Prevention
  • Server Protection

    Trend Micro Deep Security™ detects and stops suspicious network activity and shields servers and applications from exploits.

    Webserver Protection
    Vulnerability Shielding
    Lateral Movement Prevention


  • Protection for Home Users

    Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

    IP/Web Reputation
    Ransomware Protection

The SHA256 hashes of files related to this threat are:

  • ff3e29a31f05016dedcd61a7aac588757c8364f04fa85b7a86196c9805cd811c
  • f7d0ccb86876cd4852fa376d69e6a0073a2c5cefaa3bfc012a9b8fe371d8cdb6

The malicious URLs related to this attack are:

  • hxxp://bck.srtec.net/73bh7
  • hxxp://clickme22.wang/25r15h6p
  • hxxp://delaemvkusnoe.ru/bhszq
  • hxxp://direttaauto.com/tyknnq
  • hxxp://escapegasmech.com/2zpr9p
  • hxxp://harrypotternotawizard.ws/3jjhbrba
  • hxxp://hdjung.homepage.t-online.de/tzpwhw9s
  • hxxp://it4cio.servicos.ws/pvgbi
  • hxxp://lkfashions.com/aeeyqj8
  • hxxp://muscleinjuries.com/ehqo79
  • hxxp://policyforlife.com/efb45
  • hxxp://popcom.be/~mbs/o95r3
  • hxxp://vittuperkele.com/a1wi4m3
  • hxxp://vittuperkele.top/a6dg9qy
  • hxxp://www.compland.ee/x5ewa6u
  • hxxp://www.fulvio77.it/sx6wn
  • hxxp://www.sjones.talktalk.net/zz5sjc3
  • hxxp://www.stucchifedele.com/o0eswfu

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Locky Ransomware Now Downloaded as Encrypted DLLs

Read more: Locky Ransomware Now Downloaded as Encrypted DLLs

Story added 29. August 2016, content source with full text you can find at link above.