The Cisco Talos Security team has created a specialist tool LockyDump which extracts the configuration parameters of Locky infections.
LockyDump Aids Locky Victims
The Locky ransomware continues to be used in major attacks against a wide range of targets. This is one of the reasons why the Cisco Talos security team has created a specialist tool called LockyDump, which extracts the configuration parameters from infection samples. It also works with the Zepto and Odin variants of Locky.
Using the tool, security teams and system administrators can gain important information about the malware, including its trends, primary method of distribution and origin.
The utility can extract information about the following parameters of the Locky ransomware:
- affiID – This is the Affiliate ID that is specified in the Locky ransomware binary. So far the observed values are 1, 3, 4, 5, 8, D, E, F, 13 and 15.
- dga_seed – This is the seed value used by the Domain Generation Algorithm (DGA) used for the C&C server communications
- persist_svhost – A toggle value (“0” for off and “1” for on) that, when set, saves and runs Locky from the following location: %temp%/svchost.exe
- persist_registry – Toggle flag for setting up persistence via a registry key entry
- ignore_russian – Toggle value that terminates execution on systems that use the Russian language pack when set
- callback_path – This value contains the path on the C&C servers to which Locky sends its HTTP POST requests
- C2_servers – This value contains hardcoded IP addresses of the C&C servers used by the ransomware to obtain DGA information
- rsa_key_id – Contains the RSA Key ID used during encryption
- rsa_bits – Contains the size of the RSA key used during encryption
- rsa_exponent – Contains the prime number used by the RSA cipher during encryption
- onion_addr – Contains the ransom payment gateway address on the Tor network
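The parameters above are what a defender would turn into hunting checks once a sample has been run through the tool. The following is an added example, not Cisco Talos's code: it parses a LockyDump-style key/value dump (the dump layout, the values, the key names taken from the list above, and the proxy log lines are all constructed for illustration) and derives two checks from it, POSTs to the hardcoded C2 addresses on the callback path, and the host artifacts implied by the persistence toggles.

```python
# Added example, not Talos code: parse a LockyDump-style key/value dump and
# derive hunting checks. Dump layout, values and log lines are constructed.
from typing import Dict, List

SAMPLE_DUMP = """\
affiID: 3
persist_svhost: 1
persist_registry: 0
ignore_russian: 1
callback_path: /data/info.php
C2_servers: 198.51.100.23, 203.0.113.77
onion_addr: exampleonionaddr.onion
"""

# Constructed proxy log lines: method, client, destination IP, path.
SAMPLE_PROXY_LOG = [
    "POST 10.0.0.5 198.51.100.23 /data/info.php",
    "GET 10.0.0.5 93.184.216.34 /index.html",
    "POST 10.0.0.9 203.0.113.77 /other.php",
]

def parse_dump(text: str) -> Dict[str, object]:
    """'key: value' lines; C2_servers becomes a list, toggle flags become bools."""
    cfg: Dict[str, object] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "C2_servers":
            cfg[key] = [ip.strip() for ip in value.split(",") if ip.strip()]
        elif key.startswith("persist_") or key == "ignore_russian":
            cfg[key] = value == "1"
        else:
            cfg[key] = value
    return cfg

def c2_posts(cfg: Dict[str, object], log_lines: List[str]) -> List[str]:
    """Log lines that are HTTP POSTs to a hardcoded C2 IP on the callback path."""
    c2, path = set(cfg["C2_servers"]), cfg["callback_path"]
    hits = []
    for ln in log_lines:
        parts = ln.split()
        if len(parts) == 4 and parts[0] == "POST" and parts[2] in c2 and parts[3] == path:
            hits.append(ln)
    return hits

def persistence_artifacts(cfg: Dict[str, object]) -> List[str]:
    """Host artifacts to check for, based on the persistence toggles."""
    return ([r"%temp%\svchost.exe"] if cfg.get("persist_svhost") else []) + \
           (["registry run-key entry"] if cfg.get("persist_registry") else [])
```

Only the POST that matches both a hardcoded C2 address and the callback path is reported, so a POST to a C2 address on a different path is deliberately left out.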
The LockyDump utility can analyse both DLL and EXE files. For more information, see Cisco Talos’s detailed blog post.