Locky ransomware is one of the latest and most devastating additions to the ransomware category. According to its ransom note, Locky combines the RSA algorithm with the AES-128 cipher, and that combination produces very strong encryption.
We have already analyzed the RSA algorithm:
AES Encryption General Description
AES stands for Advanced Encryption Standard. It is a symmetric encryption algorithm. Its original name is Rijndael, formed from the names of the two Belgian cryptographers who developed it, Joan Daemen and Vincent Rijmen. Rijndael is a family of ciphers.
AES itself is a specification for the encryption of electronic data, established by the American National Institute of Standards and Technology (NIST) in 2001. The Institute selected three ciphers of the Rijndael family for the AES standard, all with a 128-bit block size but with different key lengths: 128, 192 and 256 bits (via Wikipedia).
AES is an encryption standard widely used in business applications. However, crypto-malware has found a way to take advantage of it and turn it against PC users.
Ransomware and AES Encryption
Many ransomware families have employed AES, in some cases combined with another type of encryption algorithm (such as RSA):
Locky Ransomware’s Encryption in Detail
In the case of Locky, a combination of the RSA algorithm and the AES-128 cipher is used, which makes decryption very challenging. Malware researchers are currently seeking ways to beat Locky's encryption and help its victims retrieve their files.
Researchers at Palo Alto have just revealed that Locky requires communication with a command & control server for a key exchange to take place before the encryption process starts. The key exchange is performed in memory, a unique feature: most ransomware families generate the encryption key locally and randomly on the victim's machine and only then send it to the attackers' infrastructure.
This unique feature also points to a mitigation strategy: if the associated command & control servers are disrupted, the key exchange cannot take place.
In addition, Locky changes the filenames entirely. A file encrypted by Locky looks like this:
During the encryption process, the ransomware uses the AES algorithm and encrypts only files matching these extensions:
.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat
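As an added example (not code from the article or from any Locky analysis), the following Python turns the extension list above into a matcher that a defender can run over a file inventory to see which data would be selected and therefore needs verified backups first. It handles the list's irregular entries (the two-part .tar.bz2, the full filename wallet.dat, the "(Security copy)" note) and assumes matching is case-insensitive, which the article does not state; the excerpt and sample paths are constructed.

```python
import re
from pathlib import PurePath

# Constructed excerpt of the extension list quoted in the article; it keeps the
# awkward entries: a two-part extension, a parenthetical note and a full filename.
LOCKY_LIST_EXCERPT = (
    ".mid, .wma, .tar.bz2, .tbk, .bak, .tar, .tgz, .zip, .jpeg, .jpg, .sql, "
    ".SQLITEDB, .ms11 (Security copy), .docx, .DOC, .pem, .csr, .crt, .key, wallet.dat"
)


def parse_target_list(text):
    """Split the comma-separated list into (extensions, filenames), lower-cased.

    Parenthetical remarks such as "(Security copy)" are stripped from the token.
    Tokens without a leading dot (wallet.dat) are treated as full filenames.
    """
    extensions, filenames = set(), set()
    for token in text.split(","):
        token = re.sub(r"\s*\(.*?\)", "", token).strip().lower()
        if not token:
            continue
        (extensions if token.startswith(".") else filenames).add(token)
    return extensions, filenames


def is_targeted(path, extensions, filenames):
    """Return True if the list would select this file.

    Assumption: case-insensitive matching. Every suffix tail is tried, so
    backup.tar.bz2 matches .tar.bz2 while notes.bz2 does not match at all.
    """
    name = PurePath(path).name.lower()
    if name in filenames:
        return True
    suffixes = PurePath(name).suffixes  # e.g. ['.tar', '.bz2']
    return any("".join(suffixes[i:]) in extensions for i in range(len(suffixes)))


def at_risk_files(paths, text=LOCKY_LIST_EXCERPT):
    """Filter an inventory of paths down to those the list would select."""
    extensions, filenames = parse_target_list(text)
    return [p for p in paths if is_targeted(p, extensions, filenames)]


if __name__ == "__main__":
    # Constructed inventory, not taken from any real host.
    sample = ["C:/Users/a/Documents/Report.DOCX", "/srv/backup.tar.bz2",
              "/home/a/notes.bz2", "/home/a/.bitcoin/wallet.dat", "/opt/app/run.exe"]
    for p in at_risk_files(sample):
        print("at risk:", p)
```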
As we already said, for now decryption of files encrypted by Locky is not possible. Nonetheless…
Make sure to learn more about Locky’s methods and technical details.
Also, if you have been infected by Locky ransomware, make sure to remove it from your system via anti-malware software.