Detection of the Locky Ransomware with Hillstone iNGFW

The Characteristics of the Locky Ransomware

Locky is a ransomware that is usually contained within a Microsoft Word document sent by email as an attachment – often as an invoice – to large numbers of recipients using a massive spam campaign. Locky has spread rapidly since its first appearance and has infected thousands of computers hourly, according to research.

Once the attachment is opened, the ransomware is installed and enabled on the victim’s computer. It tries to download Portable Executable (PE) files from a remote control server and executes it from there. It then encrypts every file in the local drive, as well as the network, using RSA-2048 and AES-1024 algorithms.

It subsequently displays messages on the victim’s machine and tells the victim to visit an attacker’s website for further instructions and ransom payment in order to decrypt the previously encrypted files. The ransom demand varies and can be paid using bitcoin.

More recently, Locky ransomware has been spreading rapidly and has caused great damage and disruption to businesses around the world. In one of the more recent Locky ransomware incidents, the Hollywood Presbyterian Medical Center chose to pay the attacker 40 bitcoin (about $17,000) in ransom in order to be able to decrypt the “locked” files and restore the system and administrative functions.

Detecting Locky Ransomware With Hillstone iNGFW

Since Locky ransomware attack process is a multiple, staged process, it has distinct behavioral patterns along this attack path. For example, it has spam email phishing attachment files; it needs to communicate the Command & Control (C&C) server after the initial installation; it will have file-downloading activities, etc.

Locky Ransomware can be effectively detected and blocked using the Hillstone Networks intelligent Next-Generation Firewall (iNGFW) solution. The iNGFW combines both static signature-based NGFW detection engines such as IPS/AV, as well as behavioral-based modeling engines that use machine learning algorithms on a single platform. Leveraging these detection engines, it can effectively detect and block Locky ransomware and its variants at different stages on its attack path.

The detection and protection mechanisms on Hillstone Networks iNGFW entail the following:

  • iNGFW Anti-Virus engines include latest signatures that can be used to pattern-match the Locky email spams, which contain malicious attachments or download files.
  • iNGFW reputation engine consists of an IP and domain name reputation database that includes the list of known, relevant malicious IP and domain names.
  • iNGFW Domain Generation Algorithms (DGA) detection engine can be used to detect DGA domain names that are used as the C&C server.
    • Locky uses domain names generated by DGA algorithms as the C&C server. The Hillstone DGA detection engine can be used to detect a DGA domain name.

    The following screenshot illustrates one example.

  • iNGFW threat intelligence correlation module can correlate different threat events and alerts, as well as draw more accurate conclusions out of individual threat alerts.
    • For example, when the infected host tries to connect to its C&C server, it may result in a number of domains before the domain name can be resolved. Hillstone can correlate a series of DNS actions and results similar to the DGA detection on a specific host machine to accurately determine possible Locky related activities.
    • Another example is to correlate threat information such as “Small Sized” PE files download, detected DGA and the private encryption channel activities on a particular host machine to draw a clear picture of how the suspected Locky attack is progressing.
  • iNGFW cloud intelligent system can perform further threat analysis on suspicious threat events or objects.
    • For example, a suspicious domain name can be uploaded to the Hillstone cloud to perform further checks against reputation sites. The “whois” information such as domain name registration time, place, and Time To Live (TTL) can be used for further analysis to determine the possible nature of the domain name.

Hillstone Networks iNGFW has powerful weapons that can be combined to effectively detect the Locky ransomware and its variants, and ensure that businesses do not fall victim to the Locky ransomeware’s malicious intent.