This did not come as a surprise, as cyber-criminals are known to share, rent, sell, and even steal malicious code from one another.<\/p>\n
Analysis of Locky Bart\u2019s binary<\/strong><\/h3>\nIn their previous incarnations, Locky and Locky v2 used a simpler encryption process. They enumerated the files targeted for encryption, placed each in a password protected ZIP archive, and repeated this process until all the files were encrypted. The creators did not use the AES ZIP protection, but an older algorithm, and because of this, researchers were able to\u00a0make a decrypting application.<\/p>\n
Locky Bart performs a fairly straight forward set of actions to encrypt the victim\u2019s files. They are as follows:<\/p>\n
\n- Wipe System Restore Points with VSSadmin.<\/li>\n
- Generate a seed to create a key to encrypt user\u2019s files.<\/li>\n
- Enumerate the files it wants to encrypt, skipping certain folders to speed it up.<\/li>\n
- Encrypt the enumerated files with the generated key.<\/li>\n
- Encrypt the key used to encrypt the files with a master Kkey, which now becomes the victim\u2019s \u201cUID\u201d used to identify them.<\/li>\n
- Create a ransom note on the desktop with a link to a payment page and their \u201cUID\u201d.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function1.png\")
<\/p>\n
The function used to generate a seed, which is used to create a key to encrypt the files with. It uses variables like system time, process ID, thread ID, Process Alive Time, and CPU ticks to generate a random number.<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function2.png\")
<\/p>\n
The function used to enumerate and encrypt the files.<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function3.png\")
<\/p>\n
Bart will skip any folders with these strings in them.<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function4.png\")
<\/p>\n
The file-types that Bart targets to encrypt.<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/paymentserver.png\")
<\/p>\n
The string that Bart uses to make a Ransom Note. The \u201ckhh5cmzh5q7yp7th.onion\u201d is the payment server, and <\/em>the \u201cAnOh\/Cz9MMLiZMS9k\/8huVvEbF6cg1TklaAQBLADaGiV\u201d is a sample UID that would be sent with the URL to the server for the victim to make a payment. Remember that the UID is only an encrypted version of the key that can be used to decrypt a victim\u2019s files.<\/em><\/p>\nHow the creators of Bart Locky acquire the key is what differentiates this version from its predecessors. When the victim of the ransomware visits the URL to make their payment for the ransom, they are unknowingly sending their decryption key to the criminals.<\/p>\n
Let\u2019s break down the process in a more granular method, to better understand it.<\/p>\n
\n- Bart Locky gathers information on the victim\u2019s machine to create an encryption key.<\/li>\n<\/ul>\n
\n- Bart Locky encrypts the user\u2019s files using the seeded key created in the previous step.<\/li>\n<\/ul>\n
\n- Bart Locky then encrypts the key that was used for the original encryption with a one way encryption mechanism, using the public key of a public \/ private key pair method. The private key for this second encryption resides on the malicious server and is never accessible to the victim.<\/li>\n<\/ul>\n
\n- Bart Locky then generates a URL on the victim\u2019s machine. It contains the link to a TOR cloaked .onion address where the malicious backend website is hosted. This URL has a user ID within it. This UID is the original decryption key, in encrypted form.<\/li>\n<\/ul>\n
\n- The victims visits the .onion site and the malicious server harvests the encrypted UID.<\/li>\n<\/ul>\n
This UID is useless to the victim though, because they do not have the private key to decrypt their files. However, the ransomware creator\u2019s server does, meaning his server can not only use the UID to identify the victim, but also decipher the UID into their victim\u2019s key upon payment of the ransom.<\/p>\n
In the end, only the ransomware creators can decrypt the user\u2019s files, and because of this feature, there is no need to access the malicious server to encrypt them.<\/p>\n
Locky Bart Software Protection\u00a0technique<\/strong><\/h3>\nThe Bart Locky binary also uses a software protection\u00a0technique. This technique is known as code virtualization and is added to Bart Locky binary by using a program called \u201cWPProtect<\/a>\u201d.<\/p>\nThis makes reversing the binary significantly more difficult to disassemble and complicates stepping through the code, a technique used to understand what it does. Legitimate uses of this type of software are most typically seen in anti-piracy mechanisms. An example of a commercial version of this type of software would be Themida<\/a>. The author of Bart Locky probably chose this particular anti-tampering mechanism as it is free, open source, and provides many features. This adoption of software protection techniques is a troubling development. These applications, including WPProtect, make reversing and analysis significantly more challenging.<\/p>\nThe Locky Bart server<\/strong><\/h3>\nThe second half of Locky Bart is the server and backend. This server is used to provide the victims with a payment mechanism to pay the ransom.<\/p>\n
\n- Receive the bitcoins used as a payment method.<\/li>\n
- Transfer the bitcoins to other wallets.<\/li>\n
- Generate a decryption EXE for the victims.<\/li>\n
- Provide the victims with the decryption EXE to the victims.<\/li>\n
- Accrue additional information on the victims.<\/li>\n<\/ul>\n
The Bart Locky backend runs on a framework called yii<\/a>.\u00a0Yii is a high-performance PHP framework best for developing Web 2.0 applications.<\/p>\nThis framework contains a wealth of information on the inner workings of Bart Locky.<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/yii_debug-600x401.png\")
<\/p>\n
TheYii debug panel that contained\u00a0extensive information about the configuration server.\u00a0<\/em><\/p>\nAccess to this control panel revealed:<\/p>\n
\n- Every configuration setting for all the software running on the server such as PHP, Bootstrap, Javascript, Apache (if used), Nginx (If used), ZIP, and more.<\/li>\n
- Every request that was made to the server including their request information, header information, body, timestamp, and where they originated.<\/li>\n
- Logs that showed every error, trace, and debug item.<\/li>\n
- All the automated email functions.<\/li>\n
- MYSQL Monitoring that showed every statement made and its return.<\/li>\n<\/ul>\n
Locky Bart stores information in a MYSQL database. The credentials to the MYSQL server reside in a \u201cConfig\u201d PHP file in the \u201cCommon\u201d folder of the site. An example path looks like the following: \/srv\/common\/config\/main-local.php<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/MYSQLconfig.png\")
<\/p>\n
The contents of Bart\u2019s server MYSQL config file<\/em><\/p>\nThe information contained in the MYSQL database consists of the victims Unique IDentifier, the encryption key, BitCoin Address, Paid Status, and Timestamps.<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/database.png\")
<\/p>\n
A small part of the table holding the ransomware information in the database.<\/em><\/p>\nThe Locky Bart server also contains a second database that contains further information on the victims of the ransomware.<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/database2.png\")
<\/p>\n
Locky Bart ransomware\u2019s \u201cStats\u201d table example.<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/readme.png\")
<\/p>\n
A \u201cReadMe\u201d file found on the server that seems to detail some features on the Stats database.<\/em><\/p>\nThe Locky Bart server contains a \u201cBTCwrapper.php\u201d which used a \u201ccontroller\u201d method that exposes a BTC Wallet Class that all other PHP files can call. This class initiates a connection to the Bitcoin servers through a username and password. This class contained complete methods on controlling and using the main BTC wallet set up by the criminal to store all the money received. This wallet is emptied regularly. This class can create new BTC Addresses as well and had the ability to empty those wallets on payment to the main wallet. There were also methods to check on the status of payments from each victim.<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function5.png\")
<\/p>\n
Some of the functions that the BTCWrapper Class calls.<\/em><\/p>\n![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function6.png\")
<\/p>\n
The first few functions of the BTCWrapper Class. The class uses CURL to contact a locally ran bitcoin server that communicates with the block chain.<\/em><\/p>\nThe Locky Bart server had 2 Bitcoin addresses where victims\u2019 payments were transferred to. The current one:<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/blockchain7671-600x218.png\")
<\/p>\n
<\/p>\n
The current BTC address associated with Locky Bart has accumulated $ 7,671.60 in its life time.<\/em><\/p>\nAnd a second one, that was referenced in PHP configurations on the malicious server.<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/blockchain457806-600x216.png\")
<\/p>\n
An older BTC address also associated with Locky Bart had accumulated $ 457,806.06.<\/em><\/p>\nThe server portion of this ransomware was configured to function very similar to a legitimate business. It mirrored a \u201cSupport Ticket Department\u201d where the user could contact the ransomware support for any issues they may have experienced.<\/p>\n
The process was completely automated. The user would get infected and visit the site as their ransom note instructed. When they visited the site, the server would then generate their unique BTC address and present it to them automatically.<\/p>\n
After this, if the user made the decision to pay the ransom, but if they had any questions, they could literally contact support.<\/p>\n
If they did indeed make the decision to pay, they would proceed to buy Bitcoins through the many methods available (BTC ATM, LocalBitcoins \u2013 which allows you to meet people local to trade BTC for money or use banks and wiring like Western Union, or buy them with a credit card online).<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/explained.png\")
<\/p>\n
Once the user has the amount specified by the ransomware in their own BTC Wallet, they would then transfer the money from their wallet to the Payment Address the Ransomware Payment Page generated for them.<\/p>\n
The Ransomware Server checks every few minutes if a payment has been made for any of its victims and if the payment had been confirmed. Once the server verifies a payment they mark that victim in the Database as \u201cPaid\u201d.<\/p>\n
When a victim is marked as \u201cPaid\u201d the server then generates a \u201cDecryption Tool EXE\u201d and writes the users Encryption Key in the binary of that exe, and presents a link to download it on the personal payment page of the victim. Later when the victim checks their payment page again, they will see the link, download the tool, and decrypt their files.<\/p>\n
![\"\"](\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/function7.png\")
<\/p>\n
The generation of the victim\u2019s decryption tool on the fly.<\/em><\/p>\nConclusion<\/strong><\/h3>\nThis research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we typically do not get to see, the backend. The criminals who run these operations do so on an extremely professional level, and users should always take an extra step in protecting themselves from these types of attacks.<\/p>\n
Ransomware will continue to grow and get more advanced and users need to make sure they are protected in the form of backup\u2019s, security application protection like Malwarebytes<\/a>, and make sure they have some type of anti-ransomware technology protecting them from these advanced attacks. Users running Malwarebytes already have protection from ransomware, as Malwarebytes is equipped with our anti-ransomware technology.<\/p>\nhttps:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
<\/p>\n
The function used to generate a seed, which is used to create a key to encrypt the files with. It uses variables like system time, process ID, thread ID, Process Alive Time, and CPU ticks to generate a random number.<\/em><\/p>\n The function used to enumerate and encrypt the files.<\/em><\/p>\n Bart will skip any folders with these strings in them.<\/em><\/p>\n The file-types that Bart targets to encrypt.<\/em><\/p>\n The string that Bart uses to make a Ransom Note. The \u201ckhh5cmzh5q7yp7th.onion\u201d is the payment server, and <\/em>the \u201cAnOh\/Cz9MMLiZMS9k\/8huVvEbF6cg1TklaAQBLADaGiV\u201d is a sample UID that would be sent with the URL to the server for the victim to make a payment. Remember that the UID is only an encrypted version of the key that can be used to decrypt a victim\u2019s files.<\/em><\/p>\n How the creators of Bart Locky acquire the key is what differentiates this version from its predecessors. When the victim of the ransomware visits the URL to make their payment for the ransom, they are unknowingly sending their decryption key to the criminals.<\/p>\n Let\u2019s break down the process in a more granular method, to better understand it.<\/p>\n This UID is useless to the victim though, because they do not have the private key to decrypt their files. However, the ransomware creator\u2019s server does, meaning his server can not only use the UID to identify the victim, but also decipher the UID into their victim\u2019s key upon payment of the ransom.<\/p>\n In the end, only the ransomware creators can decrypt the user\u2019s files, and because of this feature, there is no need to access the malicious server to encrypt them.<\/p>\n The Bart Locky binary also uses a software protection\u00a0technique. This technique is known as code virtualization and is added to Bart Locky binary by using a program called \u201cWPProtect<\/a>\u201d.<\/p>\n This makes reversing the binary significantly more difficult to disassemble and complicates stepping through the code, a technique used to understand what it does. Legitimate uses of this type of software are most typically seen in anti-piracy mechanisms. An example of a commercial version of this type of software would be Themida<\/a>. The author of Bart Locky probably chose this particular anti-tampering mechanism as it is free, open source, and provides many features. This adoption of software protection techniques is a troubling development. These applications, including WPProtect, make reversing and analysis significantly more challenging.<\/p>\n The second half of Locky Bart is the server and backend. This server is used to provide the victims with a payment mechanism to pay the ransom.<\/p>\n The Bart Locky backend runs on a framework called yii<\/a>.\u00a0Yii is a high-performance PHP framework best for developing Web 2.0 applications.<\/p>\n This framework contains a wealth of information on the inner workings of Bart Locky.<\/p>\n TheYii debug panel that contained\u00a0extensive information about the configuration server.\u00a0<\/em><\/p>\n Access to this control panel revealed:<\/p>\n Locky Bart stores information in a MYSQL database. The credentials to the MYSQL server reside in a \u201cConfig\u201d PHP file in the \u201cCommon\u201d folder of the site. An example path looks like the following: \/srv\/common\/config\/main-local.php<\/em><\/p>\n The contents of Bart\u2019s server MYSQL config file<\/em><\/p>\n The information contained in the MYSQL database consists of the victims Unique IDentifier, the encryption key, BitCoin Address, Paid Status, and Timestamps.<\/p>\n A small part of the table holding the ransomware information in the database.<\/em><\/p>\n The Locky Bart server also contains a second database that contains further information on the victims of the ransomware.<\/p>\n Locky Bart ransomware\u2019s \u201cStats\u201d table example.<\/em><\/p>\n A \u201cReadMe\u201d file found on the server that seems to detail some features on the Stats database.<\/em><\/p>\n The Locky Bart server contains a \u201cBTCwrapper.php\u201d which used a \u201ccontroller\u201d method that exposes a BTC Wallet Class that all other PHP files can call. This class initiates a connection to the Bitcoin servers through a username and password. This class contained complete methods on controlling and using the main BTC wallet set up by the criminal to store all the money received. This wallet is emptied regularly. This class can create new BTC Addresses as well and had the ability to empty those wallets on payment to the main wallet. There were also methods to check on the status of payments from each victim.<\/p>\n Some of the functions that the BTCWrapper Class calls.<\/em><\/p>\n The first few functions of the BTCWrapper Class. The class uses CURL to contact a locally ran bitcoin server that communicates with the block chain.<\/em><\/p>\n The Locky Bart server had 2 Bitcoin addresses where victims\u2019 payments were transferred to. The current one:<\/p>\n <\/p>\n The current BTC address associated with Locky Bart has accumulated $ 7,671.60 in its life time.<\/em><\/p>\n And a second one, that was referenced in PHP configurations on the malicious server.<\/p>\n An older BTC address also associated with Locky Bart had accumulated $ 457,806.06.<\/em><\/p>\n The server portion of this ransomware was configured to function very similar to a legitimate business. It mirrored a \u201cSupport Ticket Department\u201d where the user could contact the ransomware support for any issues they may have experienced.<\/p>\n The process was completely automated. The user would get infected and visit the site as their ransom note instructed. When they visited the site, the server would then generate their unique BTC address and present it to them automatically.<\/p>\n After this, if the user made the decision to pay the ransom, but if they had any questions, they could literally contact support.<\/p>\n If they did indeed make the decision to pay, they would proceed to buy Bitcoins through the many methods available (BTC ATM, LocalBitcoins \u2013 which allows you to meet people local to trade BTC for money or use banks and wiring like Western Union, or buy them with a credit card online).<\/p>\n Once the user has the amount specified by the ransomware in their own BTC Wallet, they would then transfer the money from their wallet to the Payment Address the Ransomware Payment Page generated for them.<\/p>\n The Ransomware Server checks every few minutes if a payment has been made for any of its victims and if the payment had been confirmed. Once the server verifies a payment they mark that victim in the Database as \u201cPaid\u201d.<\/p>\n When a victim is marked as \u201cPaid\u201d the server then generates a \u201cDecryption Tool EXE\u201d and writes the users Encryption Key in the binary of that exe, and presents a link to download it on the personal payment page of the victim. Later when the victim checks their payment page again, they will see the link, download the tool, and decrypt their files.<\/p>\n The generation of the victim\u2019s decryption tool on the fly.<\/em><\/p>\n This research into Locky Bart ransomware gives a great view of the side of a ransomware operation that we typically do not get to see, the backend. The criminals who run these operations do so on an extremely professional level, and users should always take an extra step in protecting themselves from these types of attacks.<\/p>\n Ransomware will continue to grow and get more advanced and users need to make sure they are protected in the form of backup\u2019s, security application protection like Malwarebytes<\/a>, and make sure they have some type of anti-ransomware technology protecting them from these advanced attacks. Users running Malwarebytes already have protection from ransomware, as Malwarebytes is equipped with our anti-ransomware technology.<\/p>\n https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<\/p>\n<\/p>\n<\/p>\n<\/p>\n\n
\n
\n
\n
\n
Locky Bart Software Protection\u00a0technique<\/strong><\/h3>\n
The Locky Bart server<\/strong><\/h3>\n
\n
<\/p>\n\n
<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\n<\/p>\nConclusion<\/strong><\/h3>\n
<\/a><\/td>\n<\/tr>\n