
How does Locky ransomware use DGA in its attacks?

Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky's techniques and how to detect it.

Security researchers say a new brand of ransomware called Locky has borrowed a technique from the Dridex banking malware. What is the Dridex malware technique and what elements of Locky make it different from other types of ransomware?

The Locky ransomware continues to improve its attack capabilities. Fortinet blogged about updates it identified in recent versions of the malware. Locky has incorporated a domain generation algorithm (DGA) to make its command-and-control (C&C) communications more resilient to takedown. Locky also updated its C&C protocol so that the communications are minimally encrypted, which hinders analysis of the traffic on the network. Adding this functionality required significant effort by the malware authors. Given that the malware is regularly updated with new functionality incorporating new attack techniques, this might suggest an experienced cybercriminal operation rather than low-skilled hackers.

The Locky ransomware appears to have borrowed the initial idea for its domain generation algorithm (DGA) from the Dridex malware. The DGA takes the infected machine's current year, month and day as input, together with fixed seed values. Because every input is known in advance, defenders can predict the domains Locky will register and sinkhole or block those domains ahead of time. Researchers at Forcepoint Security Labs analyzed an updated sample of the Locky ransomware that has a significantly improved DGA without the previous shortcomings.
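To make that predictability concrete, here is an added Python example; it is not Locky's code and not from the article or the researchers it cites. It uses a constructed date-seeded DGA (hypothetical seed value, reserved .example TLD) and shows the defender-side steps the paragraph implies: precomputing the domain set for a window of upcoming days and matching DNS query logs against it.

```python
import hashlib
from datetime import date, timedelta

# Constructed illustration of a date-seeded DGA. This is NOT Locky's real
# algorithm; the seed value and the reserved ".example" TLD are placeholders.
SEED = 0xC0FFEE           # hypothetical fixed seed shipped with the malware
TLD = ".example"
DOMAINS_PER_DAY = 4

def generate_domains(day: date, seed: int = SEED, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive one day's candidate C&C domains from the date and the seed only.
    Because nothing else goes in, anyone holding the seed can compute the same
    list for any past or future day, which is the weakness the text describes."""
    domains = []
    for index in range(count):
        material = f"{day.year}:{day.month}:{day.day}:{seed}:{index}".encode()
        digest = hashlib.sha256(material).digest()
        # Map the first 12 digest bytes onto lowercase letters for the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(label + TLD)
    return domains

def precompute_blocklist(start: date, days_ahead: int) -> dict[str, date]:
    """Defender side: enumerate the domains for a window of upcoming days so
    they can be sinkholed or blocked before an infected host tries them."""
    blocklist = {}
    for offset in range(days_ahead):
        day = start + timedelta(days=offset)
        for domain in generate_domains(day):
            blocklist[domain] = day
    return blocklist

def find_dga_lookups(dns_log_lines: list[str], blocklist: dict[str, date]) -> list[tuple[str, str]]:
    """Match DNS query log lines of the form '<timestamp> <client_ip> <qname>'
    against the precomputed list; returns (client_ip, qname) for each hit."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed or truncated log lines
        _, client, qname = parts
        # Normalise case and a trailing dot so FQDN-style log entries still match.
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits
```

Running `find_dga_lookups` over a resolver's query log with `precompute_blocklist(date.today(), 7)` flags hosts that look up any of the week's expected domains, which is the same visibility a sinkhole gives without waiting for the malware to connect.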

Even though Locky has incorporated DGA functionality, it still has a backup IP address used for C&C of the botnet. Fortinet broke the encryption of the C&C communication, so the traffic can be detected on the network. Fortinet also released indicators of compromise for the C&C systems, as well as host-based indicators that a local computer can be checked against to identify whether it is infected before its files have been encrypted.



This was last published in July 2016



What has your enterprise done to prevent ransomware from infiltrating its environment?
We expect everyone here to be an active part of the solution. A "think before you click" approach. It slows us down a bit but it's far better than the alternative so we live with it. Beyond that we've grown fanatic about off-site backups. So far we've either been right or very lucky. Either way, we're pleased with the outcome.
We try to keep reinforcing the training of employees. Don't open suspicious e-mails, don't click links in e-mails from users you do not know... We hope for the best. A lot of users will use their PC at lunch to check personal e-mails or browse the net. That is our biggest fear. They may think that because they are on their own time the rules no longer apply.
Honestly people, it's the same PC and network we are trying to protect. Do you really want to lose your job if you are the cause of an attack?
Hackers seem to be getting more ingenious every day. Using DGA is just another method that they are exploiting.