Recently, there has been a lot of buzz over a flourishing ransomware that goes by the name of Locky, which encrypts a victim's data using a strong RSA-2048+AES-128 encryption and then demands between 0.5-2 bitcoins for the decryption of that data.

The ransomware debuted in early 2016 and is currently being distributed in various ways, including spam emails that contain Word and Excel documents with malicious macros, as well as JS scripts. Locky is also delivered via popular Exploit Kits such as Nuclear and Neutrino.

Locky has widespread reach, having been used to attack victims in over 100 countries. During its first days of activity, it managed to deploy 100,000 infection attempts per day. Just recently, the ransomware was used in an attack on a Kentucky hospital, which caused them to declare an "Internal State of Emergency."

The ThreatSTOP Research Team has been monitoring new Indicators of Compromise for this ransomware since its debut, and has analyzed hundreds of relevant indicators. During our analysis on these indicators, we noticed four outstanding domains--legitimate-looking domains with the addition of the string "qq" or "ff" at the end of the domain name. These domains sparked a follow up analysis that led to amazing results.

The first step of the analysis was to map the IP connections between the 4 initial domains:

  • hellomydearqq[.]com
  • blablaworldqq[.]com
  • hellomisterbiznesqq[.]com
  • greetingsjamajcaff[.[com

Screen Shot 2016-04-03 at 4.48.24 PM

When looking at the IPs to which these domains resolved, we found that the domain greetingsjamajcaff[.]com resolved to the 3 unique IPs (104.168.62[.]235, 74.117.183[.]252, 158.69.167[.]234) and the 3 “qq” domains had been hosted on an almost-identical pool of 11 IPs (with only blablaworldqq[.]com resolving to 54.222.176[.]70 as well) since their activation at the beginning of March.:

  • 202.120.42[.]190
  • 51.255.10[.]133
  • 146.148.55[.]44
  • 185.118.142[.]154
  • 51.254.226[.]223
  • 78.135.108[.]94
  • 173.82.74[.]197
  • 104.239.213[.]7
  • 198.105.244[.]11
  • 198.105.254[.]11

All of the IPs mentioned above similarly host “qq” and “ff” domains. This gave us a lot of material to work with, and we dived into a mapping mission of Domain-to-IP and IP-to-Domain analysis.

Screen Shot 2016-04-03 at 4.24.49 PM.png

While looking into the IPs, we also noticed that for many of the domains, their www. subdomain resolved to the same IP as the parent domain, but not in all cases. This sent us on another hunt--searching for “www” subdomains that had not yet been seen. By doing so, we found another set of IPs, which were followed (of course) by domains.

This analysis has provided ThreatSTOP with over 130 new indicators that are related to Locky. These “qq” and “ff” domains are constantly popping up in various malware blogs in relation to Locky, and occasionally to Teslacrypt as well, another ransomware variant. We are continuing this analysis, and will continue protecting our customers from Locky ransomware.