The newest Locky uses COM object functionality to delete shadow copies, which Windows users see as the “previous versions” of their files. If that method fails, the new Locky falls back to creating a scheduled task, through another COM interface, that runs vssadmin.exe to do the deletion.
“COM objects are essentially black boxes that allow functionality from some programs or the operating system to be accessible by other applications. Under normal conditions, for example, they allow an application to start Microsoft’s Internet Explorer and navigate to a website without showing the address bar. Blocking malicious use of COM objects is more difficult than simply blocking execution of an application with specific parameters on the command line,” said Moritz Kroll, botnet specialist at Avira.
Deleting the shadow copies reduces the recovery options for victims and, as a result, increases the likelihood of a ransom payout to the cybercriminals.
Earlier versions of Locky called vssadmin.exe directly to delete the shadow copies. However, this behavior was increasingly flagged as antivirus programs added heuristic detections for it and blocked execution of vssadmin.exe at the command-line level.
By now “hiding” these activities behind COM objects instead of the more visible direct call, Locky achieves the same goal of removing all shadow copies, but without triggering the heuristic detection of some antivirus products.
“The big change is that when starting a scheduled task, it is now done indirectly – not directly. Consequently, the malware sample is not the parent process of vssadmin.exe, which is a common check in many antivirus programs’ ransom protection,” explained Kroll.
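As an added example that is not from the article or from Avira, the following Python script contrasts the parent-process check Kroll describes with a parent-agnostic check on the command line of the spawned process. The process-creation events below are constructed for this example (the field names follow Sysmon Event ID 1: Image, CommandLine, ParentImage), and the malware file name is invented; the point is that the scheduled-task launch slips past the first rule but not the second.

```python
"""Detect shadow-copy deletion independently of who spawned vssadmin.exe.

Added example; the events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Constructed sample telemetry for this example (file names are invented).
SAMPLE_EVENTS: List[ProcEvent] = [
    # Older Locky behaviour: the malware itself spawns vssadmin.exe,
    # so the parent is a binary dropped under the user's profile.
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet",
              r"C:\Users\victim\AppData\Local\Temp\sample.exe"),
    # Newer behaviour: the deletion is launched through a scheduled task,
    # so the parent is the Task Scheduler host, not the malware.
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe Delete Shadows /All /Quiet",
              r"C:\Windows\System32\taskeng.exe"),
    # Benign: an administrator listing shadow copies from a shell.
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe List Shadows",
              r"C:\Windows\System32\cmd.exe"),
    # Another system-hosted route to the same outcome, via WMI.
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete",
              r"C:\Windows\System32\svchost.exe"),
]

WINDOWS_DIR = "c:\\windows\\"


def naive_parent_rule(ev: ProcEvent) -> bool:
    """The check the article says many products relied on: alert only when
    vssadmin.exe is spawned by something outside the Windows directory."""
    is_vssadmin = ev.image.lower().endswith("\\vssadmin.exe")
    parent_is_system = ev.parent_image.lower().startswith(WINDOWS_DIR)
    return is_vssadmin and not parent_is_system


# Command lines that remove or starve shadow copies, whatever the parent.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwin32_shadowcopy\b", re.I),
]

# Hosts the Task Scheduler uses to launch task actions.
TASK_HOSTS = {"taskeng.exe", "svchost.exe", "taskhostw.exe"}


def command_line_rule(ev: ProcEvent) -> bool:
    """Parent-agnostic check: alert on the deletion command itself."""
    return any(p.search(ev.command_line) for p in SHADOW_DELETE_PATTERNS)


def scan(events: List[ProcEvent], rule: Callable[[ProcEvent], bool]) -> List[int]:
    """Return the indices of the events that the given rule flags."""
    return [i for i, ev in enumerate(events) if rule(ev)]


def explain(ev: ProcEvent) -> str:
    """Describe how the flagged process was launched (direct vs. indirect)."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in TASK_HOSTS:
        return "shadow deletion launched indirectly via a Task Scheduler host"
    return f"shadow deletion spawned directly by {parent}"


if __name__ == "__main__":
    print("parent-based rule flags:", scan(SAMPLE_EVENTS, naive_parent_rule))
    for i in scan(SAMPLE_EVENTS, command_line_rule):
        print(f"command-line rule flags event {i}: {explain(SAMPLE_EVENTS[i])}")
```

Run as-is to see the parent-based rule flag only the direct launch, while the command-line rule also catches the scheduled-task launch and the WMIC variant but not the benign listing. In a real deployment the command line comes from Sysmon or Windows process auditing with command-line logging enabled, and a scheduled-task registration shortly before the deletion (task-creation audit events) is the context worth correlating.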
Other changes in Locky ensure that only one instance of the ransomware runs on a machine at a time. This avoids overlapping encryption runs, which would otherwise reduce the chance of a successful decryption.
Locky did a disappearing act on May 31, leading to speculation that the ransomware had vanished as a result of the takedown of a Russian cybercriminal gang. However, it returned to action on June 21 with the version that had first been released on May 31. That version added a “v=2” parameter to the connection string, probably indicating a new version. A new communication protocol was also introduced, in which the encrypted connection string is disguised as HTML form data. Interestingly, the malware servers are currently communicating in both the old and the newer protocol. This dual communication could be used to detect security researchers.
Reference sample: SHA256