Locky Ransomware Using DDE Attack for Distribution

What is Locky Ransomware?

Locky Ransomware so far has proven to be one of the strongest and most active malware. The developers have designed it in a way that it can easily bypass the antivirus firewall of a computer encrypting all the user's data leaving the user with a ransom note and instructions on how to make the payment.

Also read: Cryptolocker – Fix & Decrypt

Latest news on Locky Ransomware

Microsoft may soon have to re-think about its ideas on utilizing the Office feature called DDE to execute code on compromised PCs doesn't justify a fix.

SANS Internet Strom Center revealed a shocking fact about Necurs botnet that earlier the distribution technique used by the developers was spam emails. Whereas, now continuing the previous methods they have also started distributing the ransomware by a new attack technique that involves the DDE protocol. Handler Brad Duncan in his statement said that he had access to a few dozen emails that were the part of the campaign running to spread the ransomware. The emails contain one of three distinct Word document attachments spreading the malware and deciding on the DDE strategy instead of macros, which for over a year have been the favored methods for downloading malware from a remote server.

"We think the hackers are utilizing DDE on the grounds that it's extraordinary. We've been seeing similar full-scale based attacks in the recent years, so maybe culprits are taking a stab at something else just to check whether it works any better. As we would like to express that DDE is presumably somewhat less successful than utilizing macros," Duncan said. "We may see more DDE-based attacks in the coming weeks. however, we foresee that it will decrease in the coming months."

Like macros, Dynamic Data Exchange or DDE is a genuine Office feature. It enables a client to pull information from one archive and infuse it into other, for example, when a business report is opened in Word, and an inserted field can effectively update it with information from an Excel spreadsheet.

Last Friday, the research team at SensePost uncovered that various document-based attacks have been introducing malware utilizing DDE. They unveiled their discoveries to Microsoft in August and Microsoft said in late September that DDE was just a feature and that no further action would be taken.

SensePost said that a proof-of-idea misuse for this circumstance smothers dialect in an exchange box that could avoid a client from beginning an executable.

"The second prompt would ask the user if they want to execute the particular application or not, now this can be considered as a security alert since it requests that the user to execute 'cmd.exe,' however with appropriate syntax adjustments it can be covered," SensePost said.

Attacks using DDE evade the computers without being recognized by the traditional antivirus programs given that it falls into the whitelisting feature.

 "Clearly, DDE and macros are both genuine features of Microsoft Office. Both have been utilized as a part of malware attack. In the two cases, Office documents from malicious spam give alerts to tell a casualty what's happening. To settle the issue, you'd need to expel the DDE," Duncan said. "If DDE is a feature, then yes, we concur with Microsoft's announcement that it won't be fixed. Be that as it may, many articles about DDE express it's been superseded by OLE functionality. Assuming this is the case, for what reason doesn't Microsoft dispose of DDE altogether? Are there any authentic DDE cases that require Microsoft to hold this backward compatibility?"

Microsoft has without a doubt replaced DDE with the Object Linking and Embedding toolkit. However, it has not suspended help for DDE because Office still provides support to the legacy documents that utilize the feature.

Duncan's investigation of the Locky attacks demonstrates that the Word attachment employing the DDE attack gets the primary phase of the attack, likely a downloader which at that point downloads the ransomware. Duncan depicted the activity stream in a SANS ISC post:

"Traffic was somewhat unusual than we have seen in the recent attachments from the Necurs Botnet. The main HTTP asks for a returned base64 string that contains the further URLs for the first stage malware download. The second HTTP demands the return of the first stage malware. To follow-up, HTTP POST requests for the first stage malware with the User-Agent string Windows-Update-Agent. Then comes the HTTP POST request that returns the Locky ransomware binary. The Locky binary was encoded as it evaded the system, and it was decrypted later on the local network. No returning traffic from the Locky binary was noted. We just observed some more HTTP POST requests from the first stage malware."

The Locky ransomware encrypts documents on the local hard drive and demands a ransom of 0.25 Bitcoin in return for the decryption key. SANS posted various symptoms demonstrating the computer infection, including hashes of the attachments and malware, and also the IP address responsible for the attack.

Also read: How to get rid of Runbooster adware.

Steps to disable DDE in Microsoft Office

“The best technique you could follow to disable DDE.  It works for all the Microsoft Office applications.

Steps:

1. Go to the Options menu.
2. Now, scroll down to Advanced Options –> General.
3. Now, you need to make sure “Update automatic links at open” box is un-checked.

Duncan said that this prevents the DDE attacks from happening.  But, that’s not it in some online forums, people have come up with a different problem which indicates that this change isn’t permanent, and ‘Update automatic links at open’ may get re-checked again on its own.”

Remove Locky Ransomware in Safe Mode with Command Prompt

Step - 1(enter safemode)

Steps to be followed to enter the safe mode Win XP/Vista/7

1. Click start, then shutdown, then restart.
2. While the computer is booting up at the very first screen start taping F8 until you see the advanced boot options.
3. In the advanced boot option’s, you need to select safe mode with Command prompt from the list of given options.

Steps to be followed to enter safe mode in Win 8/10.

1. On the windows login screen you need to press the power option.
2. Now, press and hold the shift key on the keyboard, and then click restart.
3. Now, among the list of options you need to select Troubleshoot, and then advanced options, then startup settings and finally press restart.
4. Once your computer restarts and gives you the list of startup options you need to select Enable Safe Mode with Command prompt. 

Step – 2 (Restore system)

1. Once you see the command prompt windows, type in cd restore and hit enter on the keyboard.
2. Now, type rstrui.exe and hit Enter again.
3. Then you would see new windows, click on next over there and select a restore point that is before the date of infection.
4. Then, click next and followed by yes.

 After temporarily disabling the ransomware, we need to create a strong firewall to block it from becoming active again.

Tips to Prevent Locky ransomware from Infecting Your System: