The Locky ransomware has added a fallback mechanism in the latest strain of malware created for situations where the code can’t reach its Command & Control server.
Researchers from antivirus vendor Avira blogged about this version which starts encrypting files even when it cannot request a unique encryption key from the Command & Control server because the computer is offline or a firewall blocks outgoing communications.
Calling the mothership is normally required for ransomware that uses public key cryptography. And actually, if the code is unable to call home to a Command & Control server after they infect a new machine, most ransomware does not start the encryption process and is dead in the water.
Why? The encryption routine needs unique public-private key pairs that are generated by the Command & Control server for each infection. How does this work? Here is a simplified sequence of events.
- The ransomware program generates a local encryption key and uses an algorithm like AES (Advanced Encryption Standard) to encrypt files with certain extensions.
- It reaches out to a Command & Control server and asks that machine to generate an RSA key pair for the newly infected system.
- The public key of that pair is sent back to the infected machine and used to encrypt the AES encryption key from step 1. The private key, (needed to decrypt what the public key encrypted), stays on the Command & Control server and is the key that you get when you pay the ransom and is used for decryption.
As you see, a lot of ransomware strains are useless if a firewall detects their attempt to call home and blocks it as suspicious. There is another scenario however…
As damage control, organizations also cut off a computer from the network the moment a ransomware infection is detected. They might even take the whole network offline until they can investigate if other systems have also been infected.
The silver lining? If someone pays the ransom and gets the private key, that key will work for all other offline victims as well, so expect a free decryptor to become available in the near future.