Avast Threat Labs has discovered a new Hungarian ransomware sample that is imitating Locky.
At Avast Threat Labs, we are constantly monitoring the threat landscape and evaluating current risks. Most of the time, we face prevalent strains of malware, such as Locky or Cerber ransomware, but from time to time we are alerted by our automated systems about anomalies within active in-the-wild samples. These alerts are either new techniques used by known malware or a discovery of a new strain.
This is a short story about our discovery of “Hucky” ransomware.
A few days ago, our systems notified us about a new ransomware sample that we are detecting and blocking. Based on a behavioral report from our sandbox, this sample attempts to encrypt user files and append a '.locky' extension to their names. Locky ransomware immediately came to our mind, but we quickly realized it is not Locky, because Locky is no longer using the .locky extension name. Furthermore, most of the common Locky-specific indicators of compromise (IOCs) are not present in this sample. Therefore, it caught our attention and we started digging deeper and analyzing this particular ransomware sample.
We tried executing this sample in a virtual machine and let it run in a safe environment. At the end of the execution, the machine looked as follows.
Displayed text with ransom payment instructions:
Our decoy files were encrypted and renamed:
If you have seen a machine infected by Locky, it probably looked very similar: new wallpaper with ransom instructions (rendered with the same font and colors as the one above), the same text displayed once again in Notepad, and, most importantly, the files were encrypted and renamed to file name + “.locky”.
But just because this new sample looks like Locky, and calls its files Locky doesn’t mean it’s Locky!
We have previously written about ransomware strains that mimic more "successful" strains to increase their chances of getting ransom payments, and this is yet another one.
Based on the following leads, we have named this one Hucky, which is an abbreviation for Hungarian Locky. When we put both these strains side by side, we can see several differences:
Above is an example of encrypted files – Hucky (top) and Locky (second image).
Above: Ransom instructions – Hucky instructions (top) and Locky instructions (second image).
Above: Wallpapers with ransom instructions – Hucky wallpaper (top) and Locky wallpaper (second image).
As we found out during our analysis, Hucky has a significant Hungarian footprint.
All of Hucky's interactions with victims are done in Hungarian. Furthermore, Hucky's executables are spread with Hungary-related names, such as semmi.exe (Hungarian word for nothing) or turul.exe (name of a Hungarian national symbol).
Moreover, Hungarian is also used in Hucky's code, such as namespaces, names of methods and variables, etc.
An example can be seen in the following image. The highlighted text is a mixture of Hungarian and L33t speak. It can be loosely translated as the author's confession: “I hate to do this, but I like the money”.
Another lead to Hucky's origin is the so-called PDB debug string that compilers automatically insert into executable files. These strings can reveal the username of the author as well as the project name:
The earlier version (compiled on 2016-10-04):
The later version (compiled on 2016-10-06):
In our case, the author's username was originally 'Dani' (probably Dániel). A few days after releasing the initial version, the author started hiding the username behind a generic 'user' account. Another interesting piece of information is revealed by the project name, “titkoss”. This might come from the Hungarian word “titkos”, which can be translated as “secret”. This means the author is not only using Hungarian as a communication language with the victims, but he or she is also using it for internal naming.
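As an added illustration (not part of the original analysis), the following Python pulls the CodeView "RSDS" record that carries the PDB path out of an executable's bytes and derives the build username and project name from it, which is the kind of triage check behind the lead above. The two sample byte blobs and their paths are constructed for this example; they are not Hucky's real PDB strings.

```python
import re
import struct
import uuid

# CodeView RSDS record layout: "RSDS" | GUID (16 bytes, little-endian) | age (u32) | PDB path (NUL-terminated)
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def extract_pdb_records(data):
    """Return every RSDS record found in a PE image's raw bytes (no PE parsing needed)."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group(1))
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("ascii")
        records.append({"guid": str(guid), "age": age, "path": path})
    return records


def attribution_hints(path):
    """Derive the Windows username and the project name from a PDB path."""
    m = re.search(r"[\\/]Users[\\/]([^\\/]+)[\\/]", path, re.IGNORECASE)
    username = m.group(1) if m else None
    project = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if project.lower().endswith(".pdb"):
        project = project[:-4]
    return {"username": username, "project": project}


def triage(data):
    """Combine both steps: one hints dict per RSDS record found in the bytes."""
    return [attribution_hints(r["path"]) for r in extract_pdb_records(data)]


def _rsds(guid, age, path):
    # Helper to build a constructed RSDS record for the samples below.
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


# Constructed samples (hypothetical paths), mimicking an earlier build under a personal
# account and a later build under a generic 'user' account, as described in the text.
SAMPLE_EARLY = b"\x00" * 32 + _rsds(uuid.UUID(int=1), 1, r"C:\Users\Dani\Projects\titkoss\titkoss.pdb") + b"\x00" * 16
SAMPLE_LATER = b"\x00" * 32 + _rsds(uuid.UUID(int=2), 3, r"C:\Users\user\Projects\titkoss\titkoss.pdb") + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("early", SAMPLE_EARLY), ("later", SAMPLE_LATER)):
        print(name, extract_pdb_records(blob), triage(blob))
```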
Furthermore, the Hungarian texts don’t seem to be machine translated (although they contain some spelling errors).
We can conclude that Hucky is a new ransomware strain currently targeting Hungarian users only. Based on the aforementioned leads, there is a fair chance that its author is a native Hungarian speaker. The Hungarian orientation is probably also the reason why Hucky’s prevalence is low at the moment. Finally, we should mention Hucky's undisguised effort to look like Locky.
We'll be monitoring this threat and inform you about its changes or increased prevalence. In the meantime, stay safe: