Surge in .Onion addresses suggests a similar growth in Locky infections
Surge in .Onion addresses suggests a similar growth in Locky infections

Professor Alan Woodward of the University of Surrey, has highlighted what he believes to be a surge in the Locky trojan.

Woodward, a renowned academic and IT expert, published a series of findings on his blog over the last few days, showing a massive spike in the number of .Onion addresses indicating a surge in the Locky trojan.

The number of .Onion addresses started to grow sharply in the middle of February before spiking even further at the end of the month.

tor260216a (1).png

Analysing hidden service traffic on ToR, Woodward found that this type of traffic doesn't match up with the amount of addresses being created.

Whatever is creating these .Onion addresses doesn't use much data, suggesting that they are being used by the malware. According to Woodward's post, this is another possible sign that it is “Locky assigning unique addresses for victims such that once used no further traffic is generated.”

Locky is not a wildly unusual piece of ransomware. Like all the others, once it downloads  onto an unlucky system, it encrypts the computer's hard disk and charges the user to decrypt it.

Also not too original is the fact that Locky has tended to come in the form of a word document macro, a classic tactic used in countless phishing scams and malware campaigns. If the targeted user actually opens the document, it will request that Macros be turned on to properly run the document. The malware, in this case Locky, is embedded within the Macro and is thus deployed when the Macros turn on.

It is thought  that what distinguishes Locky, is that it creates individual .Onion and bitcoin addresses when deployed. This leads Woodward, and others to believe this large spike in .Onion addresses to be a large spike in Locky infections. Woodward told that, “we don't know for definite but it looks like every time there's an instance of Locky it creates its own bitcoin address and its own .Onion address”, using “the darkweb as the first point of call for addresses.”

This, according to Woodward, is a method of obfuscation: “The classic police method is follow the money”, if you have a large number of .Onion or bitcoin addresses it makes the route of blackmail that Locky takes far harder to trace.

Dick O'Brien, senior information developer at Symantec spoke to SC on this correlation, saying Locky, “is an aggressive form of ransomware that uses strong encryption, putting the victim's files beyond reach. The attackers behind Locky have been observed using massive spam campaigns to spread it.”

O'Brien added, “Locky instructs victims to visit a Tor website to pay the ransom. While the sudden rise in the number of Tor services does coincide with the arrival of Locky, Symantec does not have any information to confirm a link between the two.”