Locky is a strain of ransomware that was rather prevalent in New Zealand from early 2016. The CROW lab created an isolated environment with Progger installed and executed Locky in it to obtain a data set of Progger logs showing the steps Locky takes to encrypt user files. Using the logs collected, CROW then created a visualisation called Locky Analysis (part of the Visual Progger series), which gives a visual walkthrough of Locky in action.
Overview

The visualisation works by replaying the original data set of Progger logs gathered when Progger recorded Locky in the isolated environment. The visualisation draws three tiers. At the bottom is a single element: the Locky process itself, rundll32.exe. The middle tier is the libraries that Locky interacts with. The third and top tier is the directories that Locky scans. These elements are drawn at the rate the log data arrives, which helps to show how Locky behaves as it traverses the directories. Once the traversal is complete, Locky encrypts the files; this is shown by turning the directory elements in the visualisation red.
As Locky Analysis runs, executing files are checked for behavioural traits that resemble Locky's. These traits include traversal of the user directory, creation of instruction files (for decrypting), and opening of particular encryption libraries. Each time one of these actions occurs, points are assigned to the process. When a process reaches a set threshold it is deemed likely enough to be Locky.
Starting at the top left are the timestamp and user; in this case Clair was the user that ran Locky. Middle left is the suspected files list. It contains all executing files with a non-zero suspicion level, ordered from highest to lowest. If a file turns red it has crossed the suspicion threshold and is deemed to be ransomware. Bottom left is the activity of the process suspected as ransomware, with a list of all the actions it has taken. Bottom centre is a list of all folders that contain newly encrypted files. Bottom right is the list of files that are now encrypted.
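The suspicion scoring described above and the ranked suspected files list, as an added example that is not CROW's Locky Analysis code: a small Python scorer run over constructed process events. The event format, the three point values, the library and file-name watch-lists and the threshold are all assumptions; real Progger output looks different.

```python
# Added example (not CROW's code): a scoring heuristic in the spirit of the
# Locky Analysis suspicion list. The event format, point values, watch-lists
# and threshold below are assumptions, not Progger's real output or rules.
from collections import defaultdict

# Constructed sample events: (process, action, target path)
SAMPLE_EVENTS = [
    ("rundll32.exe", "open", r"C:\Windows\System32\bcrypt.dll"),
    ("rundll32.exe", "readdir", r"C:\Users\Clair\Documents"),
    ("rundll32.exe", "readdir", r"C:\Users\Clair\Pictures"),
    ("rundll32.exe", "create", r"C:\Users\Clair\Documents\_Locky_recover_instructions.txt"),
    ("explorer.exe", "readdir", r"C:\Users\Clair\Desktop"),
    ("notepad.exe", "open", r"C:\Users\Clair\notes.txt"),
]

CRYPTO_LIBS = {"bcrypt.dll", "crypt32.dll", "advapi32.dll"}  # assumed watch-list
INSTRUCTION_HINTS = ("recover_instructions", "decrypt")    # assumed name hints
THRESHOLD = 5  # assumed: score at which a process is flagged as ransomware

def score_event(action, target):
    """Return (points, reason) for one event; (0, "") if it is not suspicious."""
    name = target.rsplit("\\", 1)[-1].lower()
    if action == "readdir" and target.lower().startswith("c:\\users\\"):
        return 1, "traversed user directory"
    if action == "create" and any(h in name for h in INSTRUCTION_HINTS):
        return 3, "created decryption instruction file"
    if action == "open" and name in CRYPTO_LIBS:
        return 2, "opened encryption library"
    return 0, ""

def build_suspect_list(events, threshold=THRESHOLD):
    """Score every process; return [(process, score, flagged, reasons)]
    ordered from highest to lowest score, omitting zero-score processes."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for proc, action, target in events:
        pts, why = score_event(action, target)
        if pts:
            scores[proc] += pts
            reasons[proc].append(why)
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [(p, s, s >= threshold, reasons[p]) for p, s in ranked]

if __name__ == "__main__":
    for proc, score, flagged, why in build_suspect_list(SAMPLE_EVENTS):
        print(f"{proc:14} {score:2} {'RANSOMWARE?' if flagged else ''} {why}")
```

With the constructed events, rundll32.exe accumulates 7 points across all three traits and is flagged, while explorer.exe's single user-directory listing scores 1 and stays below the threshold.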