[December 8th 2017]

See also Necurs and Scarab

[November 13th 2017]

GBHackers: Beware!! Dangerous Locky Ransomware Now Spreading through Microsoft Office Word Documents

[October 23rd 2017]

Internet Storm Center: Necurs Botnet malspam pushes Locky using DDE attack

Richard Chirgwin for The Register: New phishing campaign uses 20-year-old Microsoft mess as bait – Necurs botnet spreads ransomware carried in Office documents

[October 20th 2017]

Trendlabs: A Look at Locky Ransomware’s Recent Spam Activities

[October 16th 2017]


[September 22nd 2017]

Lawrence Abrams for Beeping Computer: Locky Ransomware Switches to the Ykcol Extension for Encrypted Files

“Unfortunately, at this time it is still not possible to decrypt .ykcol files encrypted by the Locky Ransomware for free.”

May also be reported as Ykcol, but it really is Locky.

[September 1st 2017]

Zeljka Zorz for HelpNet: Locky ransomware returns with new tricks up its sleeve

David Bisson for Graham Cluley’s blog: Massive Locky ransomware campaign sends out 23 million emails in 24 hours “One of the largest malware campaigns seen in the latter half of 2017.”

[August 30th 2017]

Malware Breakdown: “IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

[18th August 2017]

Sophos: It’s baaaack: Locky ransomware is on the rise again

Bill Brenner says: “Last week it sported a new extension: .diablo6. This week researchers are seeing more new variants, now with a .lukitus extension. SophosLabs researcher Dorka Palotay said the new variants perform the usual Locky behavior…”

[10th August 2017]

Locky Ransomware Returns with Spam Campaign Pushing Diablo6 Variant

[6th March 2017] Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.

[27th January 2017] Talos: Without Necurs, Locky Struggles

25th November 2016: info from Checkpoint on new variants of Locky and Cerber. Two thanksgiving presents from the leading ransomware

[23rd November 2016]

SC Magazine: Facebook spam caught delivering Locky ransomware – also distributing Nemucod

[Added 10th November 2016]

Graham Cluley for Hot For Security (BitDefender): Locky ransomware disguises itself as account suspensions and suspicious movements. Basically, social engineering techniques used to persuade victims to open an attachment.

[Added 24th October 2016]

Microsoft Malware Protection Center: The new .LNK between spam and Locky infection

Talos: LockyDump – All Your Configs Are Belong To Us

[6th – 8th October 2016]

Sophos: Odin ransomware takes over from Zepto and Locky

Fortinet: The Locky Saga Continues: Now Uses .odin as File Extension

30th August 2016

Trend Micro: Locky Ransomware Now Downloaded as Encrypted DLLs

18th August 2016


Commentary from The Register: FireEye warns ‘massive’ ransomware campaign hits US, Japan hospitals – Locky ransomware running rampant, mounted on personalised phish

17th August 2016

Trend Micro: New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files

8th August 2016

After helping his parents out with a scam website that had tried to trick them into thinking their system had been compromised by the Zeus banking Trojan, Ivan Kwiatkowski accessed the same site and called the ‘helpline number’. After ‘agreeing’ to buy a support package, he offered for payment a ‘fake but valid’ credit card number: that is, one that isn’t associated with a real account, but is correctly formatted according to the format allocated to a real provider. He persuaded the scammer that he might be reading the card details wrong, and offered to send a picture of the card. What he sent, though, was a zipped Javascript file which would download Locky and encrypt the scammer’s files.

I’m not generally in favour of fighting malice with malice, but quite a few researchers who’ve come across this story have been observed trying to conceal an expression of glee, especially as there is no free decrypter for Locky.

Kwiatkowski tells the full story here: How I got tech support scammers infected with Locky

July 15th 2016

Avira: Locky goes offline (by design)

July 13th 2016

F-Secure reports A New High for Locky. Commentary by Graham Cluley: Be Careful In Your Inbox. Massive Locky Ransomware Campaign Underway

July 7th 2016

Fortinet: Cracking Locky’s New Anti-Sandbox Technique

June 29th 2016

BitDefender asks New massive spam wave spreads Locky – is Necurs botnet back? The answer is yes, quite likely…

June 21st 2016


June 10th 2016

Tripwire: Necurs Botnet Goes Quiet, Leads to Drop in Locky and Dridex Activity

June 8th 2016

 for McAfee: Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript

May 19th, 2016.

Comment by F-Secure on hacks disrupting Locky distribution networks: PSA Payload Via Hacked Locky Host [18th May 2016].

Analysis by Malwarebytes: Look Into Locky Ransomware

Analysis by ESET: Analysis of the Locky infection process [4-4-16]

David Bisson reports on Graham Cluley’s blog about the ransomware commonly named Locky because of its use of a ‘.locky’ extension to files it has encrypted. What does a .locky file extension mean? It means you’ve been hit by ransomware

The same story is covered by HelpNet Security: Dridex botnet alive and well, now also spreading ransomware

Both articles refer to analysis by Palo Alto:

Locky: New Ransomware Mimics Dridex-Style Distribution

Paul Ducklin’s article for Sophos tells us about “Locky” ransomware: What you need to know. And John Leyden’s article for The Register also refers: Locky ransomware is spreading like the clap – Feeling Locky, punk? Well, do ya?

A SANS Newsbites newsletter has a number of interesting links to commentary on the Locky ransomware.

By Sabrina Berkenkopf for GData: Encryption Trojan Locky: What you need to know about the ransomware

An article from March 8th 2016 by Tim Ring for SC Magazine – Locky ransomware ‘on the rampage’ globally – is focused on Locky but also collates commentary from sources such as Fortinet and McAfee about how it relates to other major families, notably CryptoWall and TeslaCrypt.

Sorin Mustaca remarks that he’s sick and tired of seeing so many people affected by the current wave of ransomware attacks. He’s not alone there… His article About ransomware, Google malvertising and Fraud is worth reading for the description of how Locky spam may try to convince you to enable macros “if the data encoding is incorrect.” If you need more information, though, Paul Ducklin’s article for Sophos is characteristically informative and insightful: “Locky” ransomware – what you need to know

For ESET, Josep Albors warns Trojan Downloaders on the rise: Don’t let Locky or TeslaCrypt ruin your day.

Checkpoint [5-April-2016] New Locky Ransomware Variant Implementing Changes in Communication Patterns

Palo Alto [8th April 2016] Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection – “…multiple malware samples stood out due to what seemed like obfuscated API calls coming from a dictionary of embedded terms to resolve system functions and hide their true capabilities from commonly used static analysis tools.”

[19th April 2016]

Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222. Which may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.

SecurityWeek: Dridex Botnet Spreading Locky Ransomware Via JavaScript Attachments. Cites Trustware: Massive Volume of Ransomware Downloaders being Spammed

McAfee: Locky Ransomware Arrives via Email Attachment

Microsoft: Locky

Bleeping Computer: Locky

[25th April 2016] FireEye: NEW DOWNLOADER FOR LOCKY

[Back to  Ransomware Resource Page]

[Back to Specific Ransomware Families and Types]