[December 8th 2017]
See also Necurs and Scarab
[November 13th 2017]
GBHackers: Beware!! Dangerous Locky Ransomware Now Spreading through Microsoft Office Word Documents
[October 23rd 2017]
Internet Storm Center: Necurs Botnet malspam pushes Locky using DDE attack
Richard Chirgwin for The Register: New phishing campaign uses 20-year-old Microsoft mess as bait – Necurs botnet spreads ransomware carried in Office documents
[October 20th 2017]
Trendlabs: A Look at Locky Ransomware’s Recent Spam Activities
[October 16th 2017]
Kaspersky Threat Post: LOCKY GETS UPDATED TO ‘YKCOL’, PART OF RAPID-FIRE SPAM CAMPAIGNS
[September 22nd 2017]
Lawrence Abrams for Bleeping Computer: Locky Ransomware Switches to the Ykcol Extension for Encrypted Files
“Unfortunately, at this time it is still not possible to decrypt .ykcol files encrypted by the Locky Ransomware for free.”
May also be reported as Ykcol, but it really is Locky.
[September 1st 2017]
Zeljka Zorz for HelpNet: Locky ransomware returns with new tricks up its sleeve
David Bisson for Graham Cluley’s blog: Massive Locky ransomware campaign sends out 23 million emails in 24 hours. “One of the largest malware campaigns seen in the latter half of 2017.”
[August 30th 2017]
Malware Breakdown: “IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.
[18th August 2017]
Sophos: It’s baaaack: Locky ransomware is on the rise again
Bill Brenner says: “Last week it sported a new extension: .diablo6. This week researchers are seeing more new variants, now with a .lukitus extension. SophosLabs researcher Dorka Palotay said the new variants perform the usual Locky behavior…”
[10th August 2017]
Locky Ransomware Returns with Spam Campaign Pushing Diablo6 Variant
[6th March 2017] Brad Duncan for Palo Alto: “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Apparently primarily distributes Cerber, but also Sage 2.0 and Locky.
[27th January 2017] Talos: Without Necurs, Locky Struggles
[25th November 2016] Info from Checkpoint on new variants of Locky and Cerber: Two Thanksgiving presents from the leading ransomware
[23rd November 2016]
SC Magazine: Facebook spam caught delivering Locky ransomware – also distributing Nemucod
[Added 10th November 2016]
Graham Cluley for Hot For Security (BitDefender): Locky ransomware disguises itself as account suspensions and suspicious movements. Basically, social engineering techniques used to persuade victims to open an attachment.
[Added 24th October 2016]
Microsoft Malware Protection Center: The new .LNK between spam and Locky infection
Talos: LockyDump – All Your Configs Are Belong To Us
[6th – 8th October 2016]
Sophos: Odin ransomware takes over from Zepto and Locky
Fortinet: The Locky Saga Continues: Now Uses .odin as File Extension
[30th August 2016]
Trend Micro: Locky Ransomware Now Downloaded as Encrypted DLLs
[18th August 2016]
FireEye: LOCKY RANSOMWARE DISTRIBUTED VIA DOCM ATTACHMENTS IN LATEST EMAIL CAMPAIGNS
Commentary from The Register: FireEye warns ‘massive’ ransomware campaign hits US, Japan hospitals – Locky ransomware running rampant, mounted on personalised phish
[17th August 2016]
Trend Micro: New Locky Ransomware Spotted in the Brazilian Underground Market, Uses Windows Script Files
[8th August 2016]
After helping his parents deal with a scam website that had tried to trick them into thinking their system had been compromised by the Zeus banking Trojan, Ivan Kwiatkowski visited the same site himself and called the ‘helpline number’. After ‘agreeing’ to buy a support package, he offered for payment a ‘fake but valid’ credit card number: one that isn’t associated with a real account, but is correctly formatted according to the number range allocated to a real provider. He persuaded the scammer that he might be reading the card details wrong and offered to send a picture of the card. What he actually sent was a zipped JavaScript file that would download Locky and encrypt the scammer’s files.
I’m not generally in favour of fighting malice with malice, but quite a few researchers who’ve come across this story have been observed trying to conceal an expression of glee, especially as there is no free decrypter for Locky.
Kwiatkowski tells the full story here: How I got tech support scammers infected with Locky
[July 15th 2016]
Avira: Locky goes offline (by design)
[July 13th 2016]
F-Secure reports A New High for Locky. Commentary by Graham Cluley: Be Careful In Your Inbox. Massive Locky Ransomware Campaign Underway
[July 7th 2016]
Fortinet: Cracking Locky’s New Anti-Sandbox Technique
[June 29th 2016]
BitDefender asks New massive spam wave spreads Locky – is Necurs botnet back? The answer is yes, quite likely…
[June 21st 2016]
FireEye: LOCKY IS BACK ASKING FOR UNPAID DEBTS
[June 10th 2016]
Tripwire: Necurs Botnet Goes Quiet, Leads to Drop in Locky and Dridex Activity
[June 8th 2016]
Diwakar Dinkar for McAfee: Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript
[May 19th 2016]
- Lawrence Abrams for Bleeping Computer: Goliath Ransomware for sale on Dark Web – Linked to Jigsaw?
- David Bisson for Graham Cluley’s blog: Ransomware for sale on nonsensical dark web malware site. “Everyone knows Locky! Time has come, new ransomare is arrived. Goliath is sell here”.
Comment by F-Secure on hacks disrupting Locky distribution networks: PSA Payload Via Hacked Locky Host [18th May 2016].
Analysis by Malwarebytes: Look Into Locky Ransomware
Analysis by ESET: Analysis of the Locky infection process [4-4-16]
David Bisson reports on Graham Cluley’s blog about the ransomware commonly named Locky because of its use of a ‘.locky’ extension to files it has encrypted. What does a .locky file extension mean? It means you’ve been hit by ransomware
The same story is covered by HelpNet Security: Dridex botnet alive and well, now also spreading ransomware
Both articles refer to analysis by Palo Alto:
Locky: New Ransomware Mimics Dridex-Style Distribution
Paul Ducklin’s article for Sophos tells us about “Locky” ransomware: What you need to know. And John Leyden’s article for The Register also refers: Locky ransomware is spreading like the clap – Feeling Locky, punk? Well, do ya?
A SANS Newsbites newsletter has a number of interesting links to commentary on the Locky ransomware.
By Sabrina Berkenkopf for GData: Encryption Trojan Locky: What you need to know about the ransomware
An article from March 8th 2016 by Tim Ring for SC Magazine – Locky ransomware ‘on the rampage’ globally – is focused on Locky but also collates commentary from sources such as Fortinet and McAfee about how it relates to other major families, notably CryptoWall and TeslaCrypt.
Sorin Mustaca remarks that he’s sick and tired of seeing so many people affected by the current wave of ransomware attacks. He’s not alone there… His article About ransomware, Google malvertising and Fraud is worth reading for the description of how Locky spam may try to convince you to enable macros “if the data encoding is incorrect.” If you need more information, though, Paul Ducklin’s article for Sophos is characteristically informative and insightful: “Locky” ransomware – what you need to know
For ESET, Josep Albors warns Trojan Downloaders on the rise: Don’t let Locky or TeslaCrypt ruin your day.
Checkpoint [5-April-2016] New Locky Ransomware Variant Implementing Changes in Communication Patterns
Palo Alto [8th April 2016] Ransomware: Locky, TeslaCrypt, Other Malware Families Use New Tool To Evade Detection – “…multiple malware samples stood out due to what seemed like obfuscated API calls coming from a dictionary of embedded terms to resolve system functions and hide their true capabilities from commonly used static analysis tools.”
[19th April 2016]
Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222’. This may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.
SecurityWeek: Dridex Botnet Spreading Locky Ransomware Via JavaScript Attachments. Cites Trustwave: Massive Volume of Ransomware Downloaders being Spammed
McAfee: Locky Ransomware Arrives via Email Attachment
Microsoft: Locky
Bleeping Computer: Locky
[25th April 2016] FireEye: NEW DOWNLOADER FOR LOCKY