In the past 7 days, we’ve seen a massive surge in malicious campaigns aiming to spread Locky ransomware to as many computers as possible.

Not only are the campaigns more frequent, but they’re also large scale and use infection vectors that are new for this ransomware family: fake Flash Player update sites and SVG images in messages sent through Facebook Messenger.

What’s more, Locky recently changed the extension it uses for encrypted files to .aesir (which refers to a category of Norse gods). While we do love Norse mythology (as you can tell from our name), we completely disapprove of what attackers are doing with these symbols and people’s data.

This latest Locky campaign sent millions of spam emails to random recipients in companies from all over the world.

The emails trick Internet users into clicking by using the following subject line (which includes a few variations):

Subject Line: (% Document% |% Photosmart% |% Scan%) from office


The email has an attached archive that includes a .vbs file (Visual Basic Script). When run, the malicious file will fetch Locky from a big batch of compromised websites, including the ones below (sanitized for your safety):


That VBS script retrieves Locky in an obfuscated form, to avoid detection. It does so by applying an XOR with the following value: “M7meLUMMVmEaR2eHds9aMc04MzRpdZmV”.

The payload is then decoded locally and run on the system with the privileges of the logged-in user.
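
A triage helper for the decoding step described above, added here as an example and not code from the original article or from CSIS. It assumes the XOR is a plain repeating-key XOR starting at the first byte of the download, which the article does not specify; the function names and sample bytes are constructed for illustration.

```python
import struct
from itertools import cycle

# XOR value quoted in the article.
XOR_KEY = b"M7meLUMMVmEaR2eHds9aMc04MzRpdZmV"


def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumed scheme); the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def key_visible(blob: bytes) -> bool:
    """Zero-filled regions XORed with the key expose the key in clear text."""
    return XOR_KEY in blob


def triage(blob: bytes) -> str:
    """Classify a captured download (proxy carve, quarantine file)."""
    if looks_like_pe(blob):
        return "plain-pe"
    if looks_like_pe(xor_repeating(blob)):
        return "xor-obfuscated-pe"
    return "unknown"


def constructed_pe_stub() -> bytes:
    """Constructed sample: DOS header plus PE signature only, no code."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> offset 0x80
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


if __name__ == "__main__":
    captured = xor_repeating(constructed_pe_stub())  # stands in for a carved file
    print(triage(captured), key_visible(captured))
    print(triage(b"<html>404</html>" * 8))
```

Because executables contain long runs of zero bytes, the key string itself shows up in the obfuscated download, so `key_visible` also works as a cheap content match on captured traffic.
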
The encrypting malware then goes on to connect to a number of hard-coded IP addresses whose purpose is to enroll the affected computer into a botnet:

http://95.46.114 [.] 205 / information.cgi
http://94.242.55 [.] 81 / information.cgi
http://80.87.202 [.] 49 / information.cgi

If none of the hard-coded IP addresses are available, Locky will fall back on its built-in DGA (Domain Generation Algorithm). For a short while, this will mean that the following C&Cs will be used as a failover:


We always emphasize that protecting against ransomware requires multiple layers, because, in this case, antivirus detection is very low, with only 8/54 providers currently detecting this campaign:


Locky has come a long way from when it first started and it has become one of the most menacing ransomware families on the Internet today.

Although there is a swarm of decryption tools available for other types of encrypting malware, Locky remains unbreakable, constantly changing its code to evade detection and block decryption by cyber security specialists.

The best safeguard is having at least 2 backups of your data and really understanding what ransomware can do. Our dedicated guide will give you a better grasp of this threat and a short list of security measures that can really make a difference for your data protection.

*This article features cyber intelligence provided by CSIS Security Group researchers.
