In the past 7 days, we’ve seen a massive surge in malicious campaigns aiming to spread Locky ransomware to as many computers as possible.

Not only are the campaigns more frequent, but they’re also large scale and use infection vectors that are new for this ransomware family: fake Flash Player update sites and SVG images in messages sent through Facebook Messenger.

What’s more, Locky recently changed the extension it uses for encrypted files to .aesir (the Æsir are a group of Norse gods). While we do love Norse mythology (as you can tell from our name), we completely disapprove of what attackers are doing with these symbols and with people’s data.

This latest Locky campaign sent millions of spam emails to random recipients in companies from all over the world.

The emails use the following subject-line pattern (with a few variations) to trick recipients into opening the attachment:

Subject line: (%Document% | %Photosmart% | %Scan%) from office


The email carries an attached archive containing a .vbs file (VBScript). When run, the script fetches Locky from a large pool of compromised websites, including the ones below (sanitized for your safety):

http://cufarulculenjerii [.] ro / 988gd4
http://mospi [.] ru / 988gd4
http://mvp-sp11 [.] ru / 988gd4
http://newday-inc [.] com / 988gd4
http://newlifecamp [.] bravepages [.] com / 988gd4
http://nhadatok [.] com / 988gd4
http://ocioclick [.] es / 988gd4
http://odzs [.] cz / 988gd4
http://olgiatalife [.] IT / 988gd4
http://palsiraj [.] org / 988gd4
http://pannon-retro [.] com / 988gd4
http://rollkons [.] lv / 988gd4

What the script downloads is not Locky in the clear: the payload is XOR-obfuscated to slip past detection, and the VBS script decodes it with the key “M7meLUMMVmEaR2eHds9aMc04MzRpdZmV”.

The payload is then decoded locally and executed with the privileges of the logged-in user. No exploit is involved, so the infection hinges entirely on the recipient running the attachment.
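To make the decoding step concrete, here is an added Python example (ours, not code from the campaign or from the researchers credited at the end of this article). It assumes the payload is XOR-ed with the key above in repeating-key mode, the usual arrangement in these droppers but not spelled out in the analysis; the PE stub it decodes is constructed for the example and is not a real binary. Beyond undoing the XOR, it shows two checks an analyst applies to the result: that the output really is a PE file, and that the first key bytes can be recovered from the known header even when the key is unknown.

```python
"""Repeating-key XOR de-obfuscation of a downloaded payload, plus the sanity
checks an analyst runs on the result. Added example; the PE stub is constructed."""
from __future__ import annotations

import hashlib
import itertools

# XOR key reported for this campaign (from the article).
LOCKY_XOR_KEY = b"M7meLUMMVmEaR2eHds9aMc04MzRpdZmV"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling the key (repeating-key mode is
    an assumption). XOR is its own inverse, so one function both obfuscates and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header and the 'PE\\0\\0' signature at the
    offset stored in e_lfanew (bytes 0x3C..0x3F, little-endian)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_payload(blob: bytes, key: bytes = LOCKY_XOR_KEY) -> bytes:
    """Decode a downloaded blob and refuse anything that is not a PE file
    (wrong key, a different encoding, or an HTML page served by the compromised host)."""
    decoded = xor_with_key(blob, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE file")
    return decoded


def recover_key_bytes(blob: bytes, known: bytes = b"MZ", offset: int = 0) -> bytes:
    """Known-plaintext recovery: where the plaintext is known (a PE starts with 'MZ'),
    the key bytes at those positions are simply ciphertext XOR plaintext."""
    return bytes(c ^ p for c, p in zip(blob[offset:offset + len(known)], known))


def constructed_pe_stub() -> bytes:
    """Minimal, non-executable stand-in for the payload (constructed for this example,
    not real malware): 'MZ' header, e_lfanew -> 0x40, 'PE\\0\\0' signature, filler body."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0" + b"\x4c\x01" + bytes(58) + b"constructed stub, not a real binary\n"


def demo() -> dict:
    """Obfuscate the stub as the dropper would receive it over HTTP, then decode and hash it."""
    plain = constructed_pe_stub()
    wire = xor_with_key(plain, LOCKY_XOR_KEY)  # what travels from the compromised site
    recovered = decode_payload(wire)
    return {
        "wire_is_pe": looks_like_pe(wire),       # False: the obfuscated form hides the header
        "recovered_ok": recovered == plain,      # True: XOR twice restores the original
        "key_prefix": recover_key_bytes(wire),   # b"M7": first two key bytes from 'MZ'
        "sha256": hashlib.sha256(recovered).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

The PE check matters in practice: compromised hosts often get cleaned mid-campaign and start returning an error page, and a decoder that blindly writes and runs whatever it gets is the first thing to break. Recovering the key prefix from the 'MZ' header is also how an analyst confirms that a sample with an unknown key uses this scheme at all.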
Once running, the ransomware connects to a set of hard-coded IP addresses to register the infected computer with the attackers’ botnet:

http://95.46.114 [.] 205 / information.cgi
http://94.242.55 [.] 81 / information.cgi
http://80.87.202 [.] 49 / information.cgi

If none of the hard-coded IP addresses respond, Locky falls back on its built-in DGA (Domain Generation Algorithm). Because the generated domains change over time, the following C&Cs serve as failover only for a short window:

http://ghaapfjehrjuuwex [.] pl / information.cgi
http://wajbybkasd [.] su / information.cgi
http://kerfsbsrsdiqlobox [.] click / information.cgi
http://doakqyc [.] biz / information.cgi
http://qwboftw [.] su / information.cgi
http://ikbjdclqadoai [.] xyz / information.cgi
http://aarmkgw [.] ru / information.cgi
http://wifjrnhmhcnplta [.] click / information.cgi
http://dpmtlqndkq [.] pl / information.cgi
http://jvbbuowmklejsiqsf [.] org / information.cgi
http://gjwfccqk [.] info / information.cgi
http://dhmpxbtaby [.] pl / information.cgi
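The hard-coded C&Cs, the DGA failover domains and the download URLs above share two stable indicators, the /information.cgi beacon path and the /988gd4 download path, and those are easier to watch for than the ever-changing hosts. The following Python is an added example of our own, not from the researchers credited below: it scans constructed proxy log lines (the log format, client addresses and timestamps are invented for the example) and classifies each matching request by infection stage. The hosts and paths are the ones listed above; a domain host on the beacon path is labelled as probable DGA failover, since those domains are short-lived.

```python
"""Classify proxy log requests against the Locky indicators listed in the article.
Added example; the log lines below are constructed, not captured traffic."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from typing import NamedTuple
from urllib.parse import urlsplit

# Indicators from the article.
DOWNLOAD_PATH = "/988gd4"          # payload path on the compromised websites
C2_PATH = "/information.cgi"       # beacon path on both hard-coded and DGA C&Cs
C2_IPS = {"95.46.114.205", "94.242.55.81", "80.87.202.49"}

# Constructed sample: "<timestamp> <client> <method> <url> <status>" (invented format).
SAMPLE_LOG = """\
2016-11-21T10:02:11Z 10.0.0.17 GET http://cufarulculenjerii.ro/988gd4 200
2016-11-21T10:02:14Z 10.0.0.17 POST http://95.46.114.205/information.cgi 200
2016-11-21T10:02:15Z 10.0.0.17 POST http://wajbybkasd.su/information.cgi 502
2016-11-21T10:03:00Z 10.0.0.23 GET http://www.example.com/index.html 200
2016-11-21T10:05:41Z 10.0.0.42 GET http://mospi.ru/988gd4 404
"""


class Hit(NamedTuple):
    line_no: int
    client: str
    stage: str
    host: str


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str) -> str | None:
    """Map a requested URL to an infection stage, or None if it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == DOWNLOAD_PATH:
        return "payload_download"
    if parts.path == C2_PATH:
        if host in C2_IPS:
            return "c2_hardcoded_ip"
        if _is_ip_literal(host):
            return "c2_unknown_ip"       # same beacon path, IP not (yet) on the list
        return "c2_dga_failover"         # beacon path on a domain: probable DGA output
    return None


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per log line whose URL matches an indicator."""
    hits: list[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue                     # malformed line: skip rather than crash
        _ts, client, _method, url, _status = fields[:5]
        stage = classify(url)
        if stage:
            hits.append(Hit(n, client, stage, urlsplit(url).hostname or ""))
    return hits


def infected_clients(hits: list[Hit]) -> dict[str, str]:
    """Per client: 'beaconing' if any C&C stage was seen (the sample ran), else 'download_only'."""
    stages: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        stages[h.client].add(h.stage)
    return {c: ("beaconing" if any(s.startswith("c2_") for s in st) else "download_only")
            for c, st in stages.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.client} -> {h.stage} ({h.host})")
    print(infected_clients(found))
```

Note the difference between the two verdicts: a client that only fetched /988gd4 may have been blocked by the proxy (the 404 in the sample) or by endpoint protection, while any beacon to /information.cgi means the payload executed and the host needs to be isolated. Matching on the beacon path rather than the hosts is what keeps the rule useful after the DGA rotates the domains.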

We always stress that protecting against ransomware requires multiple layers, and this campaign shows why: antivirus detection is very low, with only 8 of 54 providers currently flagging the sample:


Locky has come a long way from when it first started and it has become one of the most menacing ransomware families on the Internet today.

Although decryption tools exist for many other encrypting malware families, no such tool exists for Locky: its authors keep changing the code to evade detection and to frustrate decryption efforts by security researchers.

The best safeguard is keeping at least two backups of your data (one of them offline, out of reach of anything that runs on the infected machine) and really understanding what ransomware can do. Our dedicated guide will give you a better grasp of this threat and a short list of security measures that can really make a difference for your data protection.

*This article features cyber intelligence provided by CSIS Security Group researchers.

