After hitting a US hospital, cyber security specialists warn that this new strain of ransomware is being aggressively spread to compromise potential victims around the world. Its name: Locky.

You may be lead to think of the Avengers when reading about this new cryptoware type, but this new threat doesn’t come from Asgard.

Locky made its entrance in the cyber crime scene with a bang, after extorting money from a hospital in Hollywood:

The Hollywood Presbyterian Medical Center’s own nightmare started on 5 February, when staff noticed they could not access the network. It was soon determined hackers had locked up those files and wanted 40 Bitcoins (worth around $17,000) for the decryption key required to unlock the machines.

Source: As Ransomware Crisis Explodes, Hollywood Hospital Coughs Up $17,000 In Bitcoin

With their data encrypted and a huge pressure to solve the issue as fast as possible, the hospital’s management decided to pay up, as many ransomware victims do.

The analysis reveals that Locky is closely related to the Dridex gang’s modus operandi, which was email spam campaigns which, at times, even leveraged the good reputation of big brands to achieve a higher infection rate.

Locky ransomware targeting German-speaking victims

Similarly, Locky infections also start with a spam email. Just this morning, cyber security specialists observed a spam run that propagates the new ransomware.

Here are the details of the email:

From: [spoofed / fake return address]

Subject Line: Rechnung 2016-11365

The content is in German and pretends to come from the Mpsmobile Team.

The following infected file comes as an attachment:

The analysis shows that the document is identical to the droppers used in Dridex spam campaigns. This particular document includes macros, which, if activated, will connect the victim’s PC to a malicious web page to download Locky from that location.

This is just one of the various spam campaigns that have been aggressively spreading Locky, but they have all have one thing in common: the series of URLs from which the ransomware downloads and runs its main components. Here is a small list of these malicious websites (sanitized):

http://nautipol [.] es / 2 / 2_6f3f22f0.exe
http://jsteksys [.] com / 4 / 4_b9ffd5c5.exe
http://hazentrumsuedperlach [.] de / 1 / 1_5a0befc0.exe
http://blitz174 [.] ru / system / SMSGate / 7623dh3f.exe

The moment Locky’s main component is run on the machine, the encryption process will automatically begin, affecting all the data files available both locally and on the connected network drives. In the next stage, Locky will connect to a Command & Control server, where it will enroll the affected PC into a botnet.

A small sample of active Locky Command & Control servers are shown below:

http://jbdog [.] IT / main.php
http://kpybuhnosdrm [.] in / main.php
http://luvenxj [.] uk / main.php
http://dkoipg [.] pw / main.php

As all other ransomware families, once the encryption is completed, the victim will be prompted with a blackmail message:


In this particular campaign, cyber criminals established a C & C server with a TOR login functionality (sanitized): https://6dtxgqam4crv6rr6 [.] .

Antivirus detection is low with a rate of only 7/54 on VirusTotal:

locky ransomware full detection virustotal february 18 2016 snippet

Click here for the full infection rates at the time the campaign was analyzed.

Research from Palo Alto Networks shows that the US is the main target, but the campaign presented above is clearly directed to German-speaking countries, so the attackers are definitely expanding their reach.

We observed approximately 446,000 sessions for this threat, over half of which targeted the United States (54%). For comparison, the next most impacted countries, Canada and Australia, only accounted for another nine percent combined.

Source: Locky: New Ransomware Mimics Dridex-Style Distribution

Our advice on protecting yourself from ransomware such as Locky

Getting infected with ransomware is not a minor inconvenience and will make victims feel that they’re completely lost control over their data. It isn’t cheap either! In fact, Sophos researchers said that:

The prices we’ve seen vary from BTC 0.5 to BTC 1.00 (BTC is short for “bitcoin,” where one bitcoin is currently worth about $400/£280).

Source: “Locky” ransomware: What you need to know

So if you want to avoid all the drama, fear, uncertainty and expense that comes with a ransomware infection, you should follow the advice in this guide we put together for you.

As always, the best protection is prevention, and we hope you never have to deal with Locky or other ransomware and their regretful consequences.

* This article features cyber intelligence provided by CSIS Security Group researchers.

What is Ransomware
2017.05.15 SLOW READ

What is Ransomware and 15 Easy Steps To Keep Your System Protected [Updated]

2016.10.05 QUICK READ

Ransomware Decryption Tools – Unlock Your Data for Free

2016.04.01 QUICK READ

Ransomware Distribution: How One Infection Can Go Network-Wide


[…] the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and […]

[…] the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and […]

[…] Ransomware made it way into the scene by extorting money from a hospital in […]

[…] the victim with the key that can decrypt the blocked content. Examples include CryptoLocker, Locky, CrytpoWall and […]

[…] and Locky spam campaigns plummete since 1st of June. It appears one of the world’s largest botnets, […]

[…] In what researchers at Comodo Threat Rersearch Labs say it might be one of the biggest spam ransomware campaigns of this year, Amazon customers are targeted with a massive spear phishing campaign. The recipients receive Microsoft Word documents with a macro that triggers downloads of the Locky ransomware. […]

Good day,

Does anyone have any solution for .locky files ?

Best Regards.


[…] of US federal agencies). With attacks multiplying and new types of encrypting malware coming out (Locky, Petya), CISOs and IT administrators should look beyond the obvious to protect their networks […]

[…] ressemblent plus d’un tiers des victimes. De son côté, Heimdal Security a observé des variantes de pourriels de distribution de Locky rédigées en […]

We were attacked tuesday by this ransomware. 150 Emails spoofed to our mailserver. 149 Mails were blocked by the Barracuda spamfilter. One slipped through and was initialised by a coworker from the saledepartment. In half an hour our fileserver, applicationserver and shared maps on local PC’s was encrypted.
After locating the PC where it all started, we took that one from the network and started to restore everything from the backup. In one hour the fileserver and applicationserver was back working.
Except one local folder with lots of data in that wasn’t on the fileserver was completely destroyed. We succeeded in fixing this as follows.

First we installed RECUVA on this PC and tried to recover the lost map.The fact that the user kept working on it, had as result that most files were’nt recoverable because they were overwritten by cookies and temporary internetfiles. (So when noticing the LOCKY files … stop working)
Windows 7 has shadow files. Too bad those files are corrupt because of the LOCKY virus … but … we were able to recover those files with RECUVA, restore them and start SHADOWEXPLORER and go back 6 days to recover a shadowcopy from the lost data folder. In the end we recovered about 99% of lost files !

But as someone said before …. nothing helps to prevent it so backup, backup and backup …..

[…] we met Locky – and we’re not talking about the Asgardian God of Mischief and Evil. Locky is a new ransomware that made its entrance with a bang: it extorted money from a Hollywood […]

[…] recent ransomware that has been causing damage, called Locky, also enrolls the affected PC into a […]

Leave a Reply

Your email address will not be published. Required fields are marked *

165 queries in 1.169 seconds