Threat Intelligence Brief – September 2017


Locky Ransomware

With the media frenzy of the WannaCry and Petya ransomware events earlier this summer, you’d be forgiven for forgetting about Locky. However, this ransomware variant continues to be a serious threat even a year after its release. Case in point, three major botnet spam campaigns delivered Locky variants in April and August this year. This reinforces the need for increased awareness of Locky and preventative measures.

This month’s Armor Threat Intelligence brief provides an overview of these Locky campaigns and what you can do to protect yourself from its reach.

2017 Locky Botnet Campaign


In April, Locky distributors began using the Necurs botnet for spam delivery. This first Locky campaign of 2017 used PDF attachments with a Word document embedded inside. The nesting defeats file-sandboxing and attachment-filtering measures that inspect only the outer PDF: Adobe Reader opens the embedded Word document, and a macro in that document retrieves and installs the malware. Once installed, the malware encrypts the computer’s files, appending the .osiris extension, and, as ransomware does, demands a payment in Bitcoin to release the files.

In early August, the first of two new Locky variants began arriving in a new spam campaign. Comodo Threat Intelligence Lab initially referred to this variant as IKARUSdilapidated; it encrypted files with a .locky file extension. It was later dubbed Diablo6 as encrypted files began showing the .diablo6 extension. It is still unclear whether the initial push was a less refined version of the ransomware or a separate version altogether; regardless, given the similarities in the TTPs (tactics, techniques and procedures) used, they are assessed as connected. The TTPs for this version were similar to those used for Osiris: the Necurs botnet, detection evasion and social engineering. The payload is delivered as an archive file (e.g. .zip, .rar, .7z) containing a VBScript (.vbs) file. Opening the script inside the archive runs it, and the script downloads and executes the malware.

In mid-August, the second Locky variant emerged. It employs techniques similar to the previous two: the Necurs botnet is still used, along with embedded or archived files and social engineering. This variant differs in that it appends the .lukitus extension to encrypted files, and its delivery chain uses JavaScript (.js) files, embedded or archived, in place of VBScript.

The Take-Away

Ransomware is no longer a new phenomenon. The WannaCry and Petya campaigns received special attention because they spread on their own, using leaked exploits for an SMB vulnerability (EternalBlue, patched by MS17-010 in March 2017) rather than waiting for a user to act. Locky, however, is old-school ransomware, counting on users to open the attachment and run its content. That is the primary thing to remember: Locky, in its current form, is not delivered or installed on a system unless the user allows it.

In tandem with user education, here are the essential details of Locky’s TTPs:

  • Delivered via email 100% of the time
  • The delivery email may come from a trusted, compromised or spoofed source
  • The file attached to the delivery email has, thus far, been a PDF or an archive file
  • New variants, each with unique file hashes, are still being discovered, so signature-based antivirus tools don’t always catch them

Having a good backup on hand, tested and kept offline or otherwise out of reach of the infected machine, is still the best defense and recovery mechanism, short of users not running the malware in the first place.
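The three delivery chains described above share one pattern: a container the mail gateway lets through (a PDF or an archive) wrapping a script or macro that the user is coaxed into running. The attachment-triage script below is an added example, not Armor’s tooling or any campaign’s code, and uses only the Python standard library. It flags PDFs with auto-open actions, JavaScript or embedded files (inflating FlateDecode-compressed embedded streams and triaging what they contain, which catches the Osiris Word-in-PDF chain), Office documents carrying a VBA project, and archives holding .vbs/.js files or double extensions. The extension watch-list is an assumption that broadens the .vbs and .js named in the brief to their close relatives; the sample attachments at the bottom are constructed for the example and contain no malware; .rar and .7z are only reported, since unpacking them needs a third-party library.

```python
"""Triage mail attachments for the Locky delivery chains described above.

Added example using only the Python standard library; it is not Armor's
tooling. Checks: PDF auto-actions/JavaScript/embedded files (Osiris-style
Word-in-PDF), Office VBA projects, and archives carrying .vbs/.js droppers
(Diablo6/Lukitus style). Sample attachments are constructed, not real samples.
"""
from __future__ import annotations

import io
import re
import zipfile
import zlib

# .vbs and .js are the extensions named in the brief; the others are close
# relatives an attacker can swap in (assumption: a broadened watch-list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc/.xls container
OLE_VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")     # stream name in the OLE directory
PDF_AUTO_ACTION = re.compile(rb"/(OpenAction|AA)\b")
PDF_JAVASCRIPT = re.compile(rb"/JavaScript\b|/JS[\s(<\[]")
PDF_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
MAX_DEPTH = 3                                           # guard against pathological nesting


def extension(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def triage(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return human-readable findings for one attachment, recursing into containers."""
    tag = "  " * depth + name
    if depth > MAX_DEPTH:
        return [f"{tag}: nested too deeply, not inspected"]
    findings: list[str] = []
    ext = extension(name)

    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{tag}: script file ({ext}), Diablo6/Lukitus-style downloader")
        if name.count(".") > 1:
            findings.append(f"{tag}: double extension disguises a script")

    if data.startswith(b"%PDF"):
        findings += triage_pdf(tag, data, depth)
    elif data.startswith(OLE_MAGIC):
        if OLE_VBA_STREAM in data:
            findings.append(f"{tag}: legacy Office document with a VBA project")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        findings += triage_zip(tag, data, depth)
    elif ext in {".rar", ".7z"}:
        findings.append(f"{tag}: {ext} archive, unpack with an external tool before inspection")
    return findings


def triage_pdf(tag: str, data: bytes, depth: int) -> list[str]:
    findings = []
    if PDF_AUTO_ACTION.search(data):
        findings.append(f"{tag}: PDF runs an action automatically on open")
    if PDF_JAVASCRIPT.search(data):
        findings.append(f"{tag}: PDF contains JavaScript")
    if b"/EmbeddedFile" in data:
        findings.append(f"{tag}: PDF carries an embedded file (Osiris-style Word-in-PDF)")
        for i, m in enumerate(PDF_STREAM.finditer(data)):
            # Heuristic: only streams whose object dictionary (just before the
            # 'stream' keyword) declares /EmbeddedFile are treated as attachments.
            if b"/EmbeddedFile" not in data[max(0, m.start() - 400):m.start()]:
                continue
            body = m.group(1)
            try:  # /FlateDecode is the usual filter; anything else is triaged raw
                inflated = zlib.decompressobj().decompress(body)
            except zlib.error:
                inflated = b""
            findings += triage(f"embedded#{i}", inflated or body, depth + 1)
    return findings


def triage_zip(tag: str, data: bytes, depth: int) -> list[str]:
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # OOXML documents (.docm, .xlsm) are zips; a vbaProject.bin part means macros.
        if any(n.endswith("vbaProject.bin") for n in names):
            return [f"{tag}: Office document with VBA macros"]
        for n in names:
            if not n.endswith("/"):                        # skip directory entries
                findings += triage(n, zf.read(n), depth + 1)
    return findings


def build_samples() -> dict[str, bytes]:
    """Constructed attachments that mimic each campaign's container (no malware)."""
    def zip_bytes(members: dict[str, bytes]) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for member, content in members.items():
                zf.writestr(member, content)
        return buf.getvalue()

    # Osiris: PDF whose /EmbeddedFile stream is a macro-enabled Word document.
    docm = zip_bytes({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": b"stub"})
    flate = zlib.compress(docm)
    pdf = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
           + str(len(flate)).encode() + b" >>\nstream\n" + flate + b"\nendstream\nendobj\n"
           b"%%EOF\n")
    return {
        "invoice.pdf": pdf,
        # Diablo6: archive with a VBScript downloader.
        "DOC_4821.zip": zip_bytes({"invoice_4821.vbs": b'Set o = CreateObject("MSXML2.XMLHTTP")'}),
        # Lukitus: archive with a JavaScript downloader behind a double extension.
        "scan.zip": zip_bytes({"scan.pdf.js": b"var sh = new ActiveXObject('WScript.Shell');"}),
        "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    }


if __name__ == "__main__":
    for filename, blob in build_samples().items():
        for finding in triage(filename, blob) or [f"{filename}: no indicators"]:
            print(finding)
```

Run as a script it prints findings for the four constructed attachments; in a mail pipeline, call triage(filename, bytes) per attachment and quarantine anything that returns a finding. The PDF checks are substring heuristics on the raw file, so an attacker can hide keywords inside object streams or with name escapes; treat them as a first filter in front of a proper PDF parser, not a substitute for one.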

Malicious IPs

The following IPs have been detected and/or reported in association with the most recent Locky ransomware variants. We’ve taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated and no longer pose a threat. It’s prudent to heavily scrutinize any communications from your network to these IPs, especially C2 nodes.

NOTE: Patterns or repetition observed in the geolocation of the IPs provided is not intended as attribution toward any one country or threat actor.

IP    Attack Signature    Geo Location
      C2 Node             Russia
      C2 Node             Russia
      C2 Node             Ukraine
      C2 Node             Ukraine
      C2 Node             Russia
      Malware host        Austria
      Malware host        Netherlands
      C2 Node             Russia
      C2 Node             Russia
      C2 Node             France
      C2 Node             Russia
      C2 Node             Russia
      C2 Node             Ukraine
      C2 Node             Russia
      C2 Node             Russia
      C2 Node             Russia
      C2 Node             Russia
      C2 Node             Germany
      C2 Node             Russia
      C2 Node             Russia
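To act on a table like the one above, the following is an added example (not Armor’s tooling): it hunts firewall log lines for outbound connections from internal hosts to listed indicators, ranks allowed C2 contacts first, lists the internal hosts to isolate, and emits ipset/iptables block rules. The indicator IPs and log lines are constructed stand-ins drawn from RFC 5737 documentation ranges, since the brief’s own addresses are not reproduced in this copy, and the key=value log format is a simplification rather than any vendor’s format.

```python
"""Hunt firewall logs for the brief's Locky indicators and emit block rules.

Added example, not Armor's tooling. INDICATORS and SAMPLE_LOG are constructed
stand-ins (RFC 5737 documentation addresses, a simplified key=value log line);
the brief's actual IPs are not reproduced here.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed stand-ins for the table above: ip -> (attack signature, geo location).
INDICATORS: dict[str, tuple[str, str]] = {
    "198.51.100.7": ("C2 Node", "Russia"),
    "198.51.100.22": ("C2 Node", "Ukraine"),
    "203.0.113.5": ("Malware host", "Austria"),
    "203.0.113.9": ("Malware host", "Netherlands"),
}

# Constructed log lines; 10.0.0.0/8 is the internal network in this example.
SAMPLE_LOG = """\
Sep 12 10:41:03 fw01 conn src=10.0.4.21 dst=198.51.100.7 dport=443 proto=tcp action=allow
Sep 12 10:41:05 fw01 conn src=10.0.4.21 dst=203.0.113.5 dport=80 proto=tcp action=allow
Sep 12 10:42:17 fw01 conn src=10.0.9.3 dst=93.184.216.34 dport=443 proto=tcp action=allow
Sep 12 10:43:01 fw01 conn src=198.51.100.22 dst=10.0.4.21 dport=3389 proto=tcp action=deny
Sep 12 10:44:40 fw01 conn src=10.0.4.77 dst=198.51.100.22 dport=8080 proto=tcp action=deny
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) .*\baction=(?P<action>\w+)")


def scan_logs(lines, indicators=INDICATORS) -> list[dict]:
    """Return one hit per outbound connection from an internal host to a listed IP."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dst"] not in indicators:
            continue
        # Direction matters: a listed IP scanning *in* is background noise, while an
        # internal host reaching *out* to a C2 node means that host is probably infected.
        if not ipaddress.ip_address(m["src"]).is_private:
            continue
        role, geo = indicators[m["dst"]]
        hits.append({"host": m["src"], "indicator": m["dst"], "role": role, "geo": geo,
                     "dport": int(m["dport"]), "allowed": m["action"] == "allow"})
    return hits


def prioritize(hits: list[dict]) -> list[dict]:
    """C2 contacts first, allowed before denied: a denied beacon still means the host tried."""
    return sorted(hits, key=lambda h: (h["role"] != "C2 Node", not h["allowed"]))


def hosts_to_isolate(hits: list[dict]) -> set[str]:
    """Internal hosts that reached (or tried to reach) a C2 node."""
    return {h["host"] for h in hits if h["role"] == "C2 Node"}


def block_rules(indicators=INDICATORS, chain: str = "OUTPUT") -> list[str]:
    """ipset/iptables commands. '-I' inserts at the top of the chain, so the LOG rule
    is added after DROP to end up in front of it and record the attempt first."""
    rules = ["ipset create locky-iocs hash:ip -exist"]
    rules += [f"ipset add locky-iocs {ip} -exist" for ip in sorted(indicators, key=ipaddress.ip_address)]
    rules.append(f"iptables -I {chain} -m set --match-set locky-iocs dst -j DROP")
    rules.append(f"iptables -I {chain} -m set --match-set locky-iocs dst -j LOG --log-prefix 'LOCKY-IOC '")
    return rules


if __name__ == "__main__":
    found = prioritize(scan_logs(SAMPLE_LOG.splitlines()))
    for h in found:
        state = "ALLOWED" if h["allowed"] else "denied"
        print(f"{h['host']} -> {h['indicator']}:{h['dport']} {h['role']} ({h['geo']}) {state}")
    print("isolate:", ", ".join(sorted(hosts_to_isolate(found))))
    print("\n".join(block_rules()))
```

The direction check is the part worth keeping: a listed address hitting your perimeter from outside is routine scanning, whereas an internal host initiating a connection to a C2 node, even one the firewall denied, is the signal the brief says to scrutinize. Blocking by IP is a stopgap; the same infrastructure is cheap for the operators to replace, so pair the rules with the attachment controls above.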

Security News


Criminals have no shame. As was seen with recent disaster-relief efforts, criminals are taking advantage of the media coverage and panic surrounding the Equifax breach to scam people with social engineering techniques, including email and phone phishing. See the FTC report for details and recommendations. Also, Equifax will not call to confirm your account details, so if you receive a call from anyone claiming to be associated with the credit reporting agency, it’s a scam.

Hopefully, you haven’t grown too tired of Equifax-related news. If this article is any indication, Equifax’s issues potentially extend far beyond a single software vulnerability: security researchers covering the breach, analyzing the available data and Equifax’s public web assets, are finding additional security configuration issues across its web presence.
