locky


While FortiGuard Labs was preparing for another presentation on our Locky research at the Black Alps cyber security conference this coming November in Switzerland, Fortinet’s Kadena Threat Intelligence System (KTIS) caught another Locky variant using a new extension – “ykcol”, or “locky” spelled backwards. Locky has been stepping up its game over the past few months after going dark during the first half of 2017. Just like the old days, this new variant is distributed through massive volumes of malicious...
by Floser Bacurio, Joie Salvio, Rommel Joven and Jasper Manuel  |  Sep 21, 2017  |  Filed in: Security Research
It has just been a week since the Locky variant named Diablo6 appeared. Now it has launched another campaign, more massive than the previous one. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced Kadena Threat Intelligence System (KTIS).
Fig. 1 Encrypted files with .lukitus extension
Fig. 2 Familiar Locky ransom note
Same Locky, More Spam
This...
by Joie Salvio, Rommel Joven and Floser Bacurio  |  Aug 17, 2017  |  Filed in: Security Research
We attended the recent VB 2016 conference to present our findings on the development and evolution of Locky ransomware. In that same presentation we also discussed an automation system designed by FortiGuard to extract its configuration and hunt for new variants. Locky-ly (*wink*), while improving the system we couldn’t help but notice another new variant. Actually, aside from the change in the encrypted file name extension, this new variant shows no major developments over the “.odin” variant. However, it appears that criminals...
by Floser Bacurio Jr. and Joie Salvio  |  Oct 24, 2016  |  Filed in: Security Research
As a result of our continuous monitoring of the Locky ransomware we discovered a new Locky variant. This variant now appends a “.odin” extension to its encrypted files. This is the third time that the extension has been changed. Aside from this, in this report we will also examine some of its other minor updates.
It’s not Odin. It’s Locky
The transition from the “.locky” to the “.zepto” extension has caused some confusion in the malware research scene. Due to this update,...
by Joie Salvio and Floser Bacurio Jr.  |  Oct 03, 2016  |  Filed in: Security Research
VB 2016 Presentation – Oct 5-7, Denver
When we first saw and analyzed Locky back in February, we immediately had a hunch that it was the work of seasoned criminals. The tell-tale signs were strong: massive spam runs were used to spread the ransomware, the malware used a domain generation algorithm, the HTTP C2 communication was encrypted (in the first version, that is), and the ransom note was multilingual. The conclusion of our first Locky blog reads: “We also predict that Locky ransomware will be a major player in the ransomware...
by Floser Bacurio, Rommel Joven and Roland Dela Paz  |  Sep 30, 2016  |  Filed in: Security Research
Over the last few months we saw that Locky’s loader uses a seed parameter to execute properly. This method was probably used to prevent sandboxing, since the loader will not execute without the correct parameter. Afterwards, we saw Locky shift itself from an EXE to a Dynamic Link Library (DLL). We recently encountered yet another Locky development, where binary strains are using the Nullsoft installer package as their loader. In this post we will delve into how to unpack the final binary payload from its Nullsoft package loader.
Decompressing Locky’s...
by Floser Bacurio Jr. and Kenny Yongjian Yang  |  Sep 12, 2016  |  Filed in: Security Research
The last few weeks saw new variants of the Locky ransomware that employ a new anti-sandbox technique. In these new variants, Locky’s loader code uses a seed parameter from its JavaScript downloader in order to decrypt the embedded malicious code and execute it properly. For example, the downloaded Locky executable is executed by the JavaScript in the following manner:
sample.exe 123
Below is a screenshot of it in action: This new trick may pose challenges for automated Locky tracking systems that utilize sandboxing due to the following...
by Floser Bacurio and Roland Dela Paz  |  Jun 30, 2016  |  Filed in: Security Research
FortiGuard Labs uses the data it gathers from its over 2 million security sensors to keep an eye on trends related to ransomware, one of the areas of greatest concern when it comes to cyber security threats today. As a result of this effort, we previously talked about Locky’s rapid rise in prevalence in the first two weeks of its appearance. This time, we have observed yet another new ransomware family – Cerber – rapidly gaining prevalence in the wild. We gathered FortiGuard Intrusion Prevention System (IPS) telemetry...
by Kenichi Terashita and Roland Dela Paz  |  May 26, 2016  |  Filed in: Security Research
Back when I was in college, I remember one day our class asked our programming professor, “how do we create a virus?” Understandably, our professor refused to answer the question. However, after some persuading, he eventually agreed to give us one example. It looked like this: del C:\\*.* Suddenly, the class was enlightened. More than that, I was personally astounded. How could a single line of code do so much damage? Fast forward to today, and I am still astounded, perhaps for a slightly different reason. I came to realize...
by Roland Dela Paz  |  Apr 12, 2016  |  Filed in: Security Research
If you’ve been listening to the news at all the past couple of weeks, you have undoubtedly heard of a number of companies being affected by ransomware. The recent surge in this form of cyber attack has many organizations and users understandably concerned. And you should be. Ransomware is nasty stuff. But with some careful preparation, you can significantly lower your risk of being infected, and reduce the impact on you or your organization should you get hit.
What is Ransomware?
Ransomware is a form of malware that infects devices,...
by Bill McGee  |  Apr 06, 2016  |  Filed in: Industry Trends