While FortiGuard Labs was preparing another presentation on our Locky research for the Black Alps cyber security conference this coming November in Switzerland, Fortinet’s Kadena Threat Intelligence System (KTIS)[1] caught another Locky variant using a new extension – “ykcol”, or “locky” spelled backwards.
Locky has been stepping up its game over the past few months after going dark during the first half of 2017. Just like in the old days, this new variant is distributed through massive volumes of malicious spam email. Locky variants are usually named after the extension they append to the files they encrypt; in this case, that is “ykcol”.
Fig 1. Encrypted files with ‘.ykcol’ extension
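The most direct host-side indicator of this variant is the rename of many files to the “.ykcol” extension in a short time. The script below, an added example that is not FortiGuard's code, scans a file-server audit log for that pattern and flags hosts that exceed a rename rate. The audit record layout, the hostnames and the encrypted file names are constructed for illustration; the extension set can be extended with the entries from Table 2 to cover older variants.

```python
"""Flag hosts that rename many files to the ".ykcol" extension within a short
window, the file-system footprint of the Locky variant described above.

Added example for this post; it is not FortiGuard's code. The audit log
format, the hostnames and the encrypted file names are constructed for
illustration; extend LOCKY_EXTENSIONS with the entries from Table 2 to cover
older variants.
"""
from collections import defaultdict, deque

LOCKY_EXTENSIONS = {".ykcol"}

# Constructed file-server audit records:
# epoch seconds, host, operation, old name, new name
AUDIT_LOG = """\
1505214000 FS01 RENAME report.docx.tmp report.docx
1505214001 WS07 RENAME Q3-budget.xlsx 8F2A0C-0001.ykcol
1505214001 WS07 RENAME notes.txt 8F2A0C-0002.ykcol
1505214002 WS07 RENAME photo.jpg 8F2A0C-0003.ykcol
1505214002 WS12 RENAME draft.doc test.YKCOL
1505214003 WS07 RENAME plan.pptx 8F2A0C-0004.ykcol
1505214003 WS07 COPY plan.pptx backup.pptx
1505214004 WS07 RENAME todo.md 8F2A0C-0005.ykcol
"""


def parse_rename(line):
    """Return (timestamp, host, new_name) for RENAME records, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "RENAME":
        return None
    ts, host, _, _, new_name = parts
    return int(ts), host, new_name


def has_locky_extension(name):
    """Case-insensitive check of the final extension only."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in LOCKY_EXTENSIONS


def flag_hosts(log_text, threshold=5, window_seconds=60):
    """Return {host: peak} for hosts with at least `threshold` Locky-extension
    renames inside any `window_seconds` interval. Records are assumed to be
    in time order; a single stray rename never trips the threshold."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_rename(line)
        if rec is None:
            continue
        ts, host, new_name = rec
        if not has_locky_extension(new_name):
            continue
        q = windows[host]
        q.append(ts)
        while ts - q[0] > window_seconds:
            q.popleft()  # drop renames that fell out of the window
        peak[host] = max(peak[host], len(q))
    return {h: c for h, c in peak.items() if c >= threshold}


if __name__ == "__main__":
    for host, count in flag_hosts(AUDIT_LOG).items():
        print(f"{host}: {count} files renamed to a Locky extension within 60s")
```

The threshold and window are deliberately conservative: one user renaming a single file to a look-alike extension (WS12 above) is not flagged, while a workstation encrypting a directory tree trips the rule within seconds.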
Multiple Spam Waves
With the data collected from KTIS, we identified multiple spam waves of this new variant over the past three days. In fact, as we write this article, new waves with behavior similar to the previous ones are still being discovered in our system. The table below compares these waves.
Table 1. Comparison of the spam waves
The following generalizations can be made based on this data:
- Emails in the same wave share the same email subject and attachment filename format (except for the 5th wave, which had two sets of email subjects and attachments).
- Each wave has its own set of compromised hosts, each with the same URI appended (see the IOC section for the full list of related URLs).
- At any given point in time, the compromised URLs in the same wave lead to the same Locky sample when downloaded.
- A wave can deliver Locky samples with either online or offline encryption. Locky samples from the same wave that are capable of online encryption use the same C&C servers.
- All Locky samples analyzed in this campaign were distributed with affiliate ID 3. This affiliate has been observed distributing Locky through spam emails carrying a compressed JS or VBS downloader as an attachment since last year.
- Two spam waves were delivered per day.
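The second observation above (one URI token shared by every compromised host in a wave, with an extra directory such as /p66/ in front of it on some hosts) is useful beyond blocking the listed URLs: a request for the same token from a host not yet on the list is very likely the same wave on a newly compromised site. The script below, an added example that is not FortiGuard's or KTIS's code, groups a subset of the URLs from this post's IOC list into waves by that token and matches proxy log lines against them, reporting both exact URL hits and token-only hits. The proxy log format, the client addresses and the unlisted hostname are constructed for illustration.

```python
"""Group the Locky download URLs into spam waves by the URI token they share
and match proxy log lines against them.

Added example for this post; it is not FortiGuard's or KTIS's code. The URLs
below are a subset of the IOC list at the end of the post ("hxxp" is the
defanged form of "http"); the proxy log lines and client addresses are
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Subset of the download URLs from the post's IOC list.
IOC_URLS = [
    "hxxp://miliaraic.ru/p66/87thiuh3gfDGS",
    "hxxp://troyriser.com/87thiuh3gfDGS",
    "hxxp://saitis.eu/87thiuh3gfDGS",
    "hxxp://targeter.su/p66/DKndhFG72",
    "hxxp://wiskundebijles.nu/DKndhFG72",
    "hxxp://asiaresearchcenter.org/JGHldb03m",
    "hxxp://digiviews.co.uk/RSkfsNR7",
]

# Constructed proxy log: epoch seconds, client IP, method, URL, HTTP status.
PROXY_LOG = """\
1505214001 10.0.0.12 GET http://troyriser.com/87thiuh3gfDGS 200
1505214002 10.0.0.12 GET http://www.example.org/index.html 200
1505214003 10.0.0.31 GET http://newly-compromised.example/87thiuh3gfDGS 200
1505214004 10.0.0.44 GET http://targeter.su/p66/DKndhFG72 404
"""


def refang(url: str) -> str:
    """Restore the real scheme so urllib can parse a defanged hxxp:// URL."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def wave_token(url: str) -> str:
    """The token a wave shares across its compromised hosts is the last path
    segment (e.g. 87thiuh3gfDGS); some hosts carry an extra directory such
    as /p66/ in front of it, so the full path is not a stable key."""
    path = urlparse(refang(url)).path.rstrip("/")
    return path.rsplit("/", 1)[-1]


def normalize(url: str) -> str:
    """Host (case-insensitive) plus path (case-sensitive), without scheme."""
    p = urlparse(refang(url))
    return f"{p.hostname.lower()}{p.path}"


def group_by_wave(urls):
    """Map wave token -> set of compromised hostnames serving it."""
    waves = defaultdict(set)
    for u in urls:
        waves[wave_token(u)].add(urlparse(refang(u)).hostname.lower())
    return dict(waves)


def scan_proxy_log(log_text, urls):
    """Return (client, url, wave_token, match_kind) for each suspicious
    request. 'exact' is a listed URL; 'token' is a listed wave token served
    by a host that is not yet on the list, which the post's observation
    suggests is the same wave on a newly compromised host."""
    exact = {normalize(u) for u in urls}
    waves = group_by_wave(urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed record; skip rather than crash
        client, url = fields[1], fields[3]
        token = wave_token(url)
        if normalize(url) in exact:
            hits.append((client, url, token, "exact"))
        elif token in waves:
            hits.append((client, url, token, "token"))
    return hits


if __name__ == "__main__":
    for token, hosts in group_by_wave(IOC_URLS).items():
        print(f"wave {token}: {len(hosts)} host(s)")
    for hit in scan_proxy_log(PROXY_LOG, IOC_URLS):
        print("HIT", *hit)
```

A 404 is still reported (the last log line): the request shows that a user opened the attachment and the downloader ran, even if the compromised host had already been cleaned.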
Another interesting observation concerns the email subject “Message from km_c224e” from the second wave. The same subject was also used in other malware campaigns delivering Dridex and Jaff ransomware, which implies that one group may be responsible for these distributions.
As always, in an attempt to evade traditional signature detection, the threat actors behind Locky repack and rehash the samples regularly.
Fig 2. Malicious URL leads to different “.ykcol” samples
Feedback from our Fortinet systems shows that the United States is the top affected country. This data only reflects the number of visits to Locky’s C&C servers, which means that variants with offline encryption (which never contact a C&C) are not included in these statistics.
Fig 3. Top countries affected by Locky with online encryption
Aside from the filename extension change, Locky has aligned its decryption price with the rising price of bitcoin. From the previous ransom of 0.5 BTC, they are now asking for 0.25 BTC, or ~1000 USD.
Fig 4. Locky decryptor priced at 0.25BTC
Here is the updated list of all Locky extensions seen so far.
Table 2. List of Locky extensions
- FortiMail blocks all spam emails.
- FortiGuard Antivirus service detects Locky(.ykcol) samples as W32/Locky.FWSD!tr.ransom.
- FortiGuard Webfilter service blocks and tags all download URLs as malicious.
- FortiSandbox rates the Locky samples as High Risk.
Despite a few minor alterations, Locky is still the same dangerous ransom malware from a year ago. It has the capabilities and distribution network necessary to cause significant damage to any system unfortunate enough to be hit by it.
Over the past few months, we have seen it distributing massive spam campaigns and we don’t see it slowing down any time soon.
-= FortiGuard Lion Team =-
Locky samples (SHA256):
c674da5f1c063a0bec896d03492620ac94687e7687a1b91944d93c1d6527c8a7
21e182165b2e928062ff417a0d3f089925d42251486d2777883bbe3d703566e3
3ebb3c50ea81e6897f130cd5582981ca6ee0a5432ebfe85fa522dc25fc462aaf
8bf303dda84a1e0552f98370dd5dbfdf127d7ec9b5caab948874a897771ce142
24b29b6c856f24b4385b8aefedada88cb3aebf88b29b90348a928d8bae5c7cc2
942e275de833c747d0f8a5ebe519c62157c1136cbf467d079d7f84890018aa84
f2afa33f6ffeb62d0280f389c21a7dc61e6cbf7a826c7af4ffccf4fc1a354918
049dd2344e04dd47516a390dc07d4aa359dda46cfa30cfc6eed46993dc628096
d1b8b8c6cce9175c844875a68b61e50107cd7b5d5c6ac2ec76dbb3b06ed727f8
f8e7dde2601ebeb7e30af4c54016223f1c42298176e1f2f5c4945ca6b8b88317
99a07f1d83c5a7f613f7915ad390decb2803868658b4b027a0bdcd9ca2a6f2c7
ece3de389dbe55f0810bbc2ee8f86e257af852e8817ade55afa2e02e0bac2db4
614bfea6b81f56b59bd0f2222b65b57571796245a7886a8e31be8a3ccd0e5617
da386efced7535a1262ae9ede6988e27bdc6fca3411da14e6db02158aa37a5c9
59ec54fb9b1d3415b54558977e3640b81bb3ebebdb61af3fc772e308c6b8eb3a
302aabfec6b1696e3019699d6367e4ac9e57037aec6237d9b263ba9a8fbe3418
URL Download of Locky:
hxxp://miliaraic.ru/p66/87thiuh3gfDGS
hxxp://troyriser.com/87thiuh3gfDGS
hxxp://yildizmakina74.com/87thiuh3gfDGS
hxxp://unifiedfloor.com/87thiuh3gfDGS
hxxp://w4fot.com/87thiuh3gfDGS
hxxp://web-ch-team.ch/87thiuh3gfDGS
hxxp://saitis.eu/87thiuh3gfDGS
hxxp://grovecreative.co.uk/87thiuh3gfDGS
hxxp://www.elitecommunications.co.uk/87thiuh3gfDGS
hxxp://cedipsa.com/87thiuh3gfDGS
hxxp://abelfaria.pt/87thiuh3gfDGS
hxxp://lanzensberger.de/87thiuh3gfDGS
hxxp://pielen.de/87thiuh3gfDGS
hxxp://qstom.com/87thiuh3gfDGS
hxxp://targeter.su/p66/DKndhFG72
hxxp://wiskundebijles.nu/DKndhFG72
hxxp://lasdamas.com/DKndhFG72
hxxp://v-chords.de/DKndhFG72
hxxp://petromarket.ir/DKndhFG72
hxxp://accountingservices.apec.org/DKndhFG72
hxxp://autoecoleeurope.com/DKndhFG72
hxxp://dmlex.adlino.be/DKndhFG72
hxxp://wenger-werkzeugbau.de/DKndhFG72
hxxp://cornyproposals.com/DKndhFG72
hxxp://autoecolekim95.com/DKndhFG72
hxxp://pnkparamount.com/DKndhFG72
hxxp://montecortelhas.com/DKndhFG72
hxxp://walkama.net/DKndhFG72
hxxp://georginabringas.com/DKndhFG72
hxxp://eurecas.org/DKndhFG72
hxxp://demopowerindo.com/DKndhFG72
hxxp://asiaresearchcenter.org/JGHldb03m
hxxp://bnphealthcare.com/JGHldb03m
hxxp://conxibit.com/JGHldb03m
hxxp://cxwebdesign.de/JGHldb03m
hxxp://diakoniestation-winnenden.de/JGHldb03m
hxxp://download.justowin.it/JGHldb03m
hxxp://ecofloraholland.nl/JGHldb03m
hxxp://felixsolis.mobi/JGHldb03m
hxxp://foodbikers.ch/JGHldb03m
hxxp://gui-design.de/JGHldb03m
hxxp://highpressurewelding.co.uk/JGHldb03m
hxxp://housecafe-essen.de/JGHldb03m
hxxp://ycgrp.jp/JGHldb03m
hxxp://arsmakina.org/JGHldb03m
hxxp://g-peer.at/JGHldb03m
hxxp://teracom.co.id/JGHldb03m
hxxp://globalmitrateknik.com/y873fhn3iur
hxxp://hkwatercolors.com/y873fhn3iur
hxxp://slbjuris.fr/y873fhn3iur
hxxp://dealer.my-beads.nl/y873fhn3iur
hxxp://lowlender.com/y873fhn3iur
hxxp://mebel.wladimir.ru/y873fhn3iur
hxxp://land-atlanta.net/y873fhn3iur
hxxp://keener-music.com/y873fhn3iur
hxxp://hydrodesign.net/y873fhn3iur
hxxp://edificioviacapital.com.br/y873fhn3iur
hxxp://dkck.com.tw/y873fhn3iur
hxxp://countryhome.dmw123.com/y873fhn3iur
hxxp://pyefittedfurniture.co.uk/RSkfsNR7
hxxp://digiviews.co.uk/RSkfsNR7
hxxp://hard-grooves.com/RSkfsNR7
hxxp://hellonwheelsthemovie.com/RSkfsNR7
hxxp://ryterorrephat.info/af/RSkfsNR7
hxxp://rockrak.com/RSkfsNR7
hxxp://viwa.homelinux.com/RSkfsNR7
hxxp://mariamandrioli.com/RSkfsNR7
hxxp://188.8.131.52/RSkfsNR7
hxxp://wilvreeburg.nl/RSkfsNR7
hxxp://9ninewright.net/slehGTexc
hxxp://PamelaSparrowChilds.com/slehGTexc
hxxp://teck.fr/slehGTexc
hxxp://weddingcarsbury.co.uk/slehGTexc
hxxp://a-host.co.uk/slehGTexc
hxxp://ryterorrephat.info/af/slehGTexc
hxxp://adaliyapi.com/slehGTexc
hxxp://121-psychic-reading.co.uk/slehGTexc
hxxp://weddingcarsrochdale.co.uk/slehGTexc
hxxp://2-wave.com/slehGTexc
hxxp://3e.com.pt/slehGTexc
hxxp://4advice-interactive.be/slehGTexc
hxxp://rasbery.co.uk/slehGTexc
hxxp://ahtwindowcleaning.co.uk/slehGTexc
hxxp://robinsonfun.pl/slehGTexc
[1] Fortinet's Kadena Threat Intelligence System (KTIS) is an interactive platform that extracts contextual information from files, URLs, and other artefacts for more accurate malware identification, fast-tracked analysis, detailed analytics, and easier data correlation.