locky


Black Alps 2017 was an inaugural Cyber Security Conference held last November 13 at Y-Parc, Yverdon-les-Bains, Switzerland. With support from previous cyber security events, such as CyberSec Conference and Application Security Forum - Western Switzerland, there is no doubt that Black Alps 2017 is headed for success. The conference lasted for two days, and aimed to discuss the latest threats, mitigations, and advances in cyber security. [Read More]
by RSS Rommel Abraham D Joven  |  Nov 22, 2017  |  Filed in: Security Research
Verizon’s 2017 Data Breach Investigations Report found that two-thirds (66%) of all installed malware that successfully made its way past established defenses were delivered by email.  This is particularly concerning as our weekly FortiGuard Labs Threat Intelligence Brief lists ransomware downloaders –typically delivered via email – as consistently among the top 5 pieces of malware in most weeks. {Update chart and excerpt closer to publication date} The reality is that while brand new attacks like WannaCry and Petya... [Read More]
by RSS David Finger  |  Oct 27, 2017  |  Filed in: Industry Trends
While FortiGuard Labs was preparing for another presentation on our Locky research at the Black Alps cyber security conference this coming November in Switzerland, Fortinet’s Kadena Threat Intelligence System (KTIS)1 caught another Locky variant using a new extension – “ykcol” or “locky” spelled backwards. Locky has been stepping up its game over the past few months after going dark during the first half of 2017. Just like the old days, this new variant is distributed through massive volumes of malicious... [Read More]
by RSS Floser Bacurio, Joie Salvio, Rommel Joven and Jasper Manuel  |  Sep 21, 2017  |  Filed in: Security Research
It has just been a week since the variation of Locky named Diablo6 appeared. Now it has launched another campaign more massive than the previous. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced  Kadena Threat Intelligence System [1](KTIS) Fig. 1 Encrypted files with .lukitus extension Fig. 2 Familiar Locky ransom note Same Locky, More Spam This... [Read More]
by RSS Joie Salvio, Rommel Joven and Floser Bacurio  |  Aug 17, 2017  |  Filed in: Security Research
We attended the recent VB 2016 conference to present our findings on the development and evolution of Locky ransomware. In that same presentation we also discussed an automation system designed by Fortiguard to extract its configuration and hunt for new variants. Locky-ly (*wink*), while improving the system we couldn’t help but notice another new variant. Actually, aside from the encrypted file name extension change, there are no major developments from the “.odin” variant in this new variant. However, it appears that criminals... [Read More]
by RSS Floser Bacurio Jr. and Joie Salvio  |  Oct 24, 2016  |  Filed in: Security Research
As a result of our continuous monitoring of the Locky ransomeware we discovered a new Locky variant. This variant now appends a “.odin” extension to its encrypted files. This is now the third time that the extension has been changed. Aside from this, in this report we will also examine some of its other minor updates. It’s not Odin. It’s Locky      The transition from “.locky” to “.zepto” extension has caused some confusion to the malware research scene. Due to this update,... [Read More]
by RSS Joie Salvio and Floser Bacurio Jr.  |  Oct 03, 2016  |  Filed in: Security Research
VB 2016 Presentation – Oct 5-7, Denver When we first saw and analyzed Locky back in February, we immediately had a hunch that it was the work of seasoned criminals. The tell-tale signs were strong: massive spam runs were used to spread the ransomware, the malware used domain generation algorithm, the HTTP C2 communication was encrypted (the first version, that is), and the ransomware note was multilingual. The conclusion of our first Locky blog reads: “We also predict that Locky ransomware will be a major player in the ransomware... [Read More]
by RSS Floser Bacurio, Rommel Joven and Roland Dela Paz  |  Sep 30, 2016  |  Filed in: Security Research
Over the last few months we saw that Locky’s loader uses seed parameter to execute properly. This method was probably used to prevent sandboxing, since it will not execute without the correct parameter. Afterwards, we saw Locky shift itself from an EXE to Dynamic Link Library (DLL). We recently encountered yet another Locky development, where binary strains are using the Nullsoft installer package as its loader. In this post we will delve into how to unpack the final binary payload from its Nullsoft package loader. Decompressing Locky’s... [Read More]
by RSS ​​​​​​​Floser Bacurio Jr. and Kenny Yongjian Yang  |  Sep 12, 2016  |  Filed in: Security Research
The last few weeks saw new variants of the Locky ransomware that employs a new anti-sandbox technique. In these new variants, Locky’s loader code uses a seed parameter from its JavaScript downloader in order to decrypt embedded malicious code and execute it properly. For example, the downloaded Locky executable is executed by the JavaScript in the following manner: sample.exe 123 Below is a screenshot of it in action: This new trick may pose challenges for automated Locky tracking systems that utilize sandboxing due to the following... [Read More]
by RSS Floser Bacurio and Roland Dela Paz  |  Jun 30, 2016  |  Filed in: Security Research
FortiGuard Labs uses the data it gathers from its over 2 million security sensors to keep an eye on trends related to ransomware--one of the areas of greatest concern when it comes to cyber security threats today.As a result of this effort, we previously talked about Locky’s rapid rise in prevalence in the first two weeks of its appearance. This time, we have observed yet another new ransomware family – Cerber – to be rapidly gaining prevalence in the wild. We gathered FortiGuard Intrusion Prevention System (IPS) telemetry... [Read More]
by RSS Kenichi Terashita and Roland Dela Paz  |  May 26, 2016  |  Filed in: Security Research