Results for Locky

Threat Research

Black Alps 2017 Wrap Up

Black Alps 2017 was an inaugural Cyber Security Conference held last November 13 at Y-Parc, Yverdon-les-Bains, Switzerland. With support from previous cyber security events, such as CyberSec Conference and Application Security Forum - Western Switzerland, there is no doubt that Black Alps 2017 is headed for success. The conference lasted for two days, and aimed to discuss the latest threats, mitigations, and advances in cyber security.

By Rommel Abraham D JovenNovember 22, 2017

Industry Trends

Why ICSA Advanced Threat Defense for Email is So Important

Verizon’s 2017 Data Breach Investigations Report found that two-thirds (66%) of all installed malware that successfully made its way past established defenses were delivered by email.  This is particularly concerning as our weekly FortiGuard Labs Threat Intelligence Brief lists ransomware downloaders –typically delivered via email – as consistently among the top 5 pieces of malware in most weeks. {Update chart and excerpt closer to publication date} The reality is that while brand new attacks like WannaCry and Petya...

By David FingerOctober 27, 2017

Threat Research

Locky Unleashes Multiple Spam Waves with a New Variant “ykcol“

While FortiGuard Labs was preparing for another presentation on our Locky research at the Black Alps cyber security conference this coming November in Switzerland, Fortinet’s Kadena Threat Intelligence System (KTIS)1 caught another Locky variant using a new extension – “ykcol” or “locky” spelled backwards. Locky has been stepping up its game over the past few months after going dark during the first half of 2017. Just like the old days, this new variant is distributed through massive volumes of malicious...

Threat Research

Locky Launches a More Massive Spam Campaign with New “Lukitus” Variant

It has just been a week since the variation of Locky named Diablo6 appeared. Now it has launched another campaign more massive than the previous. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced  Kadena Threat Intelligence System [1](KTIS) Fig. 1 Encrypted files with .lukitus extension Fig. 2 Familiar Locky ransom note Same Locky, More Spam This...

Threat Research

Locky Strikes Another Blow, Diablo6 Variant Starts Spreading Through Spam

A few days ago, while scouring through Fortinet’s Kadena Threat Intelligence System (KTIS), we found an emerging spam campaign. Initially, it was the scale that caught our attention, and then it got a lot more interesting when the payload was found out to be a new variant of the infamous Locky.

Threat Research

A Closer Look at Sage 2.0 Ransomware along with Wise Mitigations

Sage 2.0 is the new kid on an already crowded block of ransomware, demanding hefty ransom of 2.22188 bitcoins (roughly 2000 USD) per infection. We have recently begun seeing this malware being distributed by the same malicious spam campaigns that serve better-known ransomware families, such as Cerber and Locky. In this article we will take a closer look at some notable characteristics of this new threat, and provide some simple ways to mitigate it. Spam Campaign Sage ransomware has been seen spreading through the usual spam email channels...

Threat Research

PC Locker - A New Survey Locker in the Wild

A lot of people, located around the world, have been infected with ransomware - a type of malware that encrypts computer files and demands payment to have them unlocked. Some professionally written ransomware has been so financially successful for their authors, such as Locky and Cerber, that many others have begun to emerge to take a piece of the pie. The researchers of the ART team at Fortinet have recently discovered a new malware. While it still locks the user's computer and demands they follow instructions to have it unlocked, this time...

By Sarah (Qi) Wu and Donna Wang November 14, 2016

Threat Research

Locky Happens: Notorious Ransomware Leaves an Unpleasant Trace

We attended the recent VB 2016 conference to present our findings on the development and evolution of Locky ransomware. In that same presentation we also discussed an automation system designed by Fortiguard to extract its configuration and hunt for new variants. Locky-ly (*wink*), while improving the system we couldn’t help but notice another new variant. Actually, aside from the encrypted file name extension change, there are no major developments from the “.odin” variant in this new variant. However, it appears that criminals...

Threat Research

The Locky Saga Continues: Now Uses .odin as File Extension

As a result of our continuous monitoring of the Locky ransomeware we discovered a new Locky variant. This variant now appends a “.odin” extension to its encrypted files. This is now the third time that the extension has been changed. Aside from this, in this report we will also examine some of its other minor updates. It’s not Odin. It’s Locky      The transition from “.locky” to “.zepto” extension has caused some confusion to the malware research scene. Due to this update,...

Threat Research

We’re Up All Night to Get Locky

VB 2016 Presentation – Oct 5-7, Denver When we first saw and analyzed Locky back in February, we immediately had a hunch that it was the work of seasoned criminals. The tell-tale signs were strong: massive spam runs were used to spread the ransomware, the malware used domain generation algorithm, the HTTP C2 communication was encrypted (the first version, that is), and the ransomware note was multilingual. The conclusion of our first Locky blog reads: “We also predict that Locky ransomware will be a major player in the ransomware...