Threat Research

Locky Happens: Notorious Ransomware Leaves an Unpleasant Trace

By Floser Bacurio Jr. and Joie Salvio | October 24, 2016

We attended the recent VB 2016 conference to present our findings on the development and evolution of Locky ransomware. In that same presentation we also discussed an automation system designed by Fortiguard to extract its configuration and hunt for new variants. Locky-ly (*wink*), while improving the system we couldn’t help but notice another new variant.

Actually, aside from the change of encrypted file name extension, this new variant shows no major developments over the “.odin” variant. However, criminals apparently have no boundaries when it comes to being rude, so we still felt compelled to post a short article about it. That being said, given the naming protocol used for previous versions, don’t even think about naming this new variant after its new encrypted file name extension: “.shit”.

Figure 1: Encrypted File uses “.shit” Extension

This variant also takes a taunting approach by using “/linuxsucks.php” as its URL. Aside from this, it has also changed the filename of its ransomware n


Table 1: Ransomware Note Filename Changes

Takeaway

With its continuous development, Locky is now considered one of the top malware families in terms of infection effectiveness. In this regard, Fortiguard will continue to monitor this notorious ransomware family.

On a less serious note, we also realized how indecent these criminals can be.

-=Fortiguard Lion Team=-

IOCs

695e42426d244733310d4782a5b9f2111e7b48504a89d1ea35ff5180c5f30a05 – W32/Filecoder_Locky.C!tr

7ec3e667d3ed388edda5f940dcf9c18395b223dd793c191ee8640ecf3b300da5 - W32/Filecoder_Locky.C!tr

{directory}\_{number}_WHAT_is.html

{Filename(alpha numeric characters)}.shit
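As an added example (not Fortiguard's own tooling, and not the configuration-extraction system mentioned above), the following Python script turns the indicators listed above into a simple hunt: it flags file names matching the new “.shit” extension and the “_{number}_WHAT_is.html” ransom note, compares SHA-256 hashes against the two listed sample hashes, and picks “/linuxsucks.php” callbacks out of proxy log lines. The temporary victim directory, its file names and the proxy log layout (“client method url status”) are constructed for the demo and are assumptions, not data from the original post.

```python
"""Hunt for the Locky ".shit" variant using the IOCs from this post.

Added example, not Fortiguard code. Facts taken from the post:
  * encrypted files are renamed to {alphanumeric}.shit
  * the ransom note is dropped as _{number}_WHAT_is.html
  * the variant calls back to the URL path /linuxsucks.php
  * the two SHA-256 sample hashes in the IOC list
The directory layout, file contents and proxy log format below are
constructed assumptions for demonstration only.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import urlsplit

# SHA-256 hashes of the two samples listed in the IOC section.
KNOWN_SHA256 = {
    "695e42426d244733310d4782a5b9f2111e7b48504a89d1ea35ff5180c5f30a05",
    "7ec3e667d3ed388edda5f940dcf9c18395b223dd793c191ee8640ecf3b300da5",
}

# Encrypted file: alphanumeric stem plus the new ".shit" extension.
ENCRYPTED_RE = re.compile(r"^[A-Za-z0-9]+\.shit$")
# Ransom note: _{number}_WHAT_is.html
NOTE_RE = re.compile(r"^_\d+_WHAT_is\.html$")
# Callback path used by this variant.
CALLBACK_PATH = "/linuxsucks.php"


def classify_name(filename):
    """Return 'encrypted', 'note' or None for a bare file name."""
    if ENCRYPTED_RE.match(filename):
        return "encrypted"
    if NOTE_RE.match(filename):
        return "note"
    return None


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_sample(hexdigest):
    """True if the (lower-case hex) SHA-256 is one of the listed samples."""
    return hexdigest.lower() in KNOWN_SHA256


def scan_tree(root):
    """Walk root and collect encrypted files, ransom notes and known samples."""
    hits = {"encrypted": [], "note": [], "sample": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify_name(name)
            if kind:
                hits[kind].append(full)
            if is_known_sample(sha256_of(full)):
                hits["sample"].append(full)
    return hits


def match_proxy_log(lines):
    """Return (client, url) pairs whose URL path is the variant's callback.

    Assumes a constructed 'client method url status' layout; adapt the
    split to your proxy's real format. Query strings are ignored.
    """
    matches = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, url = parts[0], parts[2]
        if urlsplit(url).path == CALLBACK_PATH:
            matches.append((client, url))
    return matches


# Constructed proxy log lines (documentation-range IPs, not real traffic).
SAMPLE_PROXY_LOG = [
    "10.0.0.7 POST http://203.0.113.5/linuxsucks.php 200",
    "10.0.0.8 GET http://example.com/index.html 200",
    "10.0.0.9 POST http://198.51.100.2/linuxsucks.php?id=1 200",
]


def demo():
    """Build a constructed victim directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("A1B2C3D4E5F6.shit", b"\x00" * 64),
                           ("_1_WHAT_is.html", b"<html>pay up</html>"),
                           ("report.docx", b"clean document")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
    print(match_proxy_log(SAMPLE_PROXY_LOG))
```

The name patterns are deliberately strict (anchored, alphanumeric stem only, as the IOC list states); if your samples show a different stem format, loosen ENCRYPTED_RE rather than matching on the extension alone, since any file ending in “.shit” would otherwise be flagged.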