FortiGuard Labs Threat Research

Locky Launches a More Massive Spam Campaign with New “Lukitus” Variant

By Joie Salvio, Rommel Joven and Floser Bacurio | August 17, 2017

It has just been a week since the variation of Locky named Diablo6 appeared. Now it has launched another campaign more massive than the previous. This time, it uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. The FortiGuard Lion Team was the first to discover this variant with the help of Fortinet’s advanced  Kadena Threat Intelligence System (KTIS) (1)

Fig. 1 Encrypted files with .lukitus extension

Fig. 2 Familiar Locky ransom note

Same Locky, More Spam

This new campaign has launched over four times the number of email samples, we have collected from different sources, compared to the previously discovered .diablo6 campaign.

Fig. 3 Spam campaign emails of .lukitus variant

This campaign uses the following email subjects and attachment names:



  Attachment Filename




  {17 numbers}.rar

  Voice Message Attached from {11 numbers} –         name unavailable

  {15 numbers}_{7 numbers}_{6 numbers}.rar


As in the previous campaign, the spam emails distributed in this campaign include an attached archive file (zip or rar) that contains a malicious Javascript or VBS script. Once opened, this attachment downloads the Locky payload. The following screenshot taken from KTIS summarizes this attack chain.

Fig. 4 Infection chain of .lukitus variant

In addition, the attack chain shows that some of the compromised download sites used in the previous campaign are still active, and are now  being used to host this new variant.

Interestingly enough, this campaign seems to have been distributed mostly to Austria. In the previous campaign, Austria and the United States were virtually tied for the top spot.

Fig. 5 Spam distribution of .lukitus variant

Other new items observed in this variant include a change in the C&C’s URI from “/checkupdate.php” to “/imageload.cgi,” and it now uses ‘3’ as its affiliate ID. This affiliate has been observed distributing Locky through spam emails containing an attached compressed Javascript or VBS downloader since last year.


  1. FortiMail blocks all spam emails.
  2. FortiGuard Antivirus service detects Locky samples as W32/GenKryptik.APXF!tr.
  3. FortiGuard Webfilter service blocks and tags all download URLs as malicious.
  4. FortiSandbox rates the Locky samples as High Risk.


This is the first massive Locky campaign that we’ve seen in a few months. Combined with the release of a different variants just the week before, this is starting to look like an ominously familiar cycle.

FortiGuard Lion Team will keep everyone posted.

-= FortiGuard Lion Team =-


Locky Hashes:

[1] Fortinet's Kadena Threat Intelligence System (KTIS) is an interactive platform that extracts contextual information from files, URLs, and other artifacts for more accurate malware identification, fast-tracked analysis, detailed analytics, and easier data correlation.


Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.