
We’re Up All Night to Get Locky

By Floser Bacurio, Rommel Joven and Roland Dela Paz | September 30, 2016

VB 2016 Presentation – Oct 5-7, Denver

When we first saw and analyzed Locky back in February, we immediately had a hunch that it was the work of seasoned criminals. The tell-tale signs were strong: massive spam runs were used to spread the ransomware, the malware used a domain generation algorithm, the HTTP C2 communication was encrypted (the first version, that is), and the ransomware note was multilingual. The conclusion of our first Locky blog reads:

“We also predict that Locky ransomware will be a major player in the ransomware scene. Fortinet will continue to monitor developments regarding this malware”.

As predicted, Locky has become a major ransomware menace. But as we promised, we’ve also kept an eye on the threat for any developments. To say this has been an easy task would be a lie. But we've come too far to give up what we started, so we’ve decided to raise the bar and share even more information about Locky!

We will be presenting our findings at the upcoming Virus Bulletin 2016 Conference being held in Denver, Colorado on October 5-7. Our presentation is titled “Locky Strike: Smoking the Locky Ransomware Code”, and in it we will share the results of our continuous effort at tracking the Locky ransomware. We will talk about Locky’s prevalence, provide a technical analysis, and review its development timeline. We will also demo our approach to automating Locky intelligence collection, which has enabled us to effectively keep track of Locky’s developments over time. Below is an overview of these developments:

Figure 1. Locky Development Timeline

If you want to know more about Locky, our presentation time slot is Friday, 7 October, 09:30 - 10:00, in the Green room. Are you ready to get Locky? We are. See you there!

-= FortiGuard Lion Team =-

