{"id":2446,"date":"2024-09-25T18:15:52","date_gmt":"2024-09-25T18:15:52","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2446"},"modified":"2025-07-29T03:44:21","modified_gmt":"2025-07-29T03:44:21","slug":"locky-emerges-out-of-hibernation-hits-20-million-mailboxes","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/locky-emerges-out-of-hibernation-hits-20-million-mailboxes\/","title":{"rendered":"Locky emerges out of hibernation, hits 20 million mailboxes"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Version:1.0 StartHTML:000000289 EndHTML:000019321 StartFragment:000007098 EndFragment:000019253 StartSelection:000007098 EndSelection:000019249 SourceURL:https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=71&url=Locky%20emerges%20out%20of%20hibernation,%20hits%2020%20million%20mailboxes LMNTRIX Labs LMNTRIX Labs<\/p>\n\n\n\n

After disappearing for months, Locky ransomware is back\u2026 and in force. The strain first made headlines in February 2016 when a US medical centre paid a US$17,000<\/a> bitcoin ransom to retrieve patient data \u2013 operators said paying the ransom was the quickest way to resume caring for patients.  

In this latest campaign, Locky is primarily being distributed via email as a word document invoice. In just one day last month, more than 20 million phishing emails<\/a> suddenly appeared, flooding inboxes with the ransomware. 

Delivery: <\/strong>The following table shows a list of malicious domains from which the Locky ransomware has been downloaded: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 Malicious domain which downloads Locky ransomware<\/em>

Security researchers have observed a number of distribution methods, the most popular of which has been an email phishing campaign:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 Malicious Email Attachment<\/em>

This email attachment contains a zip file in which a Visual Basic Script (VBS) file is hidden. Once clicked, the victim downloads the latest Locky ransomware. The actual contact point for downloading the latest Locky sample is greatesthits(.)mygoldmusic(.)com \u2013 a known malware site, as shown below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 VT hits for malicious domain<\/em>

Further analysis on the same domain shows it is linked to at least half a dozen malware samples:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4 Latest Locky samples from greatesthits mygold music (malicious domain)<\/em>

In addition to the malicious Word document, we have also seen a fake Dropbox account verification email used to distribute the malware. Upon clicking the link, the victim is directed to a spoofed Dropbox page. The user is told their account cannot be verified:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5 Fake Dropbox page<\/em>

Below are the Virus Total hits for the fake Dropbox URL:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6 Fake Dropbox url (VT hits for malicious url)<\/em>

The user is then told to download a javascript file. If the user opens this js file, their machine is locked with Locky ransomware.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 7 Downloading file<\/em>

Infection \u2013 Behavioural Analysis:<\/strong>

MD5: 6480fc6b8c2d76965520d5184b5190a1

File type\/size: VBS file\/43 KB.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This script drops the ransomware and associated files: C44DEDDA.exe, csrss.exe, 814C2B0A.exe, 0208oi[1].exe and rad8D858.tmp. We then executed these files in our controlled environment:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 8 Execution of malicious files<\/em>

All these files seek open ports and create new run entries:<\/p>\n\n\n\n

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “Client Server Runtime Subsystem”
        Type: REG_SZ
        Data: “C:\\Documents and Settings\\All Users\\Application Data\\Windows\\csrss.exe”
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run “CSRSS”
        Type: REG_SZ
        Data: “C:\\Documents and Settings\\All Users\\Application Data\\Drivers\\csrss.exe”
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run “NetworkSubsystem”
        Type: REG_SZ
        Data: “C:\\Documents and Settings\\All Users\\Application Data\\Csrss\\csrss.exe”
These new run entries allow Locky to keep persistence as each is copied into a separate location under the file name csrss.exe.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 9 csrss.exe created in %appdata% location<\/em>

In the memory strings, we found the following router list details:

\u2022    router_purpose_to_string

\u2022    router_get_all_orports

\u2022    D27178388FA75B96D37FA36E0B015227DDDBDA51

\u2022    B59F6E99C575113650C99F1C425BA7B20A8C071D

\u2022    A61682F34B9BB9694AC98491FE1ABBFE61923941

\u2022    9DCD8E3F1DD1597E2AD476BBA28A1A89F3095227

\u2022    9904B52336713A5ADCB13E4FB14DC919E0D45571

\u2022    98CC82342DE8D298CF99D3F1A396475901E0D38E

\u2022    87326329007AF781F587AF5B594E540B2B6C7630

\u2022    57B85409891D3FB32137F642FDEDF8B7F8CDFDCD

\u2022    0E7E9C07F0969D0468AD741E172A6109DC289F3C

\u2022    09CD84F751FD6E955E0F8ADB497D5401470D697E

\u2022    download_status_reset_by_sk_in_cl

\u2022    routerlist.c

\u2022    dlstatus

\u2022    download_status_is_ready_by_sk_in_cl

\u2022    certs_out

\u2022    authority_cert_get_all

\u2022    fp-sk\/

A static search of the memory strings found there is already information on github (https:\/\/github.com\/kaist-ina\/SGX-Tor\/blob\/master\/Enclave\/TorSGX\/routerlist.c) which maintains a global list of router information for known servers. 

\u2022    $F397038ADC51336135E7B80BD99CA3844360292B~F397038ADC51336135E at 76.73.17.194

\u2022    C:\\Documents and Settings\\Application Data\\tor

\u2022    C:\\Documents and Settings\\Application Data\\tor\\torrc

\u2022    C:\\Documents and Settings\\Application Data\\tor\\torrc-defaults

\u2022    WARN BOOTSTRAP PROGRESS=5 TAG=conn_dir SUMMARY=”Connecting to directory server” WARNING=”No route to host [WSAEHOSTUNREACH ]” REASON=NOROUTE COUNT=3 RECOMMENDATION=warn

\u2022    Windows XP

\u2022    F397038ADC51336135E7B80BD99CA3844360292B

The above global router information shows the application path and connection information for the available directory server. These can be exploited in the ransomware payload to make successful TOR connections.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 10 after infection of Locky ransomware<\/em>

After successful infection, the victim\u2019s desktop wallpaper is changed to a Locky ransomware message. It asks the victim to open one of a dozen readme files. These can be found on the desktop and in the C: folder:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 11 Readme files and crypted file<\/em>

Below is the ransom note victims see:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Threat Indicators \u2013 IOC details:

Fake Dropbox URL:<\/strong>

hxxp:\/\/busad(.)com\/dropbox.html

hxxp:\/\/autoecoledufrene(.)com\/dropbox.html

hxxp:\/\/autoecoleboisdesroches(.)com\/dropbox.html

hxxp:\/\/tasgetiren(.)com\/dropbox.html

hxxp:\/\/potamitis(.)gr\/dropbox.html

hxxp:\/\/jaysonmorrison(.)com\/dropbox.html

hxxp:\/\/arthurdenniswilliams(.)com\/dropbox.html

hxxp:\/\/gruporoados(.)com\/dropbox.html

hxxp:\/\/patrickreeves(.)com\/dropbox.html

hxxp:\/\/eifel-netz(.)de\/dropbox.html

hxxp:\/\/albion-cx22(.)co.uk\/dropbox.html

hxxp:\/\/jakuboweb(.)com\/dropbox.html

hxxp:\/\/flooringforyou(.)co.uk\/dropbox.html

hxxp:\/\/binarycousins(.)com\/dropbox.html

hxxp:\/\/dar-alataa(.)com\/dropbox.html

hxxp:\/\/gestionale-orbit(.)it\/dropbox.html

hxxp:\/\/aegelle(.)com\/dropbox.html

hxxp:\/\/griffithphoto(.)com\/dropbox.html

hxxp:\/\/fachwerkhaus(.)ws\/dropbox.html

hxxp:\/\/melting-potes(.)com\/dropbox.html

hxxp:\/\/willemshoeck.nl\/dropbox.html

hxxp:\/\/benjamindiggles(.)com\/dropbox.html

hxxp:\/\/avtokhim(.)ru\/dropbox.html

hxxp:\/\/autoecoleathena(.)com\/dropbox.html

hxxp:\/\/bayimpex(.)be\/dropbox.html

IP addresses:<\/strong>

176(.)56(.)58(.)114

185(.)18(.)197(.)109

173(.)192(.)66(.)137

203(.)183(.)65(.)225

194(.)173(.)175(.)16

62(.)4(.)8(.)233

67(.)19(.)68(.)83

47(.)89(.)249(.)74 

199(.)30(.)241(.)139

202(.)237(.)149(.)19

66(.)84(.)8(.)235

83(.)169(.)22(.)79

91(.)121(.)111(.)185                    

91(.)209(.)7(.)116

91(.)234(.)195(.)48

Locky download and related URL:<\/strong>

gbass(.)ch\/tJHGskdioj                                                

garage-fiat(.)be\/tJHGskdioj                                                

futurehemp(.)com\/tJHGskdioj                                                

furukawa-iin(.)net\/tJHGskdioj                                               

freevillemusic(.)com\/tJHGskdioj

vinneydropmodorfosius(.)net\/af\/tJHGskdioj                                               

hightechavenue(.)com\/tJHGskdioj                          

greatesthits.mygoldmusic(.)com\/tJHGskdioj                                                

graficasicarpearanjuez(.)com\/tJHGskdioj                                                

goldenspikerails(.)net\/tJHGskdioj                                                

hecam(.)de\/tJHGskdioj                                                

hdvmedia(.)nl\/tJHGskdioj                                                

go-coo(.)jp\/tJHGskdioj                                                

gewinnspiel-sachsenhausen(.)de\/tJHGskdioj                                               

gestione.easyreplica(.)com\/tJHGskdioj                                               

Pattern of php files in malicious URL:<\/strong>

Regex for the php file: \\\/w\\\/[0-9a-z]{4}\\.php

konferencjaora[.]pl\/w\/523f.php

autonikos[.]pl\/w\/6dty.php

oxfordschoolkotputli[.]com\/w\/vait.php

j3[.]rodolfogn[.]com\/w\/qn0b.php

martinagebhardt[.]hu\/w\/uol4.php

Ransom note:<\/strong>

To decrypt the files you should send the following code: 647698A1C322BA348201|801|6|2

Email: <\/strong>Novikov(.)Vavila(at)gmail(.)com

Tor addresses in the ransom note:<\/strong>

hxxp:\/\/cryptsen7fo43rr6(.)onion\/

hxxp:\/\/cryptsen7fo43rr6(.)onion.to\/

hxxp:\/\/cryptsen7fo43rr6(.)onion(.)cab\/

Extension: <\/strong>647698A1C322BA348201.crypted000007

Conclusion:<\/strong> As long as Locky continues to successfully encrypt victim machines, it will continue resurfacing. We recommend users apply the IOC details as alerts, in order to block the infection methods (in this case, the malicious zip file and fake Dropbox links used to distribute Locky). 

As always, exercise caution when receiving emails with attachments from unknown users. Finally, updated anti-malware with anti-ransomware modules can help protect against ransomware attacks.

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Version:1.0 StartHTML:000000289 EndHTML:000019321 StartFragment:000007098 EndFragment:000019253 StartSelection:000007098 EndSelection:000019249 SourceURL:https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=71&url=Locky%20emerges%20out%20of%20hibernation,%20hits%2020%20million%20mailboxes LMNTRIX Labs LMNTRIX Labs After disappearing for months, Locky ransomware is back… and in force. The strain first made headlines in February 2016 when a US medical centre paid a US$17,000 bitcoin ransom to retrieve patient data – operators said paying the ransom was the quickest way […]<\/p>\n","protected":false},"author":1,"featured_media":2464,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2446"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2446\/revisions"}],"predecessor-version":[{"id":4258,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2446\/revisions\/4258"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2464"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}