{
	"id": "9f9cb26a-fad4-4cdf-be1d-c64e1d0056f1",
	"created_at": "2026-04-06T00:10:38.973749Z",
	"updated_at": "2026-04-10T13:11:39.565919Z",
	"deleted_at": null,
	"sha1_hash": "097f6d7324b68f7f0e098867c256796c7b3454ca",
	"title": "Player 1 Limps Back Into the Ring - Hello again, Locky!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 275858,
	"plain_text": "Player 1 Limps Back Into the Ring - Hello again, Locky!\r\nBy Alexander Chiu\r\nPublished: 2017-06-21 · Archived: 2026-04-05 13:46:12 UTC\r\nWednesday, June 21, 2017 17:00\r\nThis post was authored by Alex Chiu, Warren Mercer, and Jaeson Schultz. Sean Baird and Matthew Molyett contributed to this post.\r\nBack in May, the Necurs spam botnet jettisoned Locky ransomware in favor of the new Jaff ransomware variant. However, earlier this month Kaspersky discovered a vulnerability within Jaff which allowed them to create a decryptor. This turn of events seems to have caused the miscreants behind Necurs to scramble to distribute a different ransomware payload. Falling back on their old tricks, they have chosen to re-distribute Locky ransomware. The malware is being transmitted via email as an .exe file nested inside two compressed .zip archives.\r\nThe Spam Campaign\r\nThe spam that is distributing this ransomware campaign is not significantly different from other ransomware spam campaigns that we have seen from Necurs. Ransomware-oriented spam campaigns from Necurs typically involve order confirmations, payment receipts, business documents, and so on -- all with the common goal of social engineering victims into opening the attachment. The messages Talos observed in this particular campaign are disguised as fake invoices.\r\nhttp://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html\r\nPage 1 of 5\n\nAn example spam message propagating Locky ransomware\r\nThe volume of Locky spam Necurs has sent since the start of this particular campaign is notable. In the first hour of this campaign, Talos observed that Locky spam accounted for up to 7.2% of email volume on one of our systems. 
While the campaign has since decreased in the number of messages being sent per minute, Necurs is still actively sending messages containing Locky, though only in small quantities.\r\nChart illustrating the volume of Locky spam as a percent of the total email volume observed on one of our systems.\r\nLocky's unpacker crashes when trying to execute stack memory on systems more recent than Windows XP.\r\nAnother notable aspect of this latest campaign was the C2 URL structure. Adversaries behind this latest Locky campaign have reused the /checkupdate path as part of the URL structure -- the same URL structure found in previous Locky campaigns. This is perhaps another indication that the adversaries were hasty in developing and distributing this campaign.\r\nThreat Grid sandbox run illustrating Locky C2 communication\r\nConclusion\r\nThis updated version of Locky appears to have been hastily deployed, and as a result it has not affected users running Windows operating systems other than Windows XP. The attackers behind this ransomware are likely already aware of this, so we can expect a fixed version of Locky to appear in a future round of Necurs' ransomware spam.\r\nDespite sounding like a broken record, we at Talos feel it's our duty to reiterate that it's always risky to click on links or open attachments in strange email messages. 
Users that fail to heed this advice can easily become ransomware victims, and if the subsequent ransom is paid, the monies will no doubt fund another round of attacks.\r\nAs always, organizations are encouraged to make regular backups of their data, practice restoring that data, and store the backups offline, far out of the reach of potential criminals.\r\nCoverage\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS, WSA, and Umbrella can help identify hosts that have been compromised by Locky by detecting outbound C2 traffic.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX with Advanced Security can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nStealthwatch detects network scanning activity, network propagation, and connections to CnC infrastructure, correlating this activity to alert administrators.\r\nIOCs\r\nSHA256\r\n49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8\r\n3285c3f37aa192a173f62fee82f7a966a6df6e5db4642d63a6784f39a63012b6\r\nFile Extension for Files Encrypted by Locky\r\n.loptr\r\nHard-coded Locky C2 URL\r\nhxxp://185.115.140[.]170/checkupdate\r\nLocky DGA C2s (20th/21st June - DGA seed 
65123)\r\nSource: http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html"
	],
	"report_names": [
		"necurs-locky-campaign.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434238,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/097f6d7324b68f7f0e098867c256796c7b3454ca.pdf",
		"text": "https://archive.orkl.eu/097f6d7324b68f7f0e098867c256796c7b3454ca.txt",
		"img": "https://archive.orkl.eu/097f6d7324b68f7f0e098867c256796c7b3454ca.jpg"
	}
}