{
	"id": "fdb31048-4aaf-459c-8d65-19c987509277",
	"created_at": "2026-04-06T00:19:58.973456Z",
	"updated_at": "2026-04-10T03:23:51.922663Z",
	"deleted_at": null,
	"sha1_hash": "25ced4e398091be181086b71954302c0edffba80",
	"title": "Locky: the encryptor taking the world by storm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 714668,
	"plain_text": "Locky: the encryptor taking the world by storm\r\nBy Fedor Sinitsyn\r\nPublished: 2016-04-06 · Archived: 2026-04-05 16:47:46 UTC\r\nIn February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected\r\nby Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the\r\npresent day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries\r\naround the world.\r\nAnalysis of the samples has shown that this Trojan is a brand new ransomware threat, written from scratch. So,\r\nwhat is Locky, and how can we protect against it?\r\nPropagation\r\nIn order to spread the Trojan, cybercriminals sent out mass mailings with malicious loaders attached to spam\r\nmessages.\r\nInitially, the malicious spam messages contained an attached DOC file with a macro that downloaded the Locky\r\nTrojan from a remote server and executed it.\r\nAn early-stage spam message with a malicious document attached\r\nhttps://securelist.com/locky-the-encryptor-taking-the-world-by-storm/74398/\r\nPage 1 of 16\n\nA fragment of the malicious macro\r\nKaspersky Lab products detect files with malicious macros as Trojan-Downloader.MSWord.Agent and\r\nHEUR:Trojan-Downloader.Script.Generic.\r\nWe should note that in modern versions of Microsoft Office, automatic execution of macros is disabled for\r\nsecurity reasons. However, practice shows that users often enable macros manually, even in documents from\r\nunknown sources, which may lead to some damaging consequences.\r\nAt the time of writing, the malicious spam is still being sent, but instead of the DOC files being attached there are\r\nnow ZIP archives containing one or more obfuscated scripts in JavaScript. 
The messages are mostly in English,\r\nthough some bilingual variants have appeared.\r\nSpam message in English with the archive attached\r\nMessage in German and English with the archive attached\r\nThe user is prompted to manually launch the scripts.\r\nContents of the archive attached to the message\r\nFragment of the archived script\r\nWhen launched, the script downloads the Locky Trojan from a remote server and launches it.\r\nKaspersky Lab products detect these script loaders as Trojan-Downloader.JS.Agent and HEUR:Trojan-Downloader.Script.Generic.\r\nGeography of attacks\r\nKaspersky Security Network has reported Locky attacks in 114 countries.\r\nTOP 10 countries\r\nCountry Number of users attacked\r\nFrance 469\r\nGermany 340\r\nIndia 267\r\nUSA 224\r\nRepublic of South Africa 182\r\nItaly 171\r\nMexico 159\r\nBrazil 156\r\nChina 126\r\nVietnam 107\r\nWe should note that these statistics only include cases where the actual Trojan was detected, and do not include\r\nearly-stage detections reported as malicious spam or malicious downloaders.\r\nThe geography of Trojan-Ransom.Win32.Locky attacks (number of attacked users)\r\nAs we can see, the Trojan carries out attacks in practically all regions of the world. We can assume which\r\ncountries the cybercriminals see as their main targets based on the list of languages used on the ransom payment\r\nwebpage (see details below).\r\nHow it works\r\nThe Locky Trojan is an executable file, about 100 KB in size. It is written in C++ using STL, and is compiled in\r\nMicrosoft Visual Studio. 
When launching, it copies itself to %TEMP%\\svchost.exe and deletes the NTFS data\r\nstream Zone.Identifier from its copy – this is done to ensure that when the file is launched, Windows does not\r\ndisplay a notification saying that the file has been downloaded from the Internet and may be potentially\r\ndangerous. The Trojan then launches from %TEMP%.\r\nOnce launched, the Trojan checks for the presence and the contents of the below registry keys.\r\nPath Type Value\r\nHKEY_CURRENT_USER\\Software\\Locky\\id REG_SZ Infection ID\r\nHKEY_CURRENT_USER\\Software\\Locky\\pubkey REG_BINARY Public RSA key in MSBLOB format\r\nHKEY_CURRENT_USER\\Software\\Locky\\paytext REG_BINARY Text shown to the victim\r\nHKEY_CURRENT_USER\\Software\\Locky\\completed REG_DWORD Status (whether encryption is completed)\r\nIf data already exists in the registry keys (this is the case if the Trojan has launched before, but its previous session\r\naborted for some reason), Locky reads that data and continues with the infection process.\r\nIf launched for the first time, the Trojan performs the following actions:\r\n1. Contacts C\u0026C and reports infection;\r\n2. Receives a public RSA-2048 key and infection ID from C\u0026C, saves them in the registry;\r\n3. Sends information about the language of the infected operating system, receives the cybercriminals’\r\nransom demand text that will be shown to the victim, saves the text in the registry;\r\n4. Searches for files with specific extensions on local disk drives, encrypts them;\r\n5. Deletes shadow copies of files;\r\n6. Registers itself for autostart\r\n(HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run);\r\n7. Searches for and encrypts files with specific extensions on network drives and on network file resources\r\nwith no assigned drive letter;\r\n8. 
Displays the cybercriminals’ ransom demands to the victim;\r\n9. Terminates its process and removes itself.\r\nFragment of code that determines the language of the operating system\r\nFile encryption\r\nThe Trojan searches for files matching a given list of extensions. Then, these files are encrypted as described\r\nbelow.\r\nList of file extensions that are subject to encryption\r\nFor each file that matches an extension on the list, the Trojan generates a new 128-bit key and encrypts the file’s\r\ncontents with the algorithm AES-128 in CTR mode. The encrypted file is given the name \u003c16 HEX characters as\r\nID\u003e\u003c16 random HEX characters\u003e.locky. Then the following structure is added to the end of the file:\r\nStructure appended by the Trojan to the end of an encrypted file\r\nIn C language syntax, this structure may be described as follows:\r\nstruct file_data\r\n{\r\nuint32_t start_marker;          //Structure start marker = 0x8956FE93\r\nchar id[16];                    //Infection ID\r\nuint8_t aes_key[256];           //AES key encrypted with RSA-2048\r\nuint32_t name_marker;           //Name start marker encrypted with AES (= 0xD41BA12A after decryption)\r\nuint8_t orig_name[520];         //Original file name encrypted with AES\r\nWIN32_FILE_ATTRIBUTE_DATA attr; //Original file attributes encrypted with AES\r\n};\r\nAppended structure described in C language syntax\r\nRansom demands\r\nAfter encrypting the user’s files, the Trojan displays the following message with the cybercriminals’ ransom\r\ndemands.\r\nRansom demand in English\r\nRansom demand in German\r\nThe ransom message contains the address of the cybercriminals’ ‘secret server’ where they placed 
information\r\nabout the ransom they demand for the decryption program. All four links in the message lead to the same website\r\nin the Tor network.\r\nDuring the early spamming campaigns, the ransom payment page looked like this:\r\nEarly version of Locky’s ransom demand page\r\nOn this page, the cybercriminals suggested that the victims pay in bitcoins to decrypt the affected files on their\r\ncomputer. They also gave recommendations about where and how to get the cryptocurrency.\r\nThe contents and the design of the page changed with time. Today, the page is available in more than 20 languages\r\n(that can be selected from a dropdown list), and looks like this:\r\nLatest version of Locky’s ransom payment page\r\nIf we look at the page’s source code, we will see a complete list of supported languages. The cybercriminals\r\nobviously see the corresponding countries as the main targets for this ransomware Trojan. Interestingly, Russian\r\nand other CIS languages are not on the list. For some reason the cybercriminals are not that keen on targeting\r\nusers in countries where those languages are spoken – something that KSN statistics confirm.\r\nList of languages supported on Locky ransom payment page\r\nCommunication with C\u0026C\r\nThe Trojan’s code contains between one and three C\u0026C IP addresses. On top of that, the code contains an\r\nalgorithm generating new C\u0026C addresses (DGA, domain generation algorithm) depending on the current day,\r\nmonth and year. With this algorithm, six C\u0026C addresses are generated each day. 
Pseudo-code illustrating the Locky DGA is highlighted in the screenshot below.\r\nPseudo-code of Locky C\u0026C domain generation algorithm\r\nCommunication with a C\u0026C is performed using the HTTP protocol. The Trojan sends a POST request to an\r\naddress with the format http://\u003ccnc_url\u003e/main.php; the transmitted data is encrypted with a simple symmetric\r\nalgorithm.\r\nLet’s have a look at the possible types of transmitted parameters.\r\n1. Notification about infection and request for key.\r\nid=\u003cinfection id\u003e\r\n\u0026act=getkey\u0026affid=\u003cpartner id contained in the Trojan’s body\u003e\r\n\u0026lang=\u003clanguage of the operating system\u003e\r\n\u0026corp=\u003cwhether the OS is a corporate OS\u003e\r\n\u0026serv=\u003cwhether the OS is a server OS\u003e\r\n\u0026os=\u003cOS version\u003e\r\n\u0026sp=\u003cversion of OS service pack\u003e\r\n\u0026x64=\u003cwhether the OS is 32- or 64-bit\u003e\r\nJudging by the affid parameter, Locky is distributed via an affiliate, or partnership, program.\r\n2. Sending list of encrypted paths.\r\nid=\u003cinfection id\u003e\r\n\u0026act=report\u0026data=\u003clist of paths\u003e\r\nFor each disk drive it has handled, the Trojan sends the C\u0026C a list of all paths to all encrypted files.\r\n3. Sending statistics for each handled disk drive.\r\nid=\u003cinfection id\u003e\r\n\u0026act=stats\u0026path=\u003cpath\u003e\r\n\u0026encrypted=\u003cnumber of files encrypted\u003e\r\n\u0026failed=\u003cnumber of errors\u003e\r\n\u0026length=\u003ctotal size of encrypted files\u003e\r\nIt should be noted that the cybercriminal collects very detailed statistics for each infection. 
Other ransomware\r\nfamilies that we analyzed earlier were not this thorough at collecting statistics.\r\nCountermeasures\r\nKaspersky Lab products protect against the Locky ransomware Trojan at all stages of the attack:\r\nThe anti-spam module detects emails sent by the Trojan’s distributors;\r\nScript loaders are detected by static and heuristic signatures of email and file antivirus with the verdicts\r\nTrojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic;\r\nThe Trojan’s executable file is detected by file antivirus signatures as Trojan-Ransom.Win32.Locky;\r\nUnknown samples of Locky are proactively detected by the System Watcher module with the verdict\r\nPDM:Trojan.Win32.Generic.\r\nPreventing infections\r\nLocky is a typical ransomware Trojan, and it exhibits no major differences from other ransomware families in its\r\ninternal arrangement or its principles of operation. However, it caught the attention of researchers because it was\r\nso active and so widespread. 
According to KSN data, Kaspersky Lab products have blocked Locky attacks in over\r\n100 countries around the world – no other ransomware Trojan to date has attacked so many countries at once.\r\nTo protect yourself from this ransomware Trojan, follow these preventive measures:\r\nDo not open attachments in emails from senders you don’t know;\r\nBack up your files on a regular basis and store the backup copies on removable storage media or in cloud\r\nstorage – not on your computer;\r\nRegularly run updates for your antivirus databases, operating system and other software installed on your\r\ncomputer;\r\nCreate a separate network folder for each user when managing access to shared network folders.\r\nFor more detailed information about protection from ransomware Trojans, please follow this link.\r\nSource: https://securelist.com/locky-the-encryptor-taking-the-world-by-storm/74398/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/locky-the-encryptor-taking-the-world-by-storm/74398/"
	],
	"report_names": [
		"74398"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434798,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25ced4e398091be181086b71954302c0edffba80.pdf",
		"text": "https://archive.orkl.eu/25ced4e398091be181086b71954302c0edffba80.txt",
		"img": "https://archive.orkl.eu/25ced4e398091be181086b71954302c0edffba80.jpg"
	}
}