{
	"id": "4c098786-23b5-4295-b696-c1cd255454cb",
	"created_at": "2026-04-06T00:08:35.74431Z",
	"updated_at": "2026-04-10T03:22:01.14883Z",
	"deleted_at": null,
	"sha1_hash": "443a27e335e802697745c2e55dab029c77d00085",
	"title": "Locky Ransomware switches to the Lukitus extension for Encrypted Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 813518,
	"plain_text": "Locky Ransomware switches to the Lukitus extension for Encrypted\r\nFiles\r\nBy Lawrence Abrams\r\nPublished: 2017-08-16 · Archived: 2026-04-05 15:03:52 UTC\r\nToday a new Locky Ransomware variant was discovered by Rommel Joven that switches to the .lukitus extension for\r\nencrypted files. It is important to note that if you are infected with this ransomware, you are not infected with the Lukitus\r\nRansomware, as some sites may call it. You are instead infected by Locky, which is using the .lukitus extension. There is a\r\ndifference.\r\nAccording to Derek Knight, this variant is currently being distributed via spam emails that have subject lines of \u003c No\r\nSubject \u003e or Emailing - CSI-034183_MB_S_7727518b6bab2, which contain zip or rar attachments with JS files. When\r\nthese JS files are executed, they will download the Locky executable from a remote site.\r\nSpam Email\r\nOnce the file is downloaded and executed, it will scan the computer for files and encrypt them. When this Locky variant\r\nencrypts a file it will modify the file name and then append the .lukitus extension. When renaming the file, it uses the format\r\n[first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-\r\n[4_hexadecimal_chars]-[12_hexadecimal_chars].lukitus. 
\r\nThis means that a file named 1.png would be encrypted and named something like E87091F1-D24A-922B-00F6B112-\r\n72BB7EA6EADF.lukitus.\r\nFiles encrypted with the Lukitus Locky Ransomware Variant\r\nWhen Locky has finished encrypting the computer, it will remove the downloaded executable and then display a ransom\r\nnote that provides information on how to pay the ransom. The names of these ransom notes have changed for this version\r\nto lukitus.htm and lukitus.bmp. \r\nLocky Lukitus Ransom Note\r\nAt the time of this writing, the Locky Decryptor TOR payment site has the ransom set to .49 BTC or approximately $2,000\r\nUSD.\r\nLocky Decryptor Payment Site\r\nIt is not possible to decrypt the Locky Ransomware Lukitus Variant\r\nUnfortunately, at this time it is still not possible to decrypt .lukitus files encrypted by the Locky Ransomware for free.\r\nThe only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies.\r\nThough Locky does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for\r\nwhatever reason. 
Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore\r\nencrypted files from Shadow Volume Copies as well.\r\nFor those who wish to discuss the Locky ransomware or need support, you can use our dedicated Locky Ransomware Help\r\n\u0026 Support Topic.\r\nHow to protect yourself from the Locky Ransomware\r\nIn order to protect yourself from Locky, or from any ransomware, it is important that you use good computing habits and\r\nsecurity software. First and foremost, you should always have a reliable and tested backup of your data that can be restored\r\nin the case of an emergency, such as a ransomware attack.\r\nYou should also have security software that contains behavioral detections such as Emsisoft Anti-Malware or Malwarebytes.\r\nI also recommend trying a dedicated ransomware protection program like RansomFree.\r\nLast, but not least, make sure you practice the following good online security habits, which in many cases are the most\r\nimportant steps of all:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out! Also make sure you update all programs,\r\nespecially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly\r\nexploited by malware distributors. 
Therefore it is important to keep them updated.\r\nMake sure you have some sort of security software installed.\r\nUse hard passwords and never reuse the same password at multiple sites.\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against\r\nRansomware article.\r\nUpdate 8/16/17 7:21 PM - Updated with information about spam distribution.\r\n \r\nIOCs\r\nHash:\r\nSHA256: 29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035\r\nSource: https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/"
	],
	"report_names": [
		"locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434115,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/443a27e335e802697745c2e55dab029c77d00085.pdf",
		"text": "https://archive.orkl.eu/443a27e335e802697745c2e55dab029c77d00085.txt",
		"img": "https://archive.orkl.eu/443a27e335e802697745c2e55dab029c77d00085.jpg"
	}
}