{
	"id": "1739372f-93e9-4ad6-825d-bfc2fbd760eb",
	"created_at": "2026-04-06T00:13:06.376731Z",
	"updated_at": "2026-04-10T03:21:19.65928Z",
	"deleted_at": null,
	"sha1_hash": "62659e3944c98ba3b9ccb99a3db386b76245bed7",
	"title": "Without Necurs, Locky Struggles",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618291,
	"plain_text": "Without Necurs, Locky Struggles\r\nBy Nick Biasini\r\nPublished: 2017-01-18 · Archived: 2026-04-05 23:06:04 UTC\r\nWednesday, January 18, 2017 18:46\r\nThis post authored by Nick Biasini with contributions from Jaeson Schultz\r\nLocky has been a devastating force for the last year in the spam and ransomware landscape. The Locky variant of\r\nransomware has been responsible for huge amounts of spam messages being sent on a daily basis. The main driver\r\nbehind this traffic is the Necurs botnet. This botnet is responsible for the majority of Locky and Dridex activity.\r\nPeriodically Necurs goes offline and during these periods we typically see Locky activity decrease drastically. One\r\nof these periods is currently ongoing.\r\nThe number of active IP addresses on the SpamCop BL illustrates the current lack of Necurs activity\r\nSince late December we haven't seen the typical volume of Locky. However, a couple of days ago we finally\r\nstarted seeing some spam campaigns start delivering Locky again. The key difference here is around volume. We\r\ntypically would see hundreds of thousands of Locky spam, we are currently seeing campaigns with less than a\r\nthousand messages. Talos found a couple of low volume campaigns that are delivering Locky via the typical\r\nmeans of scripting files with a couple of new twists.\r\nCampaign 1 - Double Zipped Locky\r\nhttps://blog.talosintelligence.com/2017/01/locky-struggles.html\r\nPage 1 of 6\n\nSample Email from Locky Campaign\r\nThis was the first campaign we observed several days ago. As you can see there isn't much to the email messages,\r\nno subject or body, just a blank email with an attachment. When the attachment is extracted there is a second zip\r\nfile inside, 71344395.doc.zip, and this zip file uses double extensions in hopes that a user would think it is a doc\r\nfile. Inside of this zip file is another double extension file 71344395.doc.jse. 
This is the malicious JavaScript which\r\npulls the payload leading to Locky. In this particular campaign there are multiple payloads.\r\nContents of JSE File\r\nThis is the JSE file that executes on the end system. It isn't too heavily obfuscated, with several easily identifiable\r\nURLs. The top one highlighted is the actual request that was seen in the network traffic. That GET request was\r\nfollowed by two GET requests for payloads that look almost identical.\r\nGET Requests for Malicious Files\r\nThe GET requests are identical except for the highlighted portion in the images above. This resulted in two\r\npayloads being delivered to the system, the Kovter Trojan and Locky ransomware. Kovter is primarily used in click-fraud campaigns and would continue to operate on the system after the user pays to have their files decrypted.\r\nThis is another good reason that paying the ransom isn't a good idea. In this particular case, if the user chose to pay\r\nthe ransom and get their files back, there is a second malware installation left running on the system.\r\nCampaign 2 - RAR-based Locky\r\nSample Email from Locky Campaign\r\nThis is the second campaign Talos started seeing the following day. This campaign has a little more content, with a\r\nsubject line and body. It poses as a failed transaction, which is common in spam campaigns. This particular\r\ncampaign made use of RAR files instead of the more common zip archives. If the user extracts the archive they find\r\na .js file, doc_details.js.\r\nMalicious JavaScript File\r\nThis looks more like the obfuscated JavaScript we are used to seeing with Locky infections. There are a couple of\r\nother interesting details associated with this campaign.\r\nDridex Look-alike GET Request\r\nFirst is the actual GET request for the Locky instance. 
As you can see above, this URL structure is not typically\r\nwhat you would see with the retrieval of a Locky payload, but instead looks very similar to a request for a Dridex\r\nsample. The second unique aspect is associated with the User Agent (UA) being used. Below is a capture from the\r\nnetwork communication showing a Python UA being used instead of a more traditional UA.\r\nExample of new User Agent\r\nWith both of these campaigns being relatively low volume, these could be one-offs or indicators of changes to\r\ncome to the campaigns in the future.\r\nRegardless of the campaign, the results are the same, with the OSIRIS variant of Locky being delivered onto end\r\nsystems. These are some of the first spam campaigns we have seen delivering Locky since before the Christmas\r\nbreak and could be indicators of things to come. Locky appears to still be distributed through other means, such as\r\nexploit kits, but the spam volume is drastically lower than it was a few short weeks ago.\r\nIOCs\r\nCampaign 1\r\nSubject: \u003cNone\u003e\r\nBody: \u003cNone\u003e\r\nHashes:\r\n20667ee47576765550f9961b87728128c8d9cf88861096c9715c6fce994e347e (JSE File)\r\n3c476dfbe53259830c458cf8b323cc9aeeb3d63d5f88cc2976716beaf24bd07c (Zip File)\r\n2d51e764bf37e2e8c845d980a4d324e8a1406d04a791a57e6082682ce04517db (Zip File)\r\n79ffaa5453500f75abe4ad196100a53dfb5ec5297fc714dd10feb26c4fb086db (Locky)\r\nDomains:\r\nbolayde[.]com\r\ntangopostale[.]com\r\nCampaign 2\r\nSubject: Blocked Transaction. Case No \u003cRandom Number\u003e\r\nHashes:\r\n0822a63725345e6b8921877367e43ee23696d75f712a9c54d5442dbc0d5f2056 (JS File)\r\n55d092af73e5631982da6c165dfa704854b92f74eef0846e4b1aad57d0215251 (Rar File)\r\nec9c06a7cf810b07c342033588d2e7f5741e7acbea5f0c8e7009f6cc7087e1f7 (Locky)\r\nDomains:\r\nunwelcomeaz[.]top\r\nConclusion\r\nIn 2016 the spam landscape was dominated by Locky campaigns sending millions of\r\nmalicious emails. 
There were periods where Necurs went offline and the volume went down. We\r\nare currently in one of the extended breaks, approaching a month with lower spam volume.\r\nDespite that, Locky is still being distributed on a much smaller scale.\r\nThe question is when Necurs will return to full strength, bringing back the staggering amount of spam delivering\r\nnot only Locky but also Dridex and other types of messages. As an example, when Necurs is active we typically\r\nsee approximately 350-400K IPs in our blocklists related to spamming. Those numbers have been closer to 50K, as\r\nis shown in the image at the top of the post. Necurs is responsible for a lot of spam, and if it doesn't return,\r\nsomething else will need to fill that void. Much the same way we saw major exploit kits leave the landscape\r\nin 2016, it's possible we may see the same from spam.\r\nCrimeware is a lucrative endeavor with revenue rapidly approaching a billion dollars annually. This doesn't come\r\nwithout significant risk, and we may be entering a period where adversaries are increasingly cashing out from this\r\nactivity early, to avoid the severe penalties associated with this illegal activity.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella prevents DNS resolution of the domains 
associated with malicious activity.\r\nSource: https://blog.talosintelligence.com/2017/01/locky-struggles.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/01/locky-struggles.html"
	],
	"report_names": [
		"locky-struggles.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/62659e3944c98ba3b9ccb99a3db386b76245bed7.pdf",
		"text": "https://archive.orkl.eu/62659e3944c98ba3b9ccb99a3db386b76245bed7.txt",
		"img": "https://archive.orkl.eu/62659e3944c98ba3b9ccb99a3db386b76245bed7.jpg"
	}
}