{
	"id": "d4d606e8-63d6-4eed-b489-a4db3289420f",
	"created_at": "2026-04-06T03:37:13.432338Z",
	"updated_at": "2026-04-10T03:21:07.538034Z",
	"deleted_at": null,
	"sha1_hash": "9cb320eb770b3e44efa9d594471be247a89ea2e2",
	"title": "Locky Ransomware: Dridex Actors Get In The Game | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253810,
	"plain_text": "Locky Ransomware: Dridex Actors Get In The Game | Proofpoint US\r\nBy Chris Wakelin, April 06, 2016\r\nPublished: 2016-04-06 · Archived: 2026-04-06 03:20:18 UTC\r\nEarlier this year, Proofpoint researchers discovered Locky ransomware. Most notably, the same actors behind many of the largest Dridex campaigns were involved in distributing Locky, and were doing so at a scale we had previously only associated with the Dridex banking Trojan. In recent weeks we have detected a marked increase in email campaigns attempting to install Locky, culminating on April 7th in the largest single campaign (tens of millions of messages) we have ever observed. This campaign, primarily targeting UK and French organizations, used malicious document attachments and a new malware variant we are calling RockLoader as an intermediary, installing not only Locky but potentially two other pieces of malware as well. In addition to using RockLoader, the threat actors distributing Locky have been using an array of obfuscation techniques and evolving their approaches to evade detection.\r\nOutside of the very large campaign detected on April 7th, the ransomware in many of these campaigns is being installed via JavaScript attachments rather than documents. There are typically no legitimate uses for such attachments, and we recommend blocking the delivery of JavaScript attachments at the email gateway as a best practice. We have also observed the actors behind these campaigns varying their delivery strategies to evade security defenses. For example, we are seeing:\r\n- Increasingly convoluted JavaScript obfuscation\r\n- Additional junk files to help evade detection\r\n- Mangled “Content-Type” headers to help evade detection\r\n- The use of RAR instead of Zip compression for the JavaScript\r\nAs noted above, Proofpoint has also observed the actors using a new malware, which we are calling RockLoader. 
This actor is frequently using it as an intermediate “downloader”. This downloader has been distributed both through JavaScript attachments and malicious documents and, in turn, downloads Locky. It is under active development, and we are observing new features being added frequently. Additionally, on April 6th and 7th, 2016, we spotted this downloader being used to load other malware, including Dridex 220, Pony, and Kegotip.\r\nExample Of A Locky Ransomware Email\r\nOn March 31, 2016, Proofpoint detected a large Locky campaign with RAR or Zip attachments containing JavaScript code which, if opened, would download and install Locky with an Affiliate ID of \"3\" (Proofpoint is currently tracking Locky affiliate IDs 1, 3, 4, 5, 11, 13, 14, and 15). This was one of the first instances of Locky operators compressing JavaScript with RAR; previously they had used only Zip compression. The messages in this campaign had the subjects:\r\n- \"print please\", \"hello print\", or \"hi prnt\" with the attachment \"New Text Document (3).rar\"\r\n- \"Photos\" with the attachment \"Photos.zip\"\r\nhttps://www.proofpoint.com/us/threat-insight/post/dridex-actors-get-in-ransomware-with-locky\r\nPage 1 of 8\r\nFigure 1: Email delivering the zipped JavaScript\r\nJavaScript Obfuscation\r\nJavaScript attachments have been popular with attackers for a while now [1]. The attachments are typically heavily obfuscated; they download and run additional malicious payloads. When the user double-clicks and opens such an attachment, Windows helpfully runs it much like an executable. 
The specific JavaScript that downloads Locky uses obfuscation techniques including character substitution, string concatenation, dead code, integer-to-character conversion, and other tricks.\r\nFigure 2: Example of obfuscated JavaScript code\r\nAdditional Junk Files\r\nAnother technique used by this actor is to sometimes include several malicious JavaScript files together with “junk” files. We have not determined whether this technique is aimed at confusing a particular security product or is simply an attempt to defeat simple detections based on file sizes and hashes. In the screenshot below, the “v1V” file contains only the bytes 0x00 and 0x01. Additionally, it is a hidden file, not visible to the user unless their Folder Options are set to “Show hidden files, folders, and drives”.\r\nFigure 3: Attachment payment_[someone]_720202.zip contains malicious .js files and a junk v1V file\r\nFigure 4: The “v1V” file contains only bytes 0x00 and 0x01\r\nMangled “Content-Type” Headers\r\nOf particular concern, starting on March 23rd, one of the Locky campaigns that used attachments with names such as “ImageNNNNNN.zip” (where NNNNNN are random digits) began sending email with a variety of different Content-Type headers, many of them highly unusual. This is an interesting technique because it aims to confuse email filtering products, attempting to make them skip inspection of such email if the header is deemed junk. If such an email ends up in the user’s inbox, it is then up to the email reader to decide whether to open it. 
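The Content-Type mangling described above, together with the junk members and the RAR-versus-Zip switch noted at the start of the post, all exploit filters that trust what the sender declares. The routine below is an added example written for this page (it is not Proofpoint code and not taken from any gateway product): it sniffs each attachment from its bytes, compares that with the declared Content-Type and the filename extension, and looks inside zip archives for scripts and for members made only of 0x00/0x01 bytes. The sample message, the archive contents and the placeholder PDF are constructed; the script extensions beyond .js and the sets of expected MIME types are my assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Content-Types that plausibly accompany each container (assumption). Anything
# else, e.g. application/x-compress which is really the Unix .Z format, is reported.
EXPECTED_TYPES = {
    'zip': {'application/zip', 'application/x-zip', 'application/x-zip-compressed',
            'application/octet-stream'},
    'rar': {'application/x-rar-compressed', 'application/vnd.rar',
            'application/octet-stream'},
}
SCRIPT_EXTS = ('.js', '.jse', '.wsf', '.vbs')   # .js is from the post; the rest are my addition
DOC_EXTS = ('pdf', 'doc', 'docx', 'jpeg', 'jpg', 'gif', 'tiff')
RAR_MAGIC = bytes([0x52, 0x61, 0x72, 0x21, 0x1a, 0x07])   # 'Rar!' 0x1a 0x07 (RAR4 and RAR5)

def sniff(data):
    'Container type from the bytes themselves, ignoring the declared Content-Type.'
    if zipfile.is_zipfile(io.BytesIO(data)):
        return 'zip'
    if data.startswith(RAR_MAGIC):
        return 'rar'
    return 'unknown'

def triage_attachment(filename, content_type, data):
    'Return the reasons this attachment should be held (empty list = nothing found).'
    findings = []
    name = (filename or '').lower()
    parts = name.split('.')
    ext = parts[-1] if len(parts) > 1 else ''
    kind = sniff(data)
    # 1. declared Content-Type versus the real container
    if kind != 'unknown' and content_type not in EXPECTED_TYPES[kind]:
        findings.append('Content-Type %s does not match %s content' % (content_type, kind))
    # 2. extension versus the real container (RAR named .zip, zip named .docx/.pdf/...)
    if kind != 'unknown' and ext != kind:
        findings.append('%s archive named .%s' % (kind, ext or '(none)'))
    # 3. double extension such as Doc123.pdf.zip, which Explorer shows as Doc123.pdf
    if len(parts) > 2 and parts[-2] in DOC_EXTS:
        findings.append('double extension .%s.%s' % (parts[-2], parts[-1]))
    # 4. bare script attachment, or scripts / junk members inside a zip
    if name.endswith(SCRIPT_EXTS):
        findings.append('script attachment')
    if kind == 'zip':
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(SCRIPT_EXTS):
                    findings.append('script in archive: ' + info.filename)
                member = zf.read(info)
                if member and set(member) <= {0, 1}:
                    findings.append('junk member (only 0x00/0x01 bytes): ' + info.filename)
    return findings

def triage_message(msg):
    'Map each attachment filename to its findings.'
    report = {}
    for part in msg.iter_attachments():
        report[part.get_filename()] = triage_attachment(
            part.get_filename(), part.get_content_type(), part.get_payload(decode=True))
    return report

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, content in members:
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_message():
    'Constructed message (not a real capture) carrying the tricks the post describes.'
    msg = EmailMessage()
    msg['Subject'] = 'print please'
    msg.set_content('Please print the attached.')
    # zipped JavaScript plus a junk member, sent with an odd Content-Type
    msg.add_attachment(make_zip([('(urgent) - 90f0819e.js', b'var a = 1;'),
                                 ('v1V', bytes([0, 1, 0, 1]))]),
                       maintype='application', subtype='x-compress', filename='Image123456.zip')
    # a RAR archive mislabelled as .zip (the signature alone is enough for the sniff)
    msg.add_attachment(RAR_MAGIC + bytes([0x00]) + b'...',
                       maintype='application', subtype='zip', filename='New Text Document (3).zip')
    # double extension hiding a zipped script
    msg.add_attachment(make_zip([('Doc123.js', b'var b = 2;')]),
                       maintype='application', subtype='zip', filename='Doc123.pdf.zip')
    # benign control
    msg.add_attachment(b'%PDF-1.4 constructed placeholder',
                       maintype='application', subtype='pdf', filename='report.pdf')
    return msg

if __name__ == '__main__':
    for fname, findings in triage_message(build_sample_message()).items():
        print(fname, '->', findings or ['clean'])
```

The order of checks matters: sniffing runs first and everything else is compared against the sniffed type, so a part declared as application/x-compress or image/jpeg is still opened as a zip. The same idea applies at the gateway: route every archive-looking part through archive inspection before the Content-Type header is even consulted.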
In our testing with Mail.app and MS Office Outlook 2010, both email clients were able to display the message to the user and open such emails. The Content-Type values observed include:\r\nContent-Type: application/octet-stream\r\nContent-Type: application/x-compress\r\nContent-Type: application/x-compressed\r\nContent-Type: application/x-zip\r\nContent-Type: application/x-zip-compressed\r\nContent-Type: application/zip\r\nUse of Improper File Extensions or Double File Extensions\r\nOn March 29th, the actor attempted to send Zip attachments with improper file extensions: “docx”, “gif”, “jpg”, “pdf”, “rar”, and “tiff”.\r\nOn March 30th, one of the groups sending Locky emails sent “.zip” files that were actually RAR archives (later switched to “.rar”), and sent RAR archives again on April 1st. The other group switched to RAR for one of their campaigns on March 31st but has since reverted to Zip. Presumably, the requirement for additional software such as WinRAR or WinZip to be installed reduces the number of potential victims.\r\nOn March 30th, an actor also attempted to use attachments with double file extensions, including JPEG.zip, doc.zip, pdf.zip, and others. This is an old trick designed to confuse the user, as Windows is usually configured to hide extensions for known file types, making these files appear as “Doc123.pdf” rather than “Doc123.pdf.zip”.\r\nIntermediate Downloader: RockLoader\r\nOn March 28th and again on March 31st, we observed JavaScript attachments downloading a smaller program (36KB in size), which in turn downloaded Locky, instead of downloading the Locky executable directly from the JavaScript. 
Later in the day, the intermediate downloader had been replaced by the actual Locky executable (200KB in size).\r\nInterestingly, the loader first makes a request to bmg.de, but it does nothing with the response and overwrites the buffer in the subsequent POST. The malware is able to issue commands including “getjob”, to which the server may respond with a list of URLs linking to files to download and execute, or with a “task”; “NOTASKS” indicates there are no more files to download. The network communication is encrypted.\r\nFigure 5: Example of network communication\r\nFigure 6: Algorithm used for encrypting the communication\r\nFigure 7: Example decoded network command “getjob” and “UPDATE” command response from server\r\nFigure 8: XOR algorithm used in newer versions to decrypt downloaded executables\r\nThe table below details all of the parameters exchanged between the loader and the C&C server:\r\nParameter - Explanation\r\nID1 - Volume serial number of the C drive, expressed as a 0-padded decimal\r\nID2 - Hardcoded string of 2s\r\nID3 - Random digits\r\nID4 - Encoded form of the Windows version information\r\ntime - Number of seconds since 1970 (Unix epoch time)\r\nresult - Possible value is “DONE”\r\ntask - Possible value is “NOTASKS”, on which the loader deletes itself from disk via a batch script\r\nping - How long to wait before killing a downloaded malware and executing the next downloaded malware (see notes below)\r\ncommand - UPDATE: delete itself from disk via batch script (once the UPDATE command has been processed and the new version of the malware launched); DEL: delete itself from disk via batch script\r\nadd - URLs used as the source of the malware update (or payload)\r\nkey - Provides a string used for XOR decryption of downloaded executables\r\nAnother interesting component is 
the way in which the Windows version is encoded into the ID4 parameter. The first character is 1 for XP, 2 for Vista, 3 for Windows 7, 4 for Windows 8, and 5 for Windows 10. The 4th character is 1 if the OS is 64-bit, 0 otherwise.\r\nEach downloaded binary is given a certain amount of time to run before being killed. That time is derived from the ping command (its argument minus 10 seconds) divided by the number of 'add' URLs specified. Until a response is received from the server, the loader keeps generating requests.\r\nBy default the downloader sleeps two minutes between JSON request attempts while attempting to download the malware. The “ping” command exists to kill off downloaded malware that cannot connect to its (dead) C2, so that the loader can move on to the next URL and try again. The time in minutes specified by the “ping” command is divided by the number of URLs present in the “add” field, to flexibly handle larger numbers of malware URLs while keeping a constraint on the total amount of time required to process the downloads and infections.\r\nRockLoader detects whether it is being run as an administrator and, if not, is capable of bypassing UAC on both 32-bit and 64-bit versions of Windows via the well-known cliconfg.exe / ntwdblib.dll technique. On 64-bit systems, an executable is extracted and run which performs SetWindowsHookEx-based DLL injection into explorer.exe using a DLL contained in the binary’s resources; the injected DLL then triggers the UAC bypass. On 32-bit operating systems, the DLL injection is performed by the same method from the original RockLoader binary itself, with the DLL also embedded directly in the main RockLoader binary.\r\nSince we started writing this blog, the developers of the downloader have already made a number of changes. 
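Before going through those changes, the parameter table and the timing rules above can be exercised end to end with the following added example. It is written for this page and is neither RockLoader code nor anything from Proofpoint: it restates the Appendix B nibble transform as a function and adds its inverse (so test traffic for the EmergingThreats signatures can be produced), decodes ID4, computes the per-payload run budget from ping and add, and turns a decoded response into the actions the loader would take. The beacon and response are constructed; their flat JSON layout, the placeholder example.invalid URLs, and the repeating-key XOR used for the key field are assumptions, since the post names the fields but does not give the exact wire layout or XOR schedule.

```python
import json
import random

WINDOWS_VERSIONS = {'1': 'Windows XP', '2': 'Windows Vista', '3': 'Windows 7',
                    '4': 'Windows 8', '5': 'Windows 10'}

def decode_frame(data):
    'The Appendix B transform as a function: every two wire bytes yield one plaintext byte.'
    n = 0
    while n < len(data) and data[n] == 0x0a:      # leading newlines are skipped
        n += 1
    out = bytearray()
    for i in range(n, len(data) - 1, 2):
        k = (data[i + 1] & 0xf0) >> 4               # key nibble rides in byte 2's high nibble
        out.append((((data[i] & 0x0f) ^ k) << 4) | (data[i + 1] & 0x0f))
    return bytes(out)

def encode_frame(plaintext, seed=0):
    'Inverse of decode_frame (my reconstruction, not code from the loader).'
    rng = random.Random(seed)
    out = bytearray()
    for p in plaintext:
        k = rng.randrange(16)          # per-byte key nibble
        filler = rng.randrange(1, 16)  # high nibble of byte 1 is never read by the decoder;
                                       # keeping it non-zero means no wire byte can be 0x0a,
                                       # which the decoder would strip if it came first
        out.append((filler << 4) | ((p >> 4) ^ k))
        out.append((k << 4) | (p & 0x0f))
    return bytes(out)

def decode_id4(id4):
    'ID4: first character = Windows version, fourth = 64-bit flag; characters 2 and 3 are not described in the post.'
    if len(id4) < 4:
        raise ValueError('ID4 needs at least 4 characters')
    return {'version': WINDOWS_VERSIONS.get(id4[0], 'unknown'), 'x64': id4[3] == '1'}

def per_payload_seconds(ping, add_urls):
    'Run time each downloaded binary gets before being killed: (ping - 10 s) split across the add URLs.'
    return (ping - 10) / len(add_urls) if add_urls else 0

def xor_decrypt(blob, key):
    'Repeating-key XOR. The post only says the key field feeds a simple XOR routine; the schedule is my assumption.'
    kb = key.encode()
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(blob))

def plan_actions(response):
    'Turn one decoded C2 response (field names from the parameter table) into the loader actions the post describes.'
    if response.get('task') == 'NOTASKS':
        return ['delete self via batch script']
    actions = []
    urls = response.get('add', [])
    budget = per_payload_seconds(response.get('ping', 10), urls)
    for url in urls:
        decrypt = ', XOR-decrypt with key' if 'key' in response else ''
        actions.append('download %s%s, run for %gs, then kill' % (url, decrypt, budget))
    cmd = response.get('command')
    if cmd == 'UPDATE':
        actions.append('launch new version, then delete self via batch script')
    elif cmd == 'DEL':
        actions.append('delete self via batch script')
    return actions

def demo():
    'Constructed beacon and response (not captured traffic); the URLs are placeholders.'
    beacon = {'ID1': '0000123456789', 'ID2': '22', 'ID3': '4817', 'ID4': '3001',
              'time': 1459900000, 'command': 'getjob'}
    wire = encode_frame(json.dumps(beacon).encode(), seed=1)
    assert json.loads(decode_frame(wire)) == beacon      # round trip through the wire format
    response = {'command': 'UPDATE', 'ping': 130, 'key': 'k3y',
                'add': ['http://example.invalid/a.exe', 'http://example.invalid/b.exe']}
    return decode_id4(beacon['ID4']), plan_actions(response)

if __name__ == '__main__':
    print(demo())
```

Two points worth noting from running it: the transform gives no confidentiality beyond a per-byte nibble mask that is shipped alongside the data, so a sensor can decode a captured POST without any key material; and the decoder's leading-0x0a skip is an alignment hazard for anyone re-encoding traffic, which is why the encoder never lets the first wire byte be 0x0a.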
The downloader’s runtime API resolution code has been modified to obfuscate the names of the APIs being resolved, using a simple 8-byte XOR algorithm. That same algorithm is also being used to obfuscate an embedded 64-bit UAC bypass executable and a 32-bit UAC bypass DLL, which previously appeared in plain text. Some APIs that were previously static imports, such as ShellExecuteA, are now resolved dynamically. There is also a new JSON field, “key”, used in a simple XOR routine to decrypt the downloaded files.\r\nConclusion\r\nThe rapid evolution of delivery mechanisms and obfuscation techniques, as well as the introduction of a new intermediate downloader, demonstrates that the actors behind a number of recent Locky campaigns are working quickly to bypass detections for this ransomware. As Locky gains both media and industry attention, we can expect the actors to explore additional techniques to make their campaigns more effective.\r\nAppendix A: Select EmergingThreats Signatures\r\n2816861 || ETPRO TROJAN Downloader (observed Locky) Checkin\r\n2816862 || ETPRO TROJAN Downloader Possibly Requesting Locky\r\n2816863 || ETPRO TROJAN Locky downloader Mar 28 2016 checkin response\r\n2816864 || ETPRO TROJAN Locky downloader Mar 28 2016 checkin\r\nAppendix B: Python Decoder for Network Protocol\r\n#!/usr/bin/env python3\r\nimport sys\r\n# Read the captured body as raw bytes; every two wire bytes yield one plaintext byte.\r\ndata = sys.stdin.buffer.read()\r\nout = bytearray()\r\nn = 0\r\nwhile n < len(data) and data[n] == 0x0a:   # skip leading newline bytes\r\n    n += 1\r\nfor i in range(n, len(data) - 1, 2):\r\n    k = (data[i + 1] & 0xf0) >> 4    # key nibble: high nibble of the second byte\r\n    x1 = (data[i] & 0x0f) ^ k        # plaintext high nibble, recovered by XOR with the key\r\n    x2 = data[i + 1] & 0x0f          # plaintext low nibble\r\n    out.append((x1 << 4) | x2)\r\nsys.stdout.buffer.write(bytes(out))\r\nIndicators of Compromise\r\nValue Type Description\r\n5399de40ff93b2887f7944cd13d28bcbe282efc914f97749629cf8b47dd74e73 SHA256 
payment_[name]_720202.zip\r\n4f9ab998e364407d4391f0d08f42c5e2148b247124a24d07dbd08fe385515844 SHA256 payment_[name]_720202/(transactio - c3db2b - copy.js\r\n4f9ab998e364407d4391f0d08f42c5e2148b247124a24d07dbd08fe385515844 SHA256 payment_[name]_720202/(transactio - c3db2b.js\r\nbd0fcafd22daaaada611399ec9cb0839eab427448b3b308734fe9a3469adff5b SHA256 payment_[name]_720202/(urgent) - 90f0819e.js\r\nce749a469a4e99425efd1fb456dd683aa4e90a3b619c841afd6ea45071c1a46c SHA256 payment_[name]_720202/v1V\r\nfc836ad9555604051333c021735346f6a59bb28f21c99d26c2a7e32419a3e8b0 SHA256 Photos.zip\r\n24912bb06c61ce1188bbfab880d7b09d652fe12418744acbf15d3ecc0ce38ab5 SHA256 96142172-2597q-821010.js\r\n5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1 SHA256 RockLoader (original version)\r\na3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae SHA256 RockLoader (original version)\r\ne4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9 SHA256 RockLoader (updated version with “key” parameter)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/dridex-actors-get-in-ransomware-with-locky",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/dridex-actors-get-in-ransomware-with-locky"
	],
	"report_names": [
		"dridex-actors-get-in-ransomware-with-locky"
	],
	"threat_actors": [],
	"ts_created_at": 1775446633,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cb320eb770b3e44efa9d594471be247a89ea2e2.pdf",
		"text": "https://archive.orkl.eu/9cb320eb770b3e44efa9d594471be247a89ea2e2.txt",
		"img": "https://archive.orkl.eu/9cb320eb770b3e44efa9d594471be247a89ea2e2.jpg"
	}
}