{
	"id": "941fbfcf-2ba9-48e7-b979-3498d9c20166",
	"created_at": "2026-04-06T00:21:46.166241Z",
	"updated_at": "2026-04-10T13:12:00.136941Z",
	"deleted_at": null,
	"sha1_hash": "a99ef6a0d7def47734ab0dc85ad2b0ffbddae6c4",
	"title": "Look Into Locky Ransomware | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 950713,
	"plain_text": "Look Into Locky Ransomware | Malwarebytes Labs\r\nBy hasherezade\r\nPublished: 2016-02-29 · Archived: 2026-04-05 15:15:13 UTC\r\nLocky is a new ransomware that has been released (most probably) by the Dridex gang (source). Not surprisingly, it is well prepared, which means that the threat actor behind it has invested sufficient resources in it, including its mature infrastructure. Let’s take a look.\r\nAnalyzed samples\r\n7a23368ee84781d7584e058a9922f324\r\npayload: 74dde1905eff75cf3328832988a785de \u003c- main focus of this analysis\r\nd9df60c24ceca5c4d623ff48ccd4e9b9\r\ne7aad826559c8448cd8ba9f53f401182\r\nBehavioral analysis\r\nLocky is usually delivered via a downloader in an MS Office document (i.e. DOC) or JavaScript, sent as an e-mail attachment in a phishing campaign. The payload is a 32-bit Windows executable containing the malicious core packed in a crypter/dropper (there are several variants, with various icons).\r\nAfter being deployed it disappears and runs its dropped copy (renamed to svchost.exe) from the %TEMP% folder.\r\nEncryption process\r\nFiles that have been encrypted are fully renamed. The beginning of the name (first 16 characters) is the unique ID of the victim. Then comes the ID of the file and the extension .locky that is typical for this ransomware.\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/\r\nPage 1 of 14\r\nThe encrypted content has a high level of entropy and no patterns are visible.\r\nBelow: visualization of raw bytes of square.bmp. Left: unencrypted, right: encrypted.\r\nAfter executing, Locky displays the ransom note in text and bitmap forms, setting the latter as the affected user’s wallpaper.\r\nThe text is localized to the language detected on the system. The translation looks professional (not machine-translated), which may indicate that the threat actors target multiple countries and prepared this particular detail well. See sample translations (Polish, Spanish) here.\r\nRegistry keys\r\nLooking at the registry we can find that a few elements have been added.\r\nKey in autorun, to start the malware automatically after the system restart:\r\nData specific to the victim – individual ID, public RSA key and text of the ransom note to be displayed:\r\nPublic key stored in the registry:\r\nWebsite for the victim\r\nEach Locky victim has a Web page that can be accessed via Tor. These pages contain further instructions for the victim and support for managing payments.\r\nNetwork communication\r\nLocky communicates with the CnC, but it is difficult to analyze it via simple sniffing tools because the full communication is encrypted:\r\nMore about the protocol can be learned by reading the code…\r\nInside\r\nEvery sample of Locky comes packed in some crypter, so the code is unreadable at first.\r\nHowever, the core itself is not that obfuscated. After unpacking the outer layer of its defense, we can see valid strings and function calls. They give some explanation to the unreadable network capture. The RSA key as well as the ransom note are fetched from the server by an HTTP-based protocol. The current sample comes with a list of 3 IP addresses:\r\n31.41.47.37\r\n188.138.88.184\r\n85.25.138.187\r\nAdditionally it makes use of a DGA – Domain Generation Algorithm (described in more detail here).\r\nCommunication protocol\r\nLocky’s communication protocol is pretty simple: it consists of a POST request with parameters in a typical key=value format. However, as mentioned before, they are not sent in plain text, but wrapped and encrypted. First, the request is prepared and its parameters are filled in. Then its MD5 is calculated. Both elements are concatenated and encrypted together.\r\nExample of wrapped request (before encryption):\r\nSimilarly, when the response comes, first it gets decrypted, then its MD5 is validated – and if it passes the validation, it is parsed.\r\nExample of received response (encrypted):\r\nDecrypting:\r\nThe decrypted response turns out to be an RSA key preceded by its hash:\r\nLocky uses 3 commands (identified by the key act):\r\ngetkey\r\ngettext\r\nstats\r\nWe have explained the actions in further detail below.\r\n[getkey] Initial registration and fetching the RSA key:\r\nid=[16]\u0026act=getkey\u0026affid=1\u0026lang=[2:lang]\u0026corp=[0-1]\u0026serv=[0-1]\u0026os=[Windows name]\u0026sp=[num]\u0026x64=[0-1]\r\nThe unique user ID is a 16-byte-long hexadecimal string, created locally (pseudocode):\r\nwin_dir = GetWindowsDirectory\r\nmount_point_name = GetVolumeNameForVolumeMountPoint(win_dir)\r\nGUID = get\r\nAfter that follows:\r\nLanguage: obtained by the functions GetLocaleInfo and GetUserDefaultUILanguage. System info: fetched by GetVersionEx and GetSystemMetrics(SM_SERVERR2) and translated to the built-in lists. IsWow64Process is used to identify if the system is 64-bit.\r\n[gettext] Fetching the ransom text:\r\nid=[16]\u0026act=gettext\u0026lang=[2:lang]\r\n[stats] Sending statistics about encrypted files:\r\nid=[16]\u0026act=stats\u0026path=[root_path]\u0026encrypted=[num]\u0026failed=[num]\u0026length=[num]\r\nWhat is attacked?\r\nLocky attacks 3 types of local drives: fixed, removable and ramdisks, as well as network resources. Network shares are mapped using WNetAddConnection2.\r\nFor every drive a new encrypting thread is started.\r\nHow does the encryption work?\r\nIn the ransom note the attackers claimed that Locky uses both the RSA and AES algorithms. Looking at the code we can confirm this. Cryptography is implemented using the Windows Crypto API and really uses the mentioned algorithms.\r\nFirst, the RSA key (2048 bit) is fetched from the server and imported:\r\nThe RSA key is used to encrypt the AES keys, which are randomly generated for each file.\r\nBelow – importing a random AES key (128 bit long):\r\nProcessing of the files starts by enumerating them and storing them in a list. Then the encryption proceeds through this list.\r\nEvery thread collects statistics about the encrypted files (i.e. a summary of how many files have been encrypted in a particular path):\r\nStatistics are encrypted and sent to the C\u0026C.\r\nRansom note\r\nAs mentioned before, the ransom note, in the language detected by GetUserDefaultUILanguage, is downloaded from the server.\r\nMost ransomware drops ransom notes in HTML form, and then opens them in a Web browser. Locky does something more interesting: it renders and sets a bitmap as wallpaper.\r\nBitmap rendering:\r\nWallpaper settings are edited via registry keys:\r\nAfter successfully rendering and saving the bitmap, it sets it as the wallpaper using SystemParametersInfo (action 0x14 = SPI_SETDESKWALLPAPER).\r\nConclusion\r\nLocky struck in February but it has already gained popularity. Due to the fact that it is a widespread attack, carried out by the same entities that distribute Dridex, it easily triggered the interest of many researchers. Upon closer inspection, however, we can say that it is not that different from common ransomware. It looks solidly written and well prepared, but it doesn’t show much novelty so far.\r\nAppendix\r\nhttp://community.hpe.com/t5/Security-Research/Feeling-even-Locky-er/ba-p/6834311#.VtyC-M3iuV7 – Locky administration panel\r\nhttp://blog.fortinet.com/post/a-closer-look-at-locky-ransomware-2 – “A Closer Look at Locky Ransomware” by Fortinet\r\nhttps://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky – “Dridex Actors Get In the Ransomware Game With Locky”\r\nhttps://blogs.forcepoint.com/security-labs/locky-ransomware-encrypts-documents-databases-code-bitcoin-wallets-and-more\r\nhttp://phishme.com/locky-a-new-encryption-ransomware-borrowing-ideas-from-the-best/\r\nhttps://www.sensepost.com/blog/2016/understanding-locky/\r\nAbout the author\r\nUnpacks malware with as much joy as a kid unpacking candies.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/"
	],
	"report_names": [
		"look-into-locky"
	],
	"threat_actors": [],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a99ef6a0d7def47734ab0dc85ad2b0ffbddae6c4.pdf",
		"text": "https://archive.orkl.eu/a99ef6a0d7def47734ab0dc85ad2b0ffbddae6c4.txt",
		"img": "https://archive.orkl.eu/a99ef6a0d7def47734ab0dc85ad2b0ffbddae6c4.jpg"
	}
}