{
	"id": "7e3936d1-cf7d-42cd-b03b-d6e239936eea",
	"created_at": "2026-04-06T00:14:32.476694Z",
	"updated_at": "2026-04-10T03:19:57.051034Z",
	"deleted_at": null,
	"sha1_hash": "bc43881f94974c7d820cf5110f0f0ee6092e5679",
	"title": "Japanese Trends in the Aggressive Activity of the \"Locky\" Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 506523,
	"plain_text": "Japanese Trends in the Aggressive Activity of the \"Locky\"\r\nRansomware\r\nBy Kenichi Terashita\r\nPublished: 2016-04-05 · Archived: 2026-04-05 19:32:49 UTC\r\nThe Locky ransomware has shown no signs of slowing down its aggressive activity since it was first observed in\r\nmid-February up to the present, and it has already emerged as this year's major threat. The following report on\r\nLocky trends within Japan is based on information reported to FortiGuard by FortiGate installations around the\r\nworld.\r\nOverview\r\nA detailed analysis of the ransomware itself has already been provided to our readers by our FortiGuard\r\nresearchers. For more details, please see this blog entry. The post starts with a description of general ransomware\r\nbehavior and then summarizes the domain generation algorithm (DGA), command and control, and encryption\r\naspects from a technical perspective.\r\nCommand and Control Communications of the Locky Botnet\r\nAccording to FortiGuard, Locky-related Botnet communications currently have the tenth highest number of\r\ndetections within Japan. This is second only to the famous Zeus malware, which is frequently documented even\r\ntoday, and the CryptoWall malware, which has been investigated and reported on in detail by the Cyber Threat\r\nAlliance:\r\nhttps://www.fortinet.com/blog/threat-research/japanese-trends-in-the-aggressive-activity-of-the-locky-ransomware.html\r\nPage 1 of 5\n\nFigure 1:  Top 10 Botnet observations in Japan during March 2016\r\nThere is another significant reason why this malware cannot be ignored despite its tenth place ranking. As\r\nmentioned in the beginning of this article, Locky is a new type of ransomware which was only documented\r\nstarting in February of this year. 
However, it is already showing a level of activity which rivals Zeus and\r\nCryptoWall.\r\nDownloaders Used by Locky\r\nLet's take a look at what kind of malware is currently trending in Japan based on the anti-virus statistical data.\r\nFigure 2:  Top 5 Malware detections in Japan between January and March 2016\r\nAs this graph clearly demonstrates, the W97M/TrojanDownloader.34B7!tr downloader, which uses a Microsoft\r\nWord macro to download and execute an unauthorized program on the infected computer, accounted for over\r\neighty percent of all downloaders.\r\nIt is known that this malware is used to download the ransomware as part of the Locky infection scheme. In\r\naddition, the rapid expansion in infection activity, which was not apparent in the number of Botnet observations,\r\nwas revealed by this data due to the fact that anti-virus detections began to be confirmed in parallel with the Locky\r\nBotnet activity.\r\nSpread by mail attachment, this malware has already been detected in over one million cases. It is extremely\r\ninteresting to note that although the number of detections in the U.S. is less than ten thousand cases, the activity of\r\nthis malware is targeting Japan in particular. 
In fact, Locky C\u0026C servers are capable of serving the ransomware\r\nnote in Japanese if the victim is identified to be from Japan:\r\nFigure 3:  Locky Ransomware Note in Japanese\r\nFurthermore, JS/Nemucod.GY!tr.dldr, a JavaScript downloader with the fifth highest number of detections, is also\r\nused by Locky.\r\nBecause the downloader itself accounts for most of the detections, we know that the subsequent intrusions by the\r\nunauthorized ransomware downloads are being stopped at the border.\r\nAlthough ransomware related reports seem to be released almost every week by net media sources, it is clear from\r\nthis research that it is already exerting a greater influence within Japan than previously thought.\r\nIt goes without saying that protective measures using security products are needed, but it is imperative that an\r\nadequate backup be created on the off chance that your computer is infected with ransomware and your (or your\r\norganization's) data is held hostage for a ransom. It is also important that the backup data be stored so that it is not\r\nconnected to a network. Any backup data that is stored online can be reached by ransomware.\r\nFortinet Support\r\nAs described above, this blog summarizes Fortinet support issues. Customers who use FortiGuard anti-virus are\r\nautomatically protected from Locky and the malware families that install it. 
Meanwhile, Fortinet customers\r\nare advised to use the Locky.Botnet application control signature to enable protection from this threat.\r\nRelated articles\r\n·       A Closer Look at the Locky Ransomware\r\n·       Statistical Look at CryptoWall, TeslaCrypt, and Locky\r\nInquiries about the contents of this article\r\nFortiGuard Labs in Japan\r\nfortiguard_jp@fortinet.com\r\nKenichi Terashita and the FortiGuard Lion Team\r\nSource: https://www.fortinet.com/blog/threat-research/japanese-trends-in-the-aggressive-activity-of-the-locky-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/japanese-trends-in-the-aggressive-activity-of-the-locky-ransomware.html"
	],
	"report_names": [
		"japanese-trends-in-the-aggressive-activity-of-the-locky-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434472,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc43881f94974c7d820cf5110f0f0ee6092e5679.pdf",
		"text": "https://archive.orkl.eu/bc43881f94974c7d820cf5110f0f0ee6092e5679.txt",
		"img": "https://archive.orkl.eu/bc43881f94974c7d820cf5110f0f0ee6092e5679.jpg"
	}
}