{
	"id": "323bfd4d-54fd-40e2-9c25-e65ba7acf467",
	"created_at": "2026-04-06T00:09:01.038447Z",
	"updated_at": "2026-04-10T13:13:06.816287Z",
	"deleted_at": null,
	"sha1_hash": "c61fb849b3056759bc604ae5cccbd2c791034e17",
	"title": "Locky (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93002,
	"plain_text": "Locky (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:36:04 UTC\r\nLocky is a high-profile ransomware family that first appeared in early 2016 and was observed being active until the end of 2017. It encrypts files on the victim system and demands a ransom to get the original files back. Its first version added a .locky extension to the encrypted files; more recent versions added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.\r\n2021-10-05 ⋅ Trend Micro ⋅ Byron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana\r\nRansomware as a Service: Enabler of Widespread Attacks\r\nCerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk\r\n2020-08-20 ⋅ CERT-FR ⋅ CERT-FR\r\nDevelopment of the Activity of the TA505 Cybercriminal Group\r\nAndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot\r\n2020-07-29 ⋅ ESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor\r\n2020-06-22 ⋅ CERT-FR ⋅ CERT-FR\r\nÉvolution De L'activité du Groupe Cybercriminel TA505\r\nAmadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot\r\n2020-05-21 ⋅ Intel 471 ⋅ Intel 471\r\nA brief history of TA505\r\nAndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot\r\n2020-05-18 ⋅ Threatpost ⋅ Tara Seals\r\nRansomware Gang Arrested for Spreading Locky to Hospitals\r\nLocky\r\n2020-02-10 ⋅ viXra ⋅ Jason Reaves\r\nA Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach\r\nLocky\r\n2019-09-09 ⋅ McAfee ⋅ Chintan Shah, Marc Rivero López, Thomas Roccia\r\nEvolution of Malware Sandbox Evasion Tactics – A Retrospective Study\r\nCutwail Dridex Dyre Kovter Locky Phorpiex Simda\r\n2019-07-30 ⋅ Dissecting Malware ⋅ Marius Genheimer\r\nPicking Locky\r\nLocky\r\n2019-06-12 ⋅ Gdata ⋅ Karsten Hahn\r\nRansomware identification for the judicious analyst\r\nCerber Cryptowall CryptoFortress Locky PadCrypt Spora VirLock\r\n2018-07-26 ⋅ IEEE Symposium on Security and Privacy (SP) ⋅ Alex C. Snoeren, Damon McCoy, Danny Yuxing Huang, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Kylie McRoberts, Luca Invernizzi, Maxwell Matthaios Aliapoulios, Vector Guo Li\r\nTracking Ransomware End-to-end\r\nCerber Locky WannaCryptor\r\n2018-03-20 ⋅ Stormshield ⋅ Mehdi Talbi\r\nDe-obfuscating Jump Chains with Binary Ninja\r\nLocky\r\n2017-11-07 ⋅ ThreatVector ⋅ Cylance Threat Research Team\r\nLocky Ransomware\r\nLocky\r\n2017-08-20 ⋅ MyOnlineSecurity ⋅ MyOnlineSecurity\r\nreturn of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload\r\nCold$eal Locky\r\n2017-08-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nLocky Ransomware switches to the Lukitus extension for Encrypted Files\r\nLocky\r\n2017-08-10 ⋅ botfrei Blog ⋅ Tom Berchem\r\nWeltweite Spamwelle verbreitet teuflische Variante des Locky\r\nLocky\r\n2017-07-18 ⋅ Elastic ⋅ Ashkan Hosseini\r\nTen process injection techniques: A technical survey of common and trending process injection techniques\r\nCryakl CyberGate Dridex FinFisher RAT Locky\r\n2017-06-22 ⋅ Bleeping Computer ⋅ Catalin Cimpanu\r\nLocky Ransomware Returns, but Targets Only Windows XP \u0026 Vista\r\nLocky\r\n2017-06-21 ⋅ Cisco ⋅ Alex Chiu, Jaeson Schultz, Matthew Molyett, Sean Baird, Warren Mercer\r\nPlayer 1 Limps Back Into the Ring - Hello again, Locky!\r\nLocky\r\n2017-01-31 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nLocky Bart ransomware and backend server analysis\r\nLocky\r\n2016-07-07 ⋅ Pierluigi Paganini\r\nNew threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.\r\nLocky\r\n2016-03-01 ⋅ Malwarebytes ⋅ hasherezade\r\nLook Into Locky Ransomware\r\nLocky\r\n[TLP:WHITE] win_locky_auto (20241030 | Detects win.locky.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.locky",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.locky"
	],
	"report_names": [
		"win.locky"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence"
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c61fb849b3056759bc604ae5cccbd2c791034e17.pdf",
		"text": "https://archive.orkl.eu/c61fb849b3056759bc604ae5cccbd2c791034e17.txt",
		"img": "https://archive.orkl.eu/c61fb849b3056759bc604ae5cccbd2c791034e17.jpg"
	}
}