{
	"id": "3f1d7354-763f-478c-8224-6177cced7c17",
	"created_at": "2026-04-06T00:17:15.084019Z",
	"updated_at": "2026-04-10T03:21:26.951993Z",
	"deleted_at": null,
	"sha1_hash": "d98077242539e0705f34abc318ccaf1931b48518",
	"title": "Locky Ransomware Virus Delivered by Actor Behind Dridex | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490377,
	"plain_text": "Locky Ransomware Virus Delivered by Actor Behind Dridex |\r\nProofpoint US\r\nBy Proofpoint Staff, February 16, 2016\r\nPublished: 2016-02-17 · Archived: 2026-04-05 14:55:27 UTC\r\nLocky Ransomware Overview\r\nProofpoint researchers have discovered a new ransomware named \"Locky\" being distributed via MS Word documents with malicious macros. While a variety of new ransomware has appeared since the end of 2015, Locky ransomware stands out because it is being delivered by the same actor behind many of the Dridex malware campaigns we have tracked over the last year.\r\nLocky Spam Distribution\r\nAs with most malware campaigns this year, actors are distributing Locky ransomware through spam carrying document attachments. In this campaign, messages from random senders with the subject \"ATTN: Invoice J-12345678\" deliver an attachment \"invoice_J-12345678.doc\". The attachments are MS Word documents containing macros which download and install the Locky ransomware, first observed by Proofpoint on February 16, 2016.\r\nThe botnet (a group of infected machines running a spam bot) delivering the spam is the same botnet that distributes the vast majority of messages bearing the Dridex banking Trojan. In the past, this botnet delivered Dridex botnet IDs 120, 122, 123, 220, 223, 301 (among others), as well as some other non-Dridex malware such as Ursnif (for example on 1-5-2016), Nymaim (12-15-2015), TeslaCrypt (12-14-2015), and Shifu (10-07-2015).\r\nhttps://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky\r\nPage 1 of 7\r\nFigure 1: Email lure associated with Locky\r\nThe actors behind the Locky ransomware attack are clearly taking a cue from the Dridex playbook in terms of distribution. Just as Dridex has been pushing the limits of campaign sizes, we are now seeing even higher volumes with Locky, rivaling the largest Dridex campaigns we have observed to date.\r\nCoincidentally, on the same day we tracked the large spam campaign, we also spotted Locky ransomware being distributed in a Neutrino EK thread that usually spreads Necurs. When run on the same virtual machine, the sample from the Neutrino drop and the one from the spam emails generate the same individual ID, point to the same Bitcoin wallet, and appear to use the same infrastructure. This can be explained either by a common actor or, more likely, by distribution in affiliate mode.\r\nFigure 2: Locky being dropped by the Neutrino EK\r\nWhen users open the attached document, they must enable macros to be infected.\r\nFigure 3: Attachment showing macro enabling\r\nLocky Ransomware\r\nThe ransomware encrypts files based on their extension and uses Notepad to display the ransom message (Figure 5). Additionally, it replaces the Desktop background with the ransom message (Figure 4). If the user visits the .onion (or tor2web) links specified in the ransom message, s/he is instructed to buy Bitcoins, send them to a certain Bitcoin address, and then refresh the page to wait for the decryptor download. We have not confirmed whether the decryptor will actually be provided if the user pays.\r\nFigure 4: Desktop background after Locky is installed\r\nFigure 5: Ransom message displayed in Notepad\r\nFigure 6: Decryption website\r\nLocky ransomware encrypts most of the useful file formats on the user's local disk drives; some reports are emerging that Locky also encrypts files on mapped shared drives. The affected file formats are listed below:\r\n.m4u | .m3u | .mid | .wma | .flv | .3g2 | .mkv | .3gp | .mp4 | .mov | .avi | .asf | .mpeg | .vob | .mpg | .wmv | .fla | .swf |\r\n.wav | .mp3 | .qcow2 | .vdi | .vmdk | .vmx | .gpg | .aes | .ARC | .PAQ | .tar.bz2 | .tbk | .bak | .tar | .tgz | .gz | .7z | .rar |\r\n.zip | .djv | .djvu | .svg | .bmp | .png | .gif | .raw | .cgm | .jpeg | .jpg | .tif | .tiff | .NEF | .psd | .cmd | .bat | .sh | .class |\r\n.jar | .java | .rb | .asp | .cs | .brd | .sch | .dch | .dip | .pl | .vbs | .vb | .js | .asm | .pas | .cpp | .php | .ldf | .mdf | .ibd |\r\n.MYI | .MYD | .frm | .odb | .dbf | .db | .mdb | .sql | .SQLITEDB | .SQLITE3 | .asc | .lay6 | .lay | .ms11 (Security copy) | .ms11 |\r\n.sldm | .sldx | .ppsm | .ppsx | .ppam | .docb | .mml | .sxm | .otg | .odg | .uop | .potx | .potm | .pptx |\r\n.pptm | .std | .sxd | .pot | .pps | .sti | .sxi | .otp | .odp | .wb2 | .123 | .wks | .wk1 | .xltx | .xltm | .xlsx | .xlsm | .xlsb | .slk |\r\n.xlw | .xlt | .xlm | .xlc | .dif | .stc | .sxc | .ots | .ods | .hwp | .602 | .dotm | .dotx | .docm | .docx | .DOT | .3dm | .max |\r\n.3ds | .xml | .txt | .CSV | .uot | .RTF | .pdf | .XLS | .PPT | .stw | .sxw | .ott | .odt | .DOC | .pem | .p12 | .csr | .crt | .key\r\nLocky also appears to generate DGA traffic for command and control (the domains listed below were unregistered at the time of investigation):\r\nvkrdbsrqpi[.]de\r\njaomjlyvwxgdt[.]fr\r\nwpogw[.]it\r\nofhhoowfmnuihyd[.]ru\r\nWe detected several filesystem IOCs (files, registry keys used for persistence, etc.):\r\nRegistry: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Locky\r\nRegistry: HKCU\\Software\\Locky\\id\r\nRegistry: HKCU\\Software\\Locky\\pubkey\r\nRegistry: HKCU\\Software\\Locky\\paytext\r\nFile: C:\\Users\\(username)\\AppData\\Local\\Temp\\ladybi.exe\r\nFile: C:\\Users\\(username)\\Documents\\_Locky_recover_instructions.txt\r\nCommand: vssadmin.exe Delete Shadows /All /Quiet\r\nCommand: \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Admin\\Desktop\\_Locky_recover_instructions.txt\r\nAs both endpoint and network protection measures become increasingly capable of handling the ransomware that made headlines in the last couple of years (CryptoLocker, CryptoWall, etc.), new variants and strains will continue to emerge. Check back later this week for a complete rundown of several new ransomware strains that are making the rounds in the wild.\r\nLocky Malware IOCs\r\nSample hashes\r\ne95cde1e6fa2ce300bf778f3e9f17dfc6a3e499cb0081070ef5d3d15507f367b (Neutrino EK)\r\n5466fb6309bfe0bbbb109af3ccfa0c67305c3464b0fdffcec6eda7fcb774757e (attachment)\r\nFilesystem IOCs (files, registry keys used for persistence, etc.):\r\nRegistry: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Locky\r\nRegistry: HKCU\\Software\\Locky\\id\r\nRegistry: HKCU\\Software\\Locky\\pubkey\r\nRegistry: HKCU\\Software\\Locky\\paytext\r\nFile: C:\\Users\\(username)\\AppData\\Local\\Temp\\ladybi.exe\r\nFile: C:\\Users\\(username)\\Documents\\_Locky_recover_instructions.txt\r\nCommand: vssadmin.exe Delete Shadows /All /Quiet\r\nCommand: \"C:\\Windows\\system32\\NOTEPAD.EXE\" C:\\Users\\Admin\\Desktop\\_Locky_recover_instructions.txt\r\nPayloads downloaded by macro:\r\nLocky C2:\r\nPayment URIs (Locky asks the user to click these links):\r\n[hxxp://6dtxgqam4crv6rr6.tor2web[.]org]\r\n[hxxp://6dtxgqam4crv6rr6.onion[.]to]\r\n[hxxp://6dtxgqam4crv6rr6.onion[.]cab]\r\n[hxxp://6dtxgqam4crv6rr6.onion[.]link]\r\n[hxxps://6dtxgqam4crv6rr6[.]onion]\r\nSource: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky"
	],
	"report_names": [
		"Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky"
	],
	"threat_actors": [],
	"ts_created_at": 1775434635,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d98077242539e0705f34abc318ccaf1931b48518.pdf",
		"text": "https://archive.orkl.eu/d98077242539e0705f34abc318ccaf1931b48518.txt",
		"img": "https://archive.orkl.eu/d98077242539e0705f34abc318ccaf1931b48518.jpg"
	}
}