{
	"id": "efaa5744-745c-406b-b444-cc4978994924",
	"created_at": "2026-04-06T00:09:47.50467Z",
	"updated_at": "2026-04-10T03:21:45.586473Z",
	"deleted_at": null,
	"sha1_hash": "de0f05ecb57edb51e61f5d39b8dc7a8e3f8db829",
	"title": "Locky Ransomware Returns, but Targets Only Windows XP \u0026 Vista",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1014243,
	"plain_text": "Locky Ransomware Returns, but Targets Only Windows XP \u0026 Vista\r\nBy Catalin Cimpanu\r\nPublished: 2017-06-22 · Archived: 2026-04-05 17:09:11 UTC\r\nThe Locky ransomware is back, spreading via a massive wave of spam emails distributed by the Necurs botnet, but the campaign appears to be a half-baked effort because the ransomware is not able to encrypt files on modern Windows OS versions, locking files only on older Windows XP \u0026 Vista machines.\r\nLocky's return to action is surprising but makes perfect sense. There have been numerous clues hinting that the same group behind the Necurs botnet was also behind the Locky ransomware, and more recently, the Jaff ransomware, which many have considered Locky's successor.\r\nAs Necurs slowly switched to Jaff, the Necurs group stopped spreading Locky spam in May, most likely preferring the newer Jaff ransomware over the older Locky.\r\nhttps://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/\r\nPage 1 of 7\r\nLocky's return may be tied to Jaff's fall\r\nThe Necurs group's long-term plan was foiled last week after security researchers from Kaspersky Labs found a flaw in Jaff's encryption routine and created a free utility to help infected victims recover their files without paying the ransom.\r\nThis was unexpected, as researchers were never able to crack Locky's encryption method, and many thought Jaff to be just as tough, if not harder.\r\nKaspersky's feat appears to have taken the Necurs group by surprise as well. As soon as the free decrypter was made available, Jaff spam went down, and beginning yesterday, the Necurs group started distributing Locky once more. This switch most likely happened because Locky's encryption was never cracked, so its operators have a better chance of extorting ransom from infected hosts.\r\nWindows DEP security feature mitigates new Locky variant\r\nThe new spam waves were detected by a large number of security researchers. All reported that they had trouble infecting themselves on their test machines.\r\nIt was Cisco's Talos division that discovered why. According to the company's experts, the Locky authors rushed to replace the decrypted Jaff version with Locky and made several errors in their deployment.\r\n\"Upon further investigation, we determined that on systems running Windows 7 or later with Data Execution Prevention (DEP) would cause the unpacker to fail,\" said Cisco Talos experts. This means that only older OS versions such as XP and Vista are affected.\r\nIn their rush, the Locky authors most likely didn't notice this bug, as they put considerable resources into the ransomware's distribution, something they might not have done had they known it was ineffective.\r\nLocky spam accounted for 7.2% of all email spam\r\nCisco says spam for this new Locky variant accounted for nearly 7.2% of the Internet's entire email spam traffic. That's an insanely massive spam wave for a ransomware that only targets less than 10% of the entire Windows userbase.\r\nNecurs spam wave distributing new Locky version [Source: Cisco Talos]\r\nFurthermore, this Locky version comes with minimal changes from the version researchers spotted the last time, in May. This Locky variant still uses the LOPTR extension at the end of encrypted files, and the same URL structure for C\u0026C servers. This confirms the theory that the Necurs operators rushed to deploy Locky after Kaspersky published the Jaff decrypter.\r\nLocky's new tactics\r\nBut there are also new wrinkles in this new Locky spam wave. Vitaly Kremez, Flashpoint Director of Research, discovered that Locky uses a new method of launching the infected binary on targeted hosts.\r\nIn addition, the Locky spam emails use new texts for the email subjects and body content, although they still pretend to be invoices, payment receipts, order confirmations, and so on.\r\nThese emails also packed file attachments differently, utilizing a double-nested ZIP structure. The emails Bleeping Computer analyzed deliver a ZIP file with names in the format of eight random digits (e.g.: 38017832.zip). This initial ZIP file contains another ZIP file, which in turn contains an EXE file that runs Locky when executed.\r\nEmails spreading new Locky version\r\nContent of second ZIP file delivered via recent Locky spam\r\nLast but not least, this Locky version also added some anti-debugging protections that prevent the ransomware from running in virtual machines and other debug environments, which explains why researchers had a hard time analyzing it for the first few hours.\r\nOverall, this particular Locky spam run seems to be a rushed effort, but we can expect the ransomware's operators to correct their flaws and start delivering a fixed version in the following days.\r\nBelow are other indicators of compromise for this latest Locky variant.\r\nHash:\r\n49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8\r\nExtension:\r\n.loptr\r\nRansom note:\r\nloptr-[random_4_chars].htm\r\nRansom Note:\r\n-+ _-$ .= *$_\r\n !!! IMPORTANT INFORMATION !!!!\r\nAll of your files are encrypted with RSA-2048 and AES-128 ciphers.\r\nMore information about the RSA and AES can be found here:\r\n http://en.wikipedia.org/wiki/RSA_(cryptosystem)\r\nhttp://en.wikipedia.org/wiki/Advanced_Encryption_Standard\r\n \r\nDecrypting of your files is only possible with the private key and decrypt program, which is on our secret server.\r\nTo receive your private key follow one of the links:\r\nIf all of this addresses are not available, follow these steps:\r\n 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html\r\n 2. After a successful installation, run the browser and wait for initialization.\r\n 3. Type in the address bar: g46mbrrzpfszonuk.onion/4AD0FFBA24BF9034\r\n 4. Follow the instructions on the site.\r\n!!! Your personal identification ID: 4AD0FFBA24BF9034 !!!\r\n_=+.*-\r\n$ - -_$|+$+=_.--=-$.\r\n|. $.|_.*=*-$$-$-_.\r\n$.+$*_* $ |..+*=\r\nWhitelisted folders:\r\ntmp\r\nwinnt\r\nApplication Data\r\nAppData\r\nProgram Files (x86)\r\nProgram Files\r\ntemp\r\nthumbs.db\r\n$Recycle.Bin\r\nSystem Volume Information\r\nBoot\r\nWindows\r\nExtensions:\r\n.yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rd\r\nSource: https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/"
	],
	"report_names": [
		"locky-ransomware-returns-but-targets-only-windows-xp-and-vista"
	],
	"threat_actors": [],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de0f05ecb57edb51e61f5d39b8dc7a8e3f8db829.pdf",
		"text": "https://archive.orkl.eu/de0f05ecb57edb51e61f5d39b8dc7a8e3f8db829.txt",
		"img": "https://archive.orkl.eu/de0f05ecb57edb51e61f5d39b8dc7a8e3f8db829.jpg"
	}
}