Locky
Locky is a ransomware family first released in 2016 and widely recognized as one of the early major ransomware operations. It was primarily distributed through large-scale spam and phishing campaigns, commonly using invoice- or business-themed lures with malicious Microsoft Word or Excel attachments containing macros; additional delivery methods mentioned include DOCM attachments, zipped JavaScript attachments, exploit kits, and botnet-driven malspam. Multiple sources in the content state that Locky shared delivery infrastructure and methods with Dridex, including similar subject lines, attachments, downloader mechanisms, and use of the Necurs botnet; some reporting also attributes Locky campaigns to actors referred to as Evil Corp or TA505. TA505 is specifically noted as having introduced Locky in February 2016 and later using COVID-19-themed phishing emails in March 2020 to deliver Locky and Dridex, including lures targeting healthcare organizations.
Once executed, Locky encrypts files on local, removable, RAM-disk, and network drives, renames them either to random 16-character names or, in at least one described pattern, to {unique ID per victim}{identifier}.locky, and appends variant-specific extensions. Extensions explicitly mentioned in the content include .locky, .zepto, .odin, .thor, .aesir, .zzzzz, and .osiris. After encryption, Locky displays a ransom note and instructs victims to use the Tor Browser to access a payment site; ransom demands in the cited material are typically 0.5 to 1 bitcoin. The malware is described as using RSA-2048 and AES-128, with server-side key generation, and no decrypter is mentioned in the cited Locky/Osiris reporting.
The content notes that Locky was heavily active in 2016, with large spam waves reaching hundreds of thousands to millions of users, and that it was among the ransomware families that helped commercialize data-extortion at scale. Healthcare is specifically cited as an attractive target class for ransomware operators such as those behind Locky, and real-world impact mentioned includes Hollywood Presbyterian Medical Center paying a bitcoin ransom in February 2016 after an email-attachment infection, as well as infections at UK schools. Locky is also listed as a ransomware family dropped by Magnitude Exploit Kit and appeared prominently in Spamhaus botnet-controller statistics for 2016. Variant naming in the content includes Zepto and Osiris as Locky variants.
High-confidence indicators and artifacts directly mentioned include encrypted-file extensions .locky and .osiris; ransom-note naming pattern OSIRIS-[random].htm for the Osiris variant; and sample hashes from a 2019 analysis including SHA-256 2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b, ed2f09e648dca8f0ca75466b1442f6e599afddc80777e0559fb6881c6cd9ff3, b60fde281d91cc3e7ea3e343ee5b13a31def564903c0136ae928f70e25c3c02, afc78b5630726c907a69d62a6c8a7d86326e21383fe3aae1efc715342238e02, and bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3. One analysis also observed a spawned unsigned svchost.exe executing from C:\Users\IEUser\AppData\Local\Temp\ during sample execution.
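Added example, not code from the page or from any vendor: a small Python triage routine that checks file names against the rename shapes and extensions listed above, the OSIRIS-[random].htm note pattern, and the unsigned svchost.exe-from-Temp observation. The hex alphabet for the renamed stems, the sample paths and the process-event dictionary format are assumptions.

```python
import re

# Extensions this page lists as appended by Locky variants.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".thor", ".aesir", ".zzzzz", ".osiris"}
# Rename shapes from the page: random 16-char stem or {victim ID}{identifier}; hex alphabet assumed.
STRONG_STEM = re.compile(r"^[0-9A-Fa-f]{16}(?:[-_]?[0-9A-Fa-f]{8,16})?$")
# Osiris ransom-note naming pattern OSIRIS-[random].htm, from the page.
RANSOM_NOTE = re.compile(r"^OSIRIS-[0-9A-Za-z]+\.htm$", re.IGNORECASE)
# Unsigned svchost.exe run from a user's AppData\Local\Temp, the observation on the page.
TEMP_SVCHOST = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\svchost\.exe$", re.IGNORECASE)

def classify_path(path):
    """Label one file path, or return None when it shows no Locky artifact."""
    name = re.split(r"[\\/]", path)[-1]
    if RANSOM_NOTE.match(name):
        return "ransom_note"
    stem, dot, ext = name.rpartition(".")
    if dot and ("." + ext.lower()) in LOCKY_EXTENSIONS:
        # A bare 16-char or ID-shaped stem is the documented rename; any other
        # stem carrying a Locky extension is kept as a weaker signal.
        return "encrypted_strong" if STRONG_STEM.match(stem) else "encrypted_weak"
    return None

def classify_process(event):
    """True for an unsigned svchost.exe image started from a user temp directory."""
    return TEMP_SVCHOST.match(event["image"]) is not None and not event["signed"]

def triage(file_paths, process_events):
    """Count artifacts by kind; 'alert' is set when any strong signal is present."""
    counts = {"ransom_note": 0, "encrypted_strong": 0, "encrypted_weak": 0}
    for path in file_paths:
        label = classify_path(path)
        if label:
            counts[label] += 1
    counts["temp_svchost"] = sum(1 for e in process_events if classify_process(e))
    counts["alert"] = bool(counts["ransom_note"] or counts["encrypted_strong"] or counts["temp_svchost"])
    return counts

# Constructed sample input for a dry run; none of it comes from a real incident.
SAMPLE_FILES = [
    r"D:\shares\finance\0123456789ABCDEF.locky",          # random 16-char stem
    r"D:\shares\finance\0123456789ABCDEFAABBCCDD.zepto",  # ID + identifier stem
    r"D:\shares\finance\OSIRIS-a1b2c3.htm",               # ransom note
    r"C:\Users\alice\Desktop\photo.jpg.osiris",           # original name kept, weak
]
SAMPLE_PROCESSES = [
    {"image": r"C:\Windows\System32\svchost.exe", "signed": True},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "signed": False},
]
```

Run `triage(SAMPLE_FILES, SAMPLE_PROCESSES)` to see the counts; in practice the file list would come from a share walk and the process events from EDR or Sysmon telemetry.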
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Google TAG Team discovered CVE-2019-1367 exploited in the wild by a threat actor... CVE-2019-1367 enables Remote Code Execution (RCE) in the context of Internet Explorer in all versions 8, 9, 10 and 11 due to a memory corruption in jscript.dll... Microsoft released a patch and encouraged users to disable jscript.dll.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
More recent Hive0065 campaigns reported in March 2020 exploited the current interest in the COVID-19 pandemic, using Coronavirus-themed phishing emails to deliver the Locky ransomware and the Dridex banking Trojan.
Locky ransomware operates using the same delivery method for the downloader, with similar subject lines and attachments. Attackers also use the same botnets to deliver both Dridex and Locky ransomware, sometimes simultaneously.
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
It does not include other fraudulent infrastructure, such as payment sites for ransomware (TorrentLocker, Locky, Cerber etc) or malware distribution sites.
Initial Access
2 techniques
Actors typically distribute Dridex malware through phishing e-mail spam campaigns. Phishing messages employ a combination of legitimate business names and domains, professional terminology, and language implying urgency to persuade victims to activate open attachments.
In November 2019, X-Force IRIS observed a threat actor targeting enterprise employees in Europe with a spear phishing email impersonating Onehub... Hive0065 sends a malicious email to employees purporting to be from an HR representative’s account.
Execution
4 techniques
The spreading mechanism via macros in Word or Excel documents sent out via carefully crafted spear-phishing emails is exactly the same for both of these strains.
"Distribution methods... zipped JS attachments" and "...zipped JavaScript code in the emails."
"Distribution methods... include exploit kits"
Phishing messages... persuade victims to activate open attachments... By default, software generally prevents execution of macros without user permission. Attached files... contain instructions on how a user should enable content and specifically macros, effectively using social engineering to facilitate the download.
Privilege Escalation
1 technique
Stealth
4 techniques
Would you look at that! We found ourselves some poor man's obfuscation :D A whole bunch of random strings to make the analyst's life just a little bit harder.
After a couple of seconds it spawns a new svchost.exe process with the same icon as Locky.exe had previously... it is actually run from C:\Users\IEUser\AppData\Local\Temp\ and it's unsigned as well.
Discovery
1 technique
Command and Control
3 techniques
Spamhaus researchers issued listings for over 7,000 botnet Command & Control ("C&C") servers... These C&C servers enabled and controlled online crime such as credential theft, e-banking fraud, spam and DDoS attacks. They were also used for the retrieval of stolen data.
This Trojan is attached in spammed mail. It downloads other malware such as LOCKY ransomware and DRIDEX malware.
"...Necurs's bots consistently polled the DGA until a C&C server replied..."
Impact
2 techniques
Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files.
While WannaCry might be seen as a failed operation from a financial perspective for the attackers ... the epidemic has raised the profile of ransomware; both to the general public and likely for the cybercriminal fraternity as well. Ransomware has already experienced great success ... because it simply works. People will pay ransom demands to get their encrypted files back.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A ransomware family mentioned as one of the payloads delivered by Magnitude Exploit Kit.
Legacy ransomware family referenced only for historical comparison: a 2016 'Osiris' variant was based on Locky; the newly reported Osiris strain is stated to be unrelated.
Legacy ransomware family referenced only to clarify that the newly reported Osiris is not related to the 2016 Osiris/Locky iteration.
Ransomware that encrypts files and demands payment for decryption; known for widespread distribution via email attachments.