
The Comings and Goings (and Comings) of Locky

Ransomware is grabbing a lot of headlines lately given the increasing frequency with which these attacks occur. One prominent form of this advanced cyberthreat is Locky, which we first wrote about almost one year ago. After our initial blog post we saw Locky mostly disappear – at least momentarily. It then came back about three weeks later, but given our broad view of DNS queries from communications service provider (CSP) networks around the globe, we were quickly able to detect the new activity.

While Locky was active for several months, it got relatively quiet in late 2016. The last new Locky DGA seed that we pinpointed was 63218 on December 12, 2016. From that point forward we saw no new seeds, only reuse of old ones. In the meantime, security researchers only occasionally captured samples with IP-only Command & Control (C&C) variants, which led us to believe it was slowing down. The last activity on Locky C&C names was observed in mid-January 2017; then it went silent.

In late April, members of the security research community discovered Locky samples using IP C&Cs, as listed in this VirusTotal page. Our own continuous Locky monitoring and protection had been in production the whole time, since December 2016, when we last saw new DGA seeds. On the morning of April 26 (at approximately 8 a.m. UTC), our detection algorithm observed a new seed, 556677, from the new core domains it sees in real time. Future C&C names were then predicted from that seed, and we were able to begin blocking the DGA domains.

Examples of the names we discovered on April 26 and April 27:

qeculyflnllsurok[.]click.
dkdaaowtijrmph[.]work.
xocnwrchbmon[.]pw.
uneamigei[.]biz.
xkfqdkgyyuhnxh[.]pw.
yfwhbkhqowymiqy[.]info.
uyewjvef[.]xyz.
fchxdelawpjkawa[.]pw.
mxbswvfgsbpnmhh[.]info.
oxoqgrfkgjqehoj[.]work.
fqvnteq[.]pl.
rscqgvues[.]ru.

Just yesterday, on May 8, we saw the second Locky seed in two weeks — 87133, which we found at approximately 4:00 p.m. UTC. Some old Locky seeds (like 1999) were observed during recent weeks too, so it appears Locky is back in business. A sample of the domains we discovered on May 8 and May 9 follows:

bktpmoeurngmf[.]xyz.
wuawolgu[.]ru.
ijtvcbgtohinroyf[.]info.
hafvlrbvgwodrcoep[.]xyz.
tmtbhckt[.]info.
xvftfxxsg[.]org.
jfftdtxwblrie[.]xyz.
stvaranlqidfdvl[.]click.
gqhrqdcvfxnrx[.]work.
hqymboimievs[.]work.
fodkyhxrsdfeiy[.]su.
cdtmotomcs[.]biz.
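
The two lists above are a useful reminder of what a DGA "looks like" on the wire: long, consonant-heavy, high-entropy second-level labels spread across cheap TLDs. The following is an added example, not part of the original post and not the detection system described in it: a small lexical triage script that refangs names written in the `[.]` style used above and flags labels that score on length, Shannon entropy, vowel ratio and longest consonant run. The sample inputs are a handful of the names from the post plus three constructed benign names; the thresholds are assumptions tuned to these samples and are not Locky-specific. Note that two of the genuine names (`uneamigei` and `wuawolgu`) are pronounceable enough to slip past the heuristic, which is exactly why seed discovery and prediction of future names, as the post describes, beats pure lexical scoring.

```python
import math
from collections import Counter

# Constructed sample: defanged names quoted in the post, plus three benign
# names added as negatives. This is illustration data, not a real feed.
SAMPLE_NAMES = [
    "qeculyflnllsurok[.]click.",
    "dkdaaowtijrmph[.]work.",
    "xocnwrchbmon[.]pw.",
    "uneamigei[.]biz.",
    "bktpmoeurngmf[.]xyz.",
    "wuawolgu[.]ru.",
    "ijtvcbgtohinroyf[.]info.",
    "hafvlrbvgwodrcoep[.]xyz.",
    "www.example.com.",      # constructed benign
    "mail.google.com.",      # constructed benign
    "cdn.cloudflare.net.",   # constructed benign
]

VOWELS = set("aeiou")


def refang(name: str) -> str:
    """Turn a defanged name like 'foo[.]bar.' into 'foo.bar' (no trailing dot)."""
    return name.replace("[.]", ".").rstrip(".").lower()


def second_level_label(fqdn: str) -> str:
    """Label directly under the TLD. Assumes a single-label TLD, which holds
    for every name in the post; production code should consult a public
    suffix list so 'example.co.uk' is split correctly."""
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; higher means the label uses its alphabet more evenly."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def lexical_features(label: str) -> dict:
    """Cheap per-label features: length, entropy, vowel ratio, consonant run."""
    letters = [ch for ch in label if ch.isalpha()]
    vowels = sum(1 for ch in letters if ch in VOWELS)
    # Longest run of consecutive consonants: 'dkdaaowtijrmph' has one of 5,
    # while English dictionary words rarely exceed 3 or 4.
    longest = run = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
        "max_consonant_run": longest,
    }


def looks_dga(label: str) -> bool:
    """Flag labels that are long and hit at least two of three signals.
    Thresholds are assumptions chosen for this illustration."""
    f = lexical_features(label)
    if f["length"] < 7:
        return False
    signals = [
        f["entropy"] >= 3.0,
        f["vowel_ratio"] <= 0.35,
        f["max_consonant_run"] >= 4,
    ]
    return sum(signals) >= 2


def scan(names):
    """Return the refanged FQDNs whose second-level label is flagged, in order."""
    flagged = []
    for raw in names:
        fqdn = refang(raw)
        if looks_dga(second_level_label(fqdn)):
            flagged.append(fqdn)
    return flagged


if __name__ == "__main__":
    for fqdn in scan(SAMPLE_NAMES):
        print("suspect:", fqdn, lexical_features(second_level_label(fqdn)))
```

Run it as-is and it prints the six flagged names with their feature values; feed it a passive-DNS export instead of `SAMPLE_NAMES` to triage a real day of queries. Treat the output as a candidate list for correlation with NXDOMAIN rates and newly-seen domains, not as a verdict on its own.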

As always, we are continuing to monitor Locky behavior so we can protect our global service provider customers (and their subscribers) against this DNS-based method of command and control communication. While ransomware continues to try to wreak havoc on businesses and individuals around the world, it’s highly fulfilling to detect these behaviors as quickly as we do, given our global view of DNS, and take steps to keep CSP networks protected from such malicious threats.
