Kaspersky delves deep into Locky threat, which has spread to 114 countries

A thorough analysis of the ransomware Locky by Kaspersky Lab has yielded a series of highly detailed insights on the pernicious software, according to the company's Securelist blog post.

According to the Apr. 6 post, Kaspersky has so far detected and reported Locky infection attempts in 114 different countries, with the heaviest concentration of attacks in Germany (3,989 attacks) and France (2,372 attacks). Kuwait (976) has been the third most commonly targeted country, while the U.S. is seventh (188). (These figures do not even include early-stage detections, where malicious spam or downloaders were discovered and successfully eliminated before Locky could be transmitted.)

“What really caught our attention was the massive spamming campaign which distributes Locky in more than 100 countries all over the world at once,” said Kaspersky researcher and blog author Fedor Sinitsyn, in an email interview with “It turns out the most unique and probably dangerous feature of Locky is not within the code of this malware, but rather in its aggressive propagation.”

In his post, Sinitsyn explains that the Trojan spreads via social engineering— typically with spam emails weaponized with malicious attachments. Originally, these attachments were Microsoft Word documents containing malicious macros, but that has evolved into ZIP archives containing obfuscated code written in JavaScript.

“Maybe it's because modern versions of MS Office don't have macros enabled by default, and the criminals thought that not enough potential victims are getting infected because of it,” Sinitsyn told “With malicious JS-downloaders, the victim doesn't need to enable anything. [They just need to] double-click on the script inside an archive, so the criminals behind Locky might have thought this propagation technique would increase the infection rate.”

When opened, the 100 kb malware file, which was developed in Microsoft Visual Studio, copies itself into an infected machine's directory and eliminates the usual notification that warns users against downloading unknown files from the Internet. The malware then connects and communicates with a command and control center, before encrypting the affected machine's files and delivering a ransom demand.

According to the post, the Trojan's code contains between one and three C&C IP addresses. But it also features an algorithm that generates six new C&C addresses per day.

Meanwhile, the ransom message contains a series of links that lead to the same Tor network website. Sinitsyn noted that Russian and other Soviet languages are not among the supported languages listed in the ransom page's source code. “For some reason the cybercriminals are not that keen on targeting users in countries where those languages are spoken,” wrote the researcher in his blog. Cybersecurity experts often say such behavior is a clue that the attackers themselves are likely based in this language-speaking region.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.