When we published our recent Locky blog post, we didn't expect it to have such a quick effect: a day after the post went online, this notorious ransomware went offline. We immediately figured it out - a blog post can change the world.
Or maybe it can't.
It took Locky three weeks to come back into our lives. First, we saw the Necurs botnet (which provides Locky's infrastructure) re-appear a couple of days ago after being down on May 31st. And then, very early on June 22nd, we detected new Locky Command & Control (C&C) servers. As mentioned in previous posts, the Nominum Data Science team has visibility into a massive worldwide feed of DNS queries--roughly 100 billion queries/day--plus an arsenal of proprietary tools, which makes early detection of a malware outbreak possible.
Below are some of our initial findings:
- "Comeback Locky" is still using DGA (domain generation algorithm) to generate the domains for its C&C traffic. This new variant is using a new seed (7743), which replaces seeds that were active at the end of May (such as 9056). Another previous-generation Locky seed (7773) is still active today.
- While previous variants of Locky mainly targeted Germany and France, we suspect that the current variant might have its eye on other European countries based on the geo-location of the traffic we've seen so far.
- Not even 24 hours after the initial outbreak we've already identified 12 unique Locky domain names and hundreds of queries for these domains. The following is a sample set of the domains:
Blocking traffic to these domains is a good way to avoid the threat of Locky, as we've done for service providers that use Nominum, now part of Akamai, ThreatAvert. As always we'll keep looking for the next step in the evolution of ransomware and respond accordingly. Stay tuned as the Locky situation unfolds.