Ahmed Sonbol

Detecting Locky variants using Security Analytics

Blog Post created by Ahmed Sonbol on Feb 22, 2016

Locky is a new ransomware family that is drawing a lot of attention from security researchers because it is being delivered by the same actors behind the notorious Dridex banking trojan. Locky spreads through spam campaigns carrying attached Office documents whose embedded macros download the Locky binary to the victim's machine. You can read more about Locky on the Proofpoint blog.


In this blog post, we will look at what its network activity looks like in RSA Security Analytics. After the user enables the macro, an executable is downloaded to the machine as follows:






Downloading executables is certainly not exclusive to Locky or to any ransomware family, but it is suspicious enough to warrant further investigation. Once the transfer is complete, Locky runs and starts to communicate with its C2 server as follows:






Assuming the appropriate meta keys (service, action, filename and client) are enabled and populated, the following query can be used to detect Locky's C2 traffic:

               service = 80 && action = 'post' && filename = 'main.php' && client !exists
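The two detection points above, the executable download and the C2 POST, can be reproduced outside Security Analytics by deriving the same meta fields from raw HTTP sessions. The following is an added example written for this post, not RSA code and not the Security Analytics parser; it assumes the usual meaning of the meta keys (service as the HTTP service on port 80, action as the request method, filename as the last path component of the URI, client as the User-Agent header) and runs over a handful of constructed sessions rather than captured Locky traffic. The PE check on the download stage uses the "MZ" header of the response body as an approximation of what the filetype meta would report.

```python
# Added example: replay the post's Locky logic over raw HTTP sessions.
# Meta keys modelled here (assumed mapping, not the product's parser):
#   service  -> 80 for HTTP
#   action   -> HTTP method, lower-cased
#   filename -> last path component of the request URI (query string stripped)
#   client   -> User-Agent header; None stands for 'client !exists'

def parse_http_request(raw: bytes) -> dict:
    """Extract the meta fields the query relies on from a raw HTTP request."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    path = target.split("?", 1)[0]
    filename = path.rsplit("/", 1)[-1]
    return {
        "action": method.lower(),
        "filename": filename,
        "client": headers.get("user-agent"),  # None models 'client !exists'
        "body": body,
    }


def matches_locky_c2_query(service: int, raw_request: bytes) -> bool:
    """service = 80 && action = 'post' && filename = 'main.php' && client !exists"""
    if service != 80:
        return False
    meta = parse_http_request(raw_request)
    return (
        meta["action"] == "post"
        and meta["filename"] == "main.php"
        and meta["client"] is None
    )


def response_delivers_pe(raw_response: bytes) -> bool:
    """Stage-one check: the HTTP response body begins with the 'MZ' stub of a PE file."""
    _head, _sep, body = raw_response.partition(b"\r\n\r\n")
    return body[:2] == b"MZ"


# Constructed sample sessions for illustration, not captured traffic.
SESSIONS = [
    {   # macro downloads the payload: GET with an executable in the response
        "id": "s1", "service": 80,
        "request": b"GET /4/dl.exe HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
        "response": b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00\x03",
    },
    {   # C2 check-in: POST to main.php with no User-Agent header
        "id": "s2", "service": 80,
        "request": b"POST /main.php HTTP/1.1\r\nHost: 192.0.2.20\r\nContent-Length: 6\r\n\r\nid=abc",
        "response": b"HTTP/1.1 200 OK\r\n\r\n",
    },
    {   # same URI but a User-Agent is present: does not satisfy 'client !exists'
        "id": "s3", "service": 80,
        "request": b"POST /main.php HTTP/1.1\r\nHost: 198.51.100.5\r\nUser-Agent: curl/7.47\r\nContent-Length: 3\r\n\r\nx=1",
        "response": b"HTTP/1.1 200 OK\r\n\r\n",
    },
    {   # no User-Agent but a different filename
        "id": "s4", "service": 80,
        "request": b"POST /gate/submit.php HTTP/1.1\r\nHost: 198.51.100.6\r\n\r\n",
        "response": b"HTTP/1.1 200 OK\r\n\r\n",
    },
    {   # query string after main.php still yields filename main.php
        "id": "s5", "service": 80,
        "request": b"POST /main.php?v=2 HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\n",
        "response": b"HTTP/1.1 404 Not Found\r\n\r\n",
    },
]


def triage(sessions):
    """Return {session id: verdicts} for sessions that trip either check."""
    hits = {}
    for s in sessions:
        verdicts = []
        if response_delivers_pe(s["response"]):
            verdicts.append("executable download")
        if matches_locky_c2_query(s["service"], s["request"]):
            verdicts.append("locky c2 post")
        if verdicts:
            hits[s["id"]] = verdicts
    return hits


if __name__ == "__main__":
    for sid, verdicts in triage(SESSIONS).items():
        print(sid, ", ".join(verdicts))
```

Two practical caveats carry over to the real query. The `client !exists` clause only means "no User-Agent" if the client meta key is actually being generated by the HTTP parser; if it is not, every POST to main.php on port 80 will match. And the executable-download check on its own is a triage signal, not a verdict, for the reason the post gives: plenty of legitimate software fetches executables over plain HTTP.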


Scan results for a Locky variant can be found here.


All the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch Command and Control IPs
  • RSA FirstWatch Command and Control Domains