Botnet C&C



Locky is a kind of ransomware that encrypts data on victim local system. According it's encryption algorithm, there are 2 major variants appears in all over the world.


All infected document files are renamed with appended new suffix. The suffix is changing among different variants. Below is the list that under our collection:

.locky .zepto .odin .shit .thor .aesir .zzzzz .osiris

When the whole infection finishes, Locky will popup a generated html and picture for showing the payment instruction.


The first major variant used custom algorithm to encrypt it's traffic between CnC. But the second major variant (until now) changed to RSA encryption to protect it's traffic.

The Locky hardcoded several IP as it's CnC, then appended one of following uri depending on different minor variant.

/message.php /linuxsucks.php /information.cgi /checkupdate


It is not recommended that any attempts to remove this family of malware be performed manually. Fortinet recommends running a full scan of your system using FortiClient Endpoint Protection to remove this threat.