Actors behind Dridex launch another spam campaign, delivering Locky Ransomware

Recent reports have indicated that the actors behind Dridex, originally a banking Trojan distributor, have switched tactics, and are now heavily pushing out a new ransomware called Locky.

The current method of distribution is via a spam email, which contains a Word document. Additional reports have stated that it is being distributed via the Neutrino Exploit Kit.


Note, the file name may be different for every email sent, but the file will always be a Word document.

If you open the email, you’ll see an alert by Word, which warns you that the document contains a macro. Macros allow users to “code” specific procedures into the document, to help automate or repeat specific tasks.

dodi 1

However, in the case of Locky, it is used to install the malware on the machine.

dodi 2

This is a screenshot of the actual macro that delivers Locky.

If you happen to ignore the alert from Word, and clicked on Enable content, Locky will scan your system for specific files, and will encrypt them, or modify them so that you cannot use them anymore, unless you pay the ransom.

The files it encrypts are commonly found on end users’ machines, such as .doc, .csv, .pdf, .jpg, etc. However, what should be more concerning to enterprise customers is that it will also look for .SQL, .SQLiteDB, and .SQLite3 files, which are associated with databases. Additionally, it looks to encrypt encryption keys (.crt and .key).

Once the malware has been executed, the Desktop wallpaper may change, to show instructions on how to decrypt your files.

dodi 3

It will also drop text files that contain the same instructions on how to decrypt your files. These files are named _Locky_recover_instructions.txt.

dodi 4

The transaction is all too familiar for many of the other types of ransomware out there. The malware authors have you visit a website, hosted on the TOR network, to provide payment. For Locky, the current amount is .5 BTC, or the equivalent of $209.33.

dodi 5

Bitcoin site hxxps://

We’ve looked into the Bitcoin address, 151xDKSeevSsBYu4oeFczYSb5z7UPY35zv, but currently do not see any transactions.

dodi 6

PC Matic users should know that this malware is blocked, and cannot be executed on machines protected with Super Shield.

dodi 7

You can read additional information about Locky Ransomware here.

 1,435 total views,  1 views today

(Visited 1 times, 1 visits today)

2 thoughts on “Actors behind Dridex launch another spam campaign, delivering Locky Ransomware”

  1. only 209 bucks to get your files back? What a bargain! Seriously, this serves as a reminder to everyone, to keep regular image and file backups: You never know when you may need them!

    1. @Randy Bell: it’s also a good reminder to not download random attachments and if someone you know spontaniously sends you one, how much of a champion idea it is to contact them first and ask if they purposely sent it. if they didn’t, then its proof positive that the email should be tossed in the bin and forgotten about.

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.