2017-08-09 - "DIABLO6" VARIANT OF LOCKY RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-08-09-Locky-ransomware-traffic.pcap   (556,954 bytes)
  • 2017-08-09-Locky-decryption-instructions-diablo6.bmp   (5,666,614 bytes)
  • 2017-08-09-Locky-decryption-instructions-diablo6.htm   (8,913 bytes)
  • 2017-08-09-Locky-ransomware.exe   (620,544 bytes)
  • 2017-08-09 (263).vbs   (5,892 bytes)
  • 2017-08-09 (780).zip   (2,125 bytes)


NOTES:


INFO ABOUT THIS:


EMAILS


Shown above:  An example of what the emails looked like.



Shown above:  The zip archive attachment and the extracted VBS file.


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


ASSOCIATED DOMAINS:


FILE HASHES

ZIP ARCHIVE FROM THE EMAIL:

EXTRACTED .VBS FILE:

LOCKY RANSOMWARE EXECUTABLE RETRIEVED FROM THE INFECTED HOST:


SCREENSHOTS


Shown above:  Screenshot from a Windows host infected with this Diablo6 variant of Locky.



Shown above:  Examples of encrypted files.



Shown above:  Locky decryption from the Tor domain.



Shown above:  The ransom demanded was 0.5 bitcoin.
