Forcepoint exposes Locky domains

Forcepoint details domains delivering Locky ransomware for March
Forcepoint details domains delivering Locky ransomware for March

Security vendor Forcepoint has published more information on the domains that the Locky ransomware will use during March. This list should provide security administrators with the ability to track potentially infected emails arriving in their company. By doing so, they can start to mitigate the damage caused by Locky.

What is Locky?

For those who have not come across Locky it is the latest generation of ransomware. It arrives as an infected attachment, often a Microsoft Word file, pretending to be an invoice. It takes advantage of macros to encrypt files on the computer and rename their extension to .locky. If macros are not enabled it will prompt the user to enable them in order to view the invoice.

As with all ransomware, infected files can be unlocked by purchasing a key from the malware authors via the Dark Web. The price of the key varies depending on who is distributing the ransomware but it is set in Bitcoins and the user has to purchase sufficient bitcoins to recover their files.

What has Forcepoint published?

Researchers at Forcepoint, formerly known as Websense and Raytheon, have published their second piece on work on the core code behind Locky. Their focus has been on the Domain Generating Algorithm (DGA) which Locky uses download its malware from. A DGA allows malware authors to constantly change the servers from which their malware is distributed. As such, it makes it hard for security teams to block those domains.

In the blog posted by Nicholas Griffin, Forcepoint say that: “..the Locky malware has incorporated a new domain generation algorithm (DGA).” Given that Forcepoint had previously exposed the original domains that Locky used it is likely that this new code was a direct response by the ransomware authors to keep ahead of security teams.

The blog goes on to say : “We have now decided to publish this new DGA, which is more robust and less deterministic. Because of the changes we have observed, we believe that it is highly likely that the Locky developers will not change this algorithm again for the foreseeable future.”

This is good news for security teams as it means that they can begin to build out their domain blocking tables to reduce the likelihood of a Locky infection. However, reading through the entire post shows that even this latest piece of work is unlikely to prove a perfect defence. For example the new code relies on a “seed” which is used to generate the domains. As the blog points out: “..this can be changed at any time by the author or operator.”

Despite that, security teams will welcome the opportunity to put in place an initial defence against a range of domain addresses that are going to distribution the ransomware. This current list takes administrators through until the end of March although the publication of this list is almost certainly going to lead to a change in the seed used for generating domain names. It will be interesting to see just how long it will take before Forcepoint update their blog to list the next set of domains based on a new seed.

Russia excluded from ransomware

Embedded in the code is a switch that excludes computers either based in Russia or using Russian as their main language. This is not the first malware to do this and with the continued increase of malware as part of political attacks it won’t be the last.

As well as malware excluding certain languages and domains we have also had malware that has focused on some languages. French, Lithuanian, Ukrainian and Russian speakers have all been explicitly targeted over the last year with different strains of malware. This is a trend that is likely to continue for the foreseeable future as nation states and hacktivists continue to see malware as a way of getting their message across.


Malware writers are getting smarter and it is increasingly hard to keep up with them. The use of a DGA is not new but the speed with which the authors reacted to their initial domains being outed by Forcepoint is impressive. How long it will take them to make further changes such as altering the seed remains to be seen.

Irrespective of the underlying mechanics of the Locky ransomware it is increasingly clear that companies must start investing in cybersecurity training for staff. Without educating staff regularly on the latest phishing and other attacks, companies leave themselves open to attack. Expecting staff to keep up with the latest attacks is not a sustainable security posture.

Forcepoint exposes Locky domains was last modified: by

3 Comments - Write a Comment

  1. Pingback:

Post Comment