Home / Industry

Locky Ransomware: Still a Threat as List of IoCs Grows

Locky has been around since 2016, contributing to the total amount lost to ransomware worldwide, which has to this day reached US$20 billion in the U.S. alone. It usually gets delivered to users’ computers via emails with malicious attachments in the form of macro-laden Word documents. Users who get tricked into downloading the attachment and enabling macros on their systems are locked out of files and even their computers in the process. Some have no choice but to pay the ransom, hoping they’d get back access. In the end, though, not everyone ever regains what they lost.

IBM X-Force Exchange released a new list of Locky ransomware indicators of compromise (IoCs) in October, indicating the threat remains alive and kicking up to now. As part of our ongoing effort to keep users safe from as many potential threat vectors as possible, we sought to expand IBM’s list of 61 malicious IP addresses.

The key findings, which we’ll dive deeper into later on, include:

  • 84 domains that resolve to the 61 IP addresses IBM listed as Locky ransomware IoCs
  • 26 IP geolocation origin countries that may be worth monitoring for signs of malicious activity
  • 120 domains registered using three contact email addresses indicated in the WHOIS records of some connected domains
  • 77,823 subdomains containing strings found in the first-level domain names of the connected and additional domains

The complete list of suspicious and malicious web properties (i.e., IP addresses, domains, and subdomains) identified in this post is available for download on our website.

Initial Analysis and Findings

As mentioned above, we began our investigation with the 61 malicious IP addresses IBM identified. We subjected that list to a bulk IP/DNS lookup and obtained 84 connected domains. Examples include:

  • abiniti[.]com
  • panel6[.]richhost[.]biz
  • vpn486316629[.]softether[.]net
  • d-ip-129-15-240-105[.]navy-rotc[.]ou[.]edu
  • coral[.]dentolo[.]net
  • bob-owens[.]com
  • 0000news[.]co[.]cc
  • dataoffice[.]it
  • 0b30e4e967a9420b012ddd6787f5358f731d3720[.]unraid[.]net
  • ih1206009[.]vds[.]myihor[.]ru

A bulk IP geolocation lookup showed that the threat hosts appeared to be widely distributed worldwide, spanning 26 countries led by Russia and the U.S., which accounted for 10 IP addresses each.

Chart 1: Distribution of malicious IP addresses by country of origin

Watching out for suspicious IP hosts originating from the top countries identified in Chart 1 may be necessary to prevent Locky infection.

IoC List Expansion Details

A bulk WHOIS lookup of the connected domains showed that only three had unredacted contact email addresses. Using these as keywords for reverse WHOIS searches gave us an additional 120 domains. Examples include:

  • seychelles[.]net
  • cwseychelles[.]com
  • vdspanel[.]cz
  • next-lab[.]lv
  • ignum-server[.]cz
  • web-cloud[.]cz
  • nextfertility[.]lv
  • freedns[.]cz
  • emailzdarma[.]cz
  • linguafilm[.]cn

Two of these were particularly dangerous to access (seychelles[.]net and opengw[.]net), as revealed by a bulk malware check using the Threat Intelligence Platform (TIP), and should be blocked on networks.

To find more potential threat vectors that individuals and companies alike should avoid, we used Domains & Subdomains Discovery. We uncovered 77,823 subdomains that contained strings found in the first-level domain names (e.g., armaf, arpanet, bednar, etc.) of the connected and additional domains found earlier.

From the original list of 61 malicious IP addresses, a deep dive using various WHOIS, IP, and DNS intelligence sources gave us thousands of domains and subdomains that users should stay well away from to avoid Locky ransomware infection.

Interested in performing a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research partners.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byVerisign

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com

Brand Protection

Sponsored byCSC