Locky has been around since 2016, contributing to the total amount lost to ransomware worldwide, which has to this day reached US$20 billion in the U.S. alone. It usually gets delivered to users’ computers via emails with malicious attachments in the form of macro-laden Word documents. Users who get tricked into downloading the attachment and enabling macros on their systems are locked out of files and even their computers in the process. Some have no choice but to pay the ransom, hoping they’d get back access. In the end, though, not everyone ever regains what they lost.

IBM X-Force Exchange released a new list of Locky ransomware indicators of compromise (IoCs) in October, indicating the threat remains alive and kicking up to now. As part of our ongoing effort to keep users safe from as many potential threat vectors as possible, we sought to expand IBM’s list of 61 malicious IP addresses.

The key findings, which we’ll dive deeper into later on, include:

• 84 domains that resolve to the 61 IP addresses IBM listed as Locky ransomware IoCs
• 26 IP geolocation origin countries that may be worth monitoring for signs of malicious activity
• 120 domains registered using three contact email addresses indicated in the WHOIS records of some connected domains
• 77,823 subdomains containing strings found in the first-level domain names of the connected and additional domains

The complete list of suspicious and malicious web properties (i.e., IP addresses, domains, and subdomains) identified in this post is available for download on our website.

Initial Analysis and Findings

As mentioned above, we began our investigation with the 61 malicious IP addresses IBM identified. We subjected that list to a bulk IP/DNS lookup and obtained 84 connected domains. Examples include:

• abiniti[.]com
• panel6[.]richhost[.]biz
• vpn486316629[.]softether[.]net
• d-ip-129-15-240-105[.]navy-rotc[.]ou[.]edu
• coral[.]dentolo[.]net
• bob-owens[.]com
• 0000news[.]co[.]cc
• dataoffice[.]it
• 0b30e4e967a9420b012ddd6787f5358f731d3720[.]unraid[.]net
• ih1206009[.]vds[.]myihor[.]ru

A bulk IP geolocation lookup showed that the threat hosts appeared to be widely distributed worldwide, spanning 26 countries led by Russia and the U.S., which accounted for 10 IP addresses each.

Watching out for suspicious IP hosts originating from the top countries identified in Chart 1 may be necessary to prevent Locky infection.

IoC List Expansion Details

A bulk WHOIS lookup of the connected domains showed that only three had unredacted contact email addresses. Using these as keywords for reverse WHOIS searches gave us an additional 120 domains. Examples include:

• seychelles[.]net
• cwseychelles[.]com
• vdspanel[.]cz
• next-lab[.]lv
• ignum-server[.]cz
• web-cloud[.]cz
• nextfertility[.]lv
• freedns[.]cz
• emailzdarma[.]cz
• linguafilm[.]cn

Two of these were particularly dangerous to access (seychelles[.]net and opengw[.]net), as revealed by a bulk malware check using the Threat Intelligence Platform (TIP), and should be blocked on networks.

To find more potential threat vectors that individuals and companies alike should avoid, we used Domains & Subdomains Discovery. We uncovered 77,823 subdomains that contained strings found in the first-level domain names (e.g., armaf, arpanet, bednar, etc.) of the connected and additional domains found earlier.

From the original list of 61 malicious IP addresses, a deep dive using various WHOIS, IP, and DNS intelligence sources gave us thousands of domains and subdomains that users should stay well away from to avoid Locky ransomware infection.

Interested in performing a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research partners.