{"Event": {"info": "OSINT - Locky Ransomware switches to the Lukitus extension for Encrypted Files", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:ransomware=\"Locky\""}], "publish_timestamp": "0", "timestamp": "1507106134", "analysis": "2", "Attribute": [{"comment": "- Xchecked via VT: 29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035", "category": "External analysis", "uuid": "59d49d4f-52c8-4e09-bd43-403202de0b81", "timestamp": "1507106127", "to_ids": false, "value": "https://www.virustotal.com/file/29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035/analysis/1506937290/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "- Xchecked via VT: 29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035", "category": "Payload delivery", "uuid": "59d49d4f-4f50-4514-a127-4f5f02de0b81", "timestamp": "1507106127", "to_ids": true, "value": "4baa57a08c90b78d16c634c22385a748", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "- Xchecked via VT: 29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035", "category": "Payload delivery", "uuid": "59d49d4f-6b7c-4c33-ba06-4ca402de0b81", "timestamp": "1507106127", "to_ids": true, "value": "365da6a9e46ef2746b01cb9189f44ff4c330bd0a", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "59d49275-d7a4-4ea5-8c42-4b36950d210f", "timestamp": "1507106127", "to_ids": true, "value": "29fc7875aac4e84fc6b5f76c9bb51eba9bb19eb4398cba5505050809b0f88035", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Ransomnote", "category": "Payload delivery", "uuid": "59d49275-93ec-4c5b-8354-447c950d210f", "timestamp": "1507106127", "to_ids": true, "value": "lukitus.bmp", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Ransomnote", "category": "Payload delivery", "uuid": "59d49275-4930-42bf-b458-42ef950d210f", "timestamp": "1507106127", "to_ids": true, "value": "lukitus.htm", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "External analysis", "uuid": "59d48ba1-8cf0-4f6a-94e8-4771950d210f", "timestamp": "1507106127", "to_ids": false, "value": "Today a new Locky Ransomware variant was discovered by Rommel Joven that switches to the .lukitus extension for encrypted files. It is important to note that if you are infected with this ransomware, you are not infected with the Lukitus Ransomware, as some sites may call it. You are instead infected by Locky, which is using the .lukitus extension. There is a difference.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "", "category": "External analysis", "uuid": "59d48b5b-42a4-4f3e-b70d-4429950d210f", "timestamp": "1507106127", "to_ids": false, "value": "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}], "extends_uuid": "", "published": false, "date": "2017-08-16", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "59d48b3a-e3b4-4eb4-b675-464a950d210f"}}