{ "Event": { "analysis": "2", "date": "2016-04-08", "extends_uuid": "", "info": "OSINT - Locky: the encryptor taking the world by storm", "publish_timestamp": "1544622808", "published": true, "threat_level_id": "3", "timestamp": "1544622791", "uuid": "5707b73d-02e4-4c52-9eee-4872950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#2c4f00", "local": "0", "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "REG_SZ - Infection ID", "deleted": false, "disable_correlation": false, "timestamp": "1460123565", "to_ids": true, "type": "regkey", "uuid": "5707b7ad-8d28-4d43-adfc-e179950d210f", "value": "HKEY_CURRENT_USER\\Software\\Locky\\id" }, { "category": "Artifacts dropped", "comment": "REG_BINARY - Public RSA key in MSBLOB format", "deleted": false, "disable_correlation": false, "timestamp": "1460123565", "to_ids": true, "type": "regkey", "uuid": "5707b7ad-9a40-4c25-914d-e179950d210f", "value": "HKEY_CURRENT_USER\\Software\\Locky\\pubkey" }, { "category": "Artifacts dropped", "comment": "REG_BINARY - Text shown to the victim", "deleted": false, "disable_correlation": false, "timestamp": "1460123565", "to_ids": true, "type": "regkey", "uuid": "5707b7ad-45c4-4bf5-be1c-e179950d210f", "value": "HKEY_CURRENT_USER\\Software\\Locky\\paytext" }, { "category": "Artifacts dropped", "comment": "REG_DWORD - Status (whether encryption is completed)", "deleted": false, "disable_correlation": false, "timestamp": "1460123566", "to_ids": true, "type": "regkey", "uuid": "5707b7ae-a400-4f48-ae0c-e179950d210f", "value": "HKEY_CURRENT_USER\\Software\\Locky\\completed" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1544604346", "to_ids": false, "type": "link", "uuid": "5707b7de-cda0-4dc6-b284-e175950d210f", "value": "https://securelist.com/blog/research/74398/locky-the-encryptor-taking-the-world-by-storm/", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1544604346", "to_ids": false, "type": "comment", "uuid": "5707b838-e0c4-471d-91c8-f60b950d210f", "value": "In February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the present day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries around the world.", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] } ] } }