AhnLab Security Center


Look He(?) Took Us again: Lukitus Ransomware


A variant of Locky ransomware was discovered again. Locky’s transformation seems to be endless.


The latest Locky variant changes the file extension to lukitus. Lukitus means “lock” in Finnish. The ransomware is spreading via spammed emails. When the compressed .js file attached to the email is downloaded, the ransomware runs.


 [Figure 1] .js file attached as ransomware downloader


.js file invokes windows script host, such as wscript.exe, cscript.exe, etc. and shows error message, as shown in Figure 2, to hide the execution.


 [Figure 2] Error window shown to trick users


[Figure 3] wscript.exe file running


As shown in Figure 4, the .js file that operated the windows script host file connects to the specific URL and downloads the executable file of the Locky Ransomware in the designated path.


 [Figure 4] .js file downloading Locky from a specific URL


Downloaded new Locky shows the same ransom note as original Locky as shown in Figure 5. However, as shown in Figure 6, the encrypted files are changed to .lukitus.



[Figure 5] Ransom note



[Figure 6] Encrypted files after the infection


Locky ransomware is a known malware, but it is constantly changing, causing damage. The best way to avoid ransomware and variants is to prevent it beforehand.


V3, AhnLab’s anti-virus program, detects Lukitus.

<Aliases identified by AhnLab V3>

JS / Obfus

Trojan / Win32.Locky


In addition, AhnLab provides a proactive measure against malware that are distributed via spam emails, such as Locky and its variants. AhnLab's Advanced Persistent Threat (APT) protection solution, AhnLab MDS, counters such malware attacks by employing Mail Transfer Agent (MTA) mode. In this mode, AhnLab MDS detects, analyzes, and quarantines potentially malicious emails, thereby effectively spoiling phishing email attacks, and also email-based ransomware.


<Aliases identified by AhnLab MDS>

Exploit / SCRIPT.MalJavaScript

Malware / MDP.Ransomware