
M2M - Locky 2017-11-03 : Affid=3, offline, ".asasin" : "Scanned image from MX-2600N" - "20171103_123456.doc"

Low
Published: Thu Nov 09 2017 (11/09/2017, 00:00:00 UTC)
Source: CIRCL
TLP: white

Description

M2M - Locky 2017-11-03 : Affid=3, offline, ".asasin" : "Scanned image from MX-2600N" - "20171103_123456.doc"

AI-Powered Analysis

Last updated: 06/18/2025, 19:34:52 UTC

Technical Analysis

The threat described pertains to a variant of the Locky ransomware identified around November 3, 2017, with the specific instance referenced as "M2M - Locky 2017-11-03". Locky ransomware is a well-known malware family that encrypts victims' files and demands ransom payments in cryptocurrency for decryption keys. This particular variant appears to be distributed via a malicious document named in the format "20171103_123456.doc", which is purportedly linked to scanned images from a Sharp MX-2600N multifunction printer (MFP). The mention of ".asasin" and "Scanned image from MX-2600N" suggests that the malware may be masquerading as or delivered through scanned documents, potentially exploiting trust in scanned files or automated workflows involving MFPs. The technical details indicate a low severity threat level with no known exploits in the wild at the time of publication, and no specific affected product versions are listed. The absence of patch links and CWE identifiers suggests this is not a vulnerability in software but rather a malware campaign leveraging social engineering and file delivery mechanisms. Locky ransomware typically encrypts user files, impacting confidentiality and availability by denying access to critical data. The delivery via scanned document filenames implies targeting of office environments where scanned documents are commonly handled, potentially affecting enterprise networks that integrate MFPs into their document workflows. The threat level '3' and analysis score '1' indicate a relatively low immediate risk, possibly due to limited distribution or effective mitigations already in place at the time. However, Locky ransomware variants have historically caused significant disruption when successful, emphasizing the need for vigilance.

Potential Impact

For European organizations, the impact of this Locky ransomware variant could manifest primarily as disruption to business operations due to encrypted files, leading to potential data loss and downtime. Organizations relying heavily on multifunction printers and automated document workflows may be at increased risk if scanned documents are used as vectors for infection. The confidentiality of sensitive documents could be compromised if backups are insufficient or if the ransomware spreads laterally within networks. While the severity is rated low for this specific variant, the general Locky ransomware family has caused substantial financial and operational damage globally. European enterprises in sectors such as finance, healthcare, and public administration, which handle large volumes of scanned documents and have critical data dependencies, could face operational interruptions and reputational harm. Additionally, the offline nature of the threat suggests that infection may occur through internal vectors rather than remote exploits, emphasizing the importance of internal security controls. The lack of known exploits in the wild at the time reduces immediate risk but does not eliminate the potential for future variants or related campaigns targeting European organizations.

Mitigation Recommendations

To mitigate this threat effectively, European organizations should implement targeted controls beyond generic advice:

1) Harden multifunction printer (MFP) security by ensuring firmware is up to date, disabling unnecessary services, and restricting access to scanning and file-sharing features to authorized users only.
2) Implement strict email and document scanning policies to detect and quarantine suspicious files, especially those mimicking scanned documents or containing macros.
3) Enforce network segmentation to isolate MFPs and scanning devices from critical IT infrastructure to prevent lateral movement of malware.
4) Deploy endpoint detection and response (EDR) solutions capable of identifying ransomware behaviors, including unusual file encryption activities.
5) Conduct regular user training focused on recognizing phishing attempts and suspicious document handling, emphasizing the risks of opening unexpected scanned documents.
6) Maintain robust, tested offline backups of critical data to enable recovery without paying ransom.
7) Monitor network traffic for anomalies related to ransomware communication patterns, even if no known exploits are currently active.

These measures, tailored to the specific delivery vector and operational context of the threat, will reduce the likelihood and impact of infection.


Technical Details

Threat Level: 3
Analysis: 1
UUID: 5a044feb-cda0-4844-b5f0-2214950d210f
Original Timestamp: 1510261077

Indicators of Compromise


Threat ID: 682b810a8ee1a77b717be207

Added to database: 5/19/2025, 7:05:46 PM

Last enriched: 6/18/2025, 7:34:52 PM

Last updated: 8/17/2025, 1:54:07 AM
