M2M - Locky Affid=3, ".asasin" 2017-11-02 : "Scan" - "Scan00123.doc"
AI Analysis
Technical Summary
The event describes a Locky ransomware campaign from early November 2017, filed as "M2M - Locky Affid=3, ".asasin"". Locky is the file-encrypting ransomware family that renames encrypted files with a campaign-specific extension, here ".asasin"; "Affid=3" is most plausibly the affiliate identifier carried in the payload's configuration, which records which distributor's campaign a sample belongs to; the origin of the "M2M" prefix is not stated on the page. Delivery was a malicious Word document named "Scan00123.doc", circulated as a supposed scanner attachment ("Scan" in the title is the lure theme). The page gives no detail on how the document executes code, so whether this sample used VBA macros, another Office feature or an exploited vulnerability cannot be determined from it. What the indicator list does show is a set of URLs on fifteen hosts that look like ordinary legitimate websites (so most likely compromised) and share one of two paths, "/kjh765e46" and "/O77enbdGF5"; that is the usual shape of a document-stage downloader that tries a list of hosts for the same payload. The sample itself is identified by one MD5, with a SHA-1 and SHA-256 obtained by cross-checking the MD5 on VirusTotal. The metadata fields (UUID, threat level, analysis, original timestamp) are those of a MISP event: threat level 3 is "Low" on MISP's 1-4 scale and analysis 1 means "Ongoing", which is why the source marks the severity as low. That rating describes how the event was filed, not what a successful infection does. Infection needs only that a user open the attachment, no credentials or exposed services are involved, and a running Locky payload encrypts data on the host and on reachable network shares, hitting availability directly and confidentiality indirectly. The campaign was observed in the wild (samples and live URLs were captured), so a "no known exploits" reading does not apply; what limits the risk today is that the hosts and hashes date from November 2017 and are useful mainly for retrospective hunting, while the delivery technique, phishing with a scanner-themed Office attachment, remains in constant use.
Potential Impact
For European organizations the consequences of a Locky infection are the familiar ones: files on the endpoint and on every share it can write to are encrypted, work stops until systems are rebuilt or restored, and the cost is whatever restoration, downtime and, where backups fail, the ransom add up to. Sectors that run on document workflows (healthcare, legal, finance, public administration) are the natural targets of a scanner-themed lure, because a "Scan00123.doc" is unremarkable in their inboxes. The source's "low" rating describes the filing of this event, not its effect: one opened attachment is enough, and phishing runs of this kind reach thousands of recipients. Organizations with weak attachment filtering, no macro policy, untrained users or no behavioural endpoint protection carry most of the exposure. Under GDPR, loss of availability of personal data is itself a personal data breach, so an encryption incident can trigger notification duties even though Locky did not exfiltrate data; beyond that, the confidentiality impact is limited to what the attacker can see on the infected host and learn through the payment process. Untested or online-only backups turn a recoverable incident into data loss.
Mitigation Recommendations
To mitigate this threat effectively, European organizations should implement targeted measures beyond generic advice:
1) Filter inbound attachments by content, not name: quarantine or detonate Office documents carrying macros or other active content from external senders. A filename match on "Scan00123.doc" is a weak signal on its own, since the lure name changes from run to run.
2) Enforce a macro policy centrally: disable macros by default, enable the Office "Block macros from running in Office files from the Internet" policy (Office 2016 and later) so mark-of-the-web documents cannot run macros at all, and allow only digitally signed macros from trusted publishers.
3) Run regular, scenario-based awareness training that uses realistic lures such as unsolicited "scanned document" attachments.
4) Keep offline or immutable backups and test restores regularly; Locky encrypts reachable network shares, so a backup the infected host can write to is not a backup.
5) Use endpoint detection and response with behavioural rules: an Office process spawning a child process, and a single process renaming many files to a new extension (here ".asasin"), are both detectable early.
6) Segment the network and restrict write access to file shares to limit what one infected workstation can encrypt.
7) Hunt retrospectively with the indicators below: the two shared URL paths are a better search key in proxy logs than any single host.
8) Apply least privilege so that the payload runs with no more access than the user's own files and shares.
These actions address the delivery method and the operational impact of this Locky variant.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Indicators of Compromise
Sample (one file; the SHA-256 and SHA-1 were obtained by cross-checking the MD5 on VirusTotal, so all three identify the same object):
- hash: caf3575a95198ee925f2dfdeba2e78f3 (MD5)
- hash: 0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543 (SHA-256)
- hash: 2f267d5e2fb9d6ae818d5caa7f2fa508daf09d67 (SHA-1)
- link: https://www.virustotal.com/file/0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543/analysis/1509892391/
URLs observed in the campaign (most likely payload download locations), each with its hosting domain and, where the source recorded it, the resolved IP. All fifteen share one of two paths, "/kjh765e46" on seven hosts and "/O77enbdGF5" on eight, the pattern of a downloader stage trying a list of hosts for the same payload; the path token is therefore a more durable hunting key than any single host.
Path /kjh765e46:
- url: http://heart-sp.com/kjh765e46
- domain: heart-sp.com
- ip: 111.68.20.150
- url: http://jimhalltreeservice.com/kjh765e46
- domain: jimhalltreeservice.com
- ip: 74.200.89.171
- url: http://laslechuzas.cl/kjh765e46
- domain: laslechuzas.cl
- ip: 174.142.133.96
- url: http://l-up.net/kjh765e46
- domain: l-up.net
- ip: 89.104.72.196
- url: http://maeserdruck.com/kjh765e46
- domain: maeserdruck.com
- ip: 194.208.76.18
- url: http://nikom.be/kjh765e46
- domain: nikom.be
- url: http://olafpleuger.de/kjh765e46
- domain: olafpleuger.de
- ip: 87.230.95.138
Path /O77enbdGF5:
- url: http://internet-webshops.de/O77enbdGF5
- domain: internet-webshops.de
- ip: 217.160.224.147
- url: http://ist-profy.ru/O77enbdGF5
- domain: ist-profy.ru
- ip: 90.156.144.159
- url: http://lvps212-67-205-60.vps.webfusion.co.uk/O77enbdGF5
- domain: lvps212-67-205-60.vps.webfusion.co.uk
- ip: 212.67.205.60
- url: http://matternomatter.com/O77enbdGF5
- domain: matternomatter.com
- ip: 149.3.135.72
- url: http://m.monteschiavo.com/O77enbdGF5
- domain: m.monteschiavo.com
- ip: 195.96.193.23
- url: http://minascriptandart.nl/O77enbdGF5
- domain: minascriptandart.nl
- ip: 85.17.104.175
- url: http://hilaryandsavio.com/O77enbdGF5
- domain: hilaryandsavio.com
- ip: 72.249.127.194
- url: http://verwadirephen.info/p66/O77enbdGF5
- domain: verwadirephen.info
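A retrospective sweep over the indicators above, as an added example that is not part of the source event or of any tooling the source uses. It parses a subset of the page's own "- type: value" indicator list (classifying hashes by digest length), then matches constructed proxy-log lines against exact URLs, listed domains and IPs, and the two shared path tokens, so that a host not on the list but serving the same path is still flagged; this deliberately generalises beyond the listed hosts. It also flags files carrying the ".asasin" extension and attachments named like the lure. The log format, the log lines, the unlisted host names, the file paths and the lure-name regular expression (which generalises the single observed name "Scan00123.doc") are assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the indicators listed on this page, in the page's own "- type: value" format.
IOC_TEXT = """
- hash: caf3575a95198ee925f2dfdeba2e78f3
- url: http://heart-sp.com/kjh765e46
- domain: heart-sp.com
- ip: 111.68.20.150
- url: http://internet-webshops.de/O77enbdGF5
- domain: internet-webshops.de
- ip: 217.160.224.147
- url: http://verwadirephen.info/p66/O77enbdGF5
- domain: verwadirephen.info
- hash: 0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543
- hash: 2f267d5e2fb9d6ae818d5caa7f2fa508daf09d67
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # classified by hex digest length


def parse_iocs(text):
    """Return {type: set(values)} from '- type: value' lines; hashes are split by algorithm."""
    iocs = defaultdict(set)
    for m in re.finditer(r"^- (\w+): (\S+)", text, re.M):
        kind, value = m.group(1), m.group(2)
        if kind == "hash":
            kind = HASH_TYPES.get(len(value), "hash")
        if kind != "url":          # URL paths are case-sensitive; everything else is not
            value = value.lower()
        iocs[kind].add(value)
    # The download URLs share a small set of path tokens; the same token on an unlisted
    # host is still the same campaign, so keep the tokens as indicators of their own.
    iocs["path_token"] = {urlsplit(u).path.rsplit("/", 1)[-1] for u in iocs["url"]}
    return iocs


def scan_proxy_log(lines, iocs):
    """Match proxy-log lines of the assumed form 'ts client method url status'.
    Returns [(line_number, matched_indicator, reason)], one entry per hit line."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        s = urlsplit(url)
        host = (s.hostname or "").lower()
        token = s.path.rsplit("/", 1)[-1]
        if url in iocs["url"]:
            hits.append((n, url, "exact url"))
        elif host in iocs["domain"] or host in iocs["ip"]:
            hits.append((n, host, "listed host"))
        elif token in iocs["path_token"]:
            hits.append((n, token, "campaign path token on unlisted host"))
    return hits


# Assumption: the lure name pattern is generalised from the one observed "Scan00123.doc".
LURE_NAME = re.compile(r"^Scan\d{5}\.doc$", re.I)


def scan_file_listing(paths):
    """Flag the variant's '.asasin' extension and attachments named like the lure."""
    findings = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name.lower().endswith(".asasin"):
            findings.append((p, "locky .asasin extension"))
        elif LURE_NAME.match(name):
            findings.append((p, "lure file name"))
    return findings


def check_hashes(observed, iocs):
    """Return the observed digests (MD5, SHA-1 or SHA-256) that match the sample."""
    known = iocs["md5"] | iocs["sha1"] | iocs["sha256"]
    return sorted(h.lower() for h in observed if h.lower() in known)


# Constructed log lines and file paths; only the IOC-listed hosts are real.
SAMPLE_LOG = [
    "1509892300 10.0.0.12 GET http://heart-sp.com/kjh765e46 200",
    "1509892305 10.0.0.12 GET http://example-unlisted.test/O77enbdGF5 200",
    "1509892310 10.0.0.31 GET http://217.160.224.147/favicon.ico 404",
    "1509892320 10.0.0.44 GET https://www.example.com/ 200",
]
SAMPLE_FILES = [
    "C:/Users/alice/Downloads/Scan00123.doc",
    "C:/Users/alice/Documents/Q3-budget.xlsx",
    "C:/Users/alice/Documents/Q3-budget.xlsx.asasin",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in scan_proxy_log(SAMPLE_LOG, iocs):
        print("proxy:", hit)
    for finding in scan_file_listing(SAMPLE_FILES):
        print("file:", finding)
    print("hash:", check_hashes(["CAF3575A95198EE925F2DFDEBA2E78F3", "deadbeef"], iocs))
```

The path-token match is the part worth keeping after the listed hosts go stale: a downloader that rotates through compromised sites keeps the same path across all of them, so one token hit in a proxy log is enough to find victims that fetched the payload from a host nobody listed.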
Technical Details (MISP event fields)
- Threat Level: 3 (Low on MISP's 1-4 scale, where 1 is High)
- Analysis: 1 (Ongoing on MISP's 0-2 scale)
- UUID: 5a044f31-7dec-4bf7-b031-cc6f950d210f
- Original Timestamp: 1510258864 (2017-11-09 20:21:04 UTC)
Threat ID: 682b810a8ee1a77b717be297
Added to database: 5/19/2025, 7:05:46 PM
Last enriched: 6/18/2025, 7:33:17 PM
Last updated: 8/17/2025, 2:23:20 PM