
M2M - Locky Affid=3, ".asasin" 2017-11-02 : "Scan" - "Scan00123.doc"

Low
Published: Thu Nov 09 2017 (11/09/2017, 00:00:00 UTC)
Source: CIRCL
TLP: white

Description

M2M - Locky Affid=3, ".asasin" 2017-11-02 : "Scan" - "Scan00123.doc"

AI-Powered Analysis

AI analysis last updated: 06/18/2025, 19:33:17 UTC

Technical Analysis

This CIRCL event records one sample from the Locky ransomware campaign run under affiliate ID 3 (Affid=3), which at the time appended the ".asasin" extension to the files it encrypted. The event is dated 2017-11-02 and the lure is a "Scan" themed email carrying an attachment named "Scan00123.doc", the classic fake scanned-document malspam. Locky is a well-known ransomware family that encrypts a victim's files and demands payment for the decryption key. The attachment is the delivery stage: the user has to open it, after which the document runs or drops the payload, typically through a macro, although the event itself does not state the mechanism. The fifteen listed download URLs share one of two path tokens (kjh765e46 and O77enbdGF5) across otherwise unrelated hosts, which is the usual shape of a Locky downloader stage fetching the payload from compromised third-party websites; the page does not label the URLs, so treat that reading as an inference from the indicator list. No affected software versions or patches are listed because this is malware delivered by social engineering, not an exploit of a specific product; the only precondition is that a user opens the attachment, and no authentication or elevated privilege is required. The threat level of 3 is the MISP "Low" level and matches the severity shown above; it reflects the source's triage of the event, not an absence of activity, since the URL, domain and IP lists are observed distribution infrastructure for this campaign. Locky's impact is on availability (files are rendered inaccessible) and only indirectly on confidentiality; the family is not known to exfiltrate the files it encrypts.

Potential Impact

For European organizations the impact is the usual ransomware one: encrypted workstations and file shares, operational disruption, possible data loss, and the cost of recovery or of a ransom. Sectors with heavy document workflows, such as healthcare, legal, finance and public administration, are the natural audience for a "scanned document" lure. The source's low severity reflects its triage of the event, not the reach of a malspam campaign, which can land in many mailboxes within hours; organizations with weak mail filtering, untrained users or no endpoint detection are the ones that will see infections. Several of the listed download hosts sit on .de, .be, .nl and .co.uk domains, so outbound traffic to them will not look unusual from a European network. An encryption incident also has a GDPR dimension: under GDPR, a ransomware incident that makes personal data unavailable can itself be a notifiable breach, and recovery depends on backups that were actually tested. Confidentiality exposure is indirect, since Locky encrypts rather than exfiltrates, but incident response and any ransom negotiation still involve handling of the affected data.

Mitigation Recommendations

To mitigate this threat, European organizations should:

1) Filter inbound mail for Office attachments that carry macros, especially generic "scan" lures such as "Scan00123.doc"; a scanned document arriving as a macro-enabled .doc from an unknown sender has no legitimate reason to exist.
2) Enforce a macro policy in Office applications: macros disabled by default, and only digitally signed macros from trusted publishers allowed to run.
3) Run regular, scenario-based user awareness training on phishing and on unsolicited attachments.
4) Keep offline or immutable backups and test restores regularly, so that recovery never depends on paying.
5) Use endpoint detection and response (EDR) with behavioural detection, so that mass file renaming and encryption (here, to the ".asasin" extension) is caught early.
6) Segment the network to limit how far a single infected workstation can reach, in particular to file shares.
7) Follow threat intelligence on Locky variants and adjust filters and detections as the campaign rotates its lures and download hosts.
8) Apply least privilege so the ransomware runs with no more access than the user who opened the attachment.
9) Use the indicators below directly: block or alert on the listed URLs and hashes, and search proxy logs and mail gateways for them. Prefer URL-level over domain-level blocking where possible; the listed hosts (a tree service, a print shop, a hosting VPS, among others) look like ordinary compromised sites, and domain-level blocks will age badly once those sites are cleaned up. Treat the IP addresses the same way; they are the resolved addresses of the listed domains and may also serve unrelated sites.


Technical Details

Threat Level: 3 (MISP threat level 3 = Low, matching the severity above)
Analysis: 1 (MISP analysis state 1 = Ongoing)
Uuid: 5a044f31-7dec-4bf7-b031-cc6f950d210f
Original Timestamp: 1510258864 (2017-11-09 20:21:04 UTC)

Indicators of Compromise

Hash (one sample, three digests; the SHA-1 and SHA-256 were cross-checked via VirusTotal against the MD5)

MD5      caf3575a95198ee925f2dfdeba2e78f3
SHA-1    2f267d5e2fb9d6ae818d5caa7f2fa508daf09d67
SHA-256  0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543

Url

http://heart-sp.com/kjh765e46
http://jimhalltreeservice.com/kjh765e46
http://laslechuzas.cl/kjh765e46
http://l-up.net/kjh765e46
http://maeserdruck.com/kjh765e46
http://nikom.be/kjh765e46
http://olafpleuger.de/kjh765e46
http://internet-webshops.de/O77enbdGF5
http://ist-profy.ru/O77enbdGF5
http://lvps212-67-205-60.vps.webfusion.co.uk/O77enbdGF5
http://matternomatter.com/O77enbdGF5
http://m.monteschiavo.com/O77enbdGF5
http://minascriptandart.nl/O77enbdGF5
http://hilaryandsavio.com/O77enbdGF5
http://verwadirephen.info/p66/O77enbdGF5

Domain

heart-sp.com
jimhalltreeservice.com
laslechuzas.cl
l-up.net
maeserdruck.com
nikom.be
olafpleuger.de
internet-webshops.de
ist-profy.ru
lvps212-67-205-60.vps.webfusion.co.uk
matternomatter.com
m.monteschiavo.com
minascriptandart.nl
hilaryandsavio.com
verwadirephen.info

Ip (address, and the listed domain it was resolved from; nikom.be and verwadirephen.info have no address in the event)

111.68.20.150    heart-sp.com
74.200.89.171    jimhalltreeservice.com
174.142.133.96   laslechuzas.cl
89.104.72.196    l-up.net
194.208.76.18    maeserdruck.com
87.230.95.138    olafpleuger.de
217.160.224.147  internet-webshops.de
90.156.144.159   ist-profy.ru
212.67.205.60    lvps212-67-205-60.vps.webfusion.co.uk
149.3.135.72     matternomatter.com
195.96.193.23    m.monteschiavo.com
85.17.104.175    minascriptandart.nl
72.249.127.194   hilaryandsavio.com

Link

https://www.virustotal.com/file/0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543/analysis/1509892391/ (VirusTotal analysis of the SHA-256; cross-checked via VT against MD5 caf3575a95198ee925f2dfdeba2e78f3)
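The following script is an added example for this page and is not part of the CIRCL event or of any vendor tooling. It turns the indicator tables above into something a SOC can run, covering both the "use the indicators directly" item in the mitigation list and the IOC tables themselves: it builds three lookups from the URL list (exact URL, hostname only, and the recurring last path segment), classifies URLs found in proxy log lines by the strongest match, and checks a file's digests against the three listed hashes. The path-segment rule deliberately goes beyond the list: the same token recurs on unrelated hosts, so an unlisted host serving it is flagged as a probable mirror. The indicator values are copied from the page; the proxy log format (epoch, client, method, URL, status) and the sample lines are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Match this event's indicators against proxy logs and file digests.

Added example for this page; not part of the CIRCL event. Indicator values
are copied from the IOC tables above. The proxy log format (epoch, client,
method, URL, status) and the sample lines below are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Three digests of the single sample listed on the page (MD5, SHA-1, SHA-256).
KNOWN_HASHES = {
    "caf3575a95198ee925f2dfdeba2e78f3",
    "2f267d5e2fb9d6ae818d5caa7f2fa508daf09d67",
    "0f9ca5c555ddf4b5b29573ea1a513a69555afcfd0b1d3fa8f441bc6991bce543",
}

# Download URLs as listed in the event.
KNOWN_URLS = [
    "http://heart-sp.com/kjh765e46",
    "http://jimhalltreeservice.com/kjh765e46",
    "http://laslechuzas.cl/kjh765e46",
    "http://l-up.net/kjh765e46",
    "http://maeserdruck.com/kjh765e46",
    "http://nikom.be/kjh765e46",
    "http://olafpleuger.de/kjh765e46",
    "http://internet-webshops.de/O77enbdGF5",
    "http://ist-profy.ru/O77enbdGF5",
    "http://lvps212-67-205-60.vps.webfusion.co.uk/O77enbdGF5",
    "http://matternomatter.com/O77enbdGF5",
    "http://m.monteschiavo.com/O77enbdGF5",
    "http://minascriptandart.nl/O77enbdGF5",
    "http://hilaryandsavio.com/O77enbdGF5",
    "http://verwadirephen.info/p66/O77enbdGF5",
]

URL_RE = re.compile(r"https?://\S+")


def path_token(path):
    """Last path segment, e.g. '/p66/O77enbdGF5' -> 'O77enbdGF5'."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def build_index(urls):
    """Three lookups of decreasing confidence built from the URL list.

    exact  - (host, path) pairs exactly as listed: block or alert outright.
    hosts  - hostnames alone: the sites look like compromised third parties,
             so a hit on another path is a triage lead, not proof.
    tokens - last path segment: the same token recurs on unrelated hosts, so
             an unlisted host serving it is probably another campaign mirror.
    """
    exact, hosts, tokens = set(), set(), set()
    for u in urls:
        p = urlsplit(u)
        host = p.hostname.lower()
        exact.add((host, p.path))
        hosts.add(host)
        tokens.add(path_token(p.path))
    return exact, hosts, tokens


def classify_url(url, index):
    """Strongest indicator class an observed URL matches, or None."""
    exact, hosts, tokens = index
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if (host, p.path) in exact:
        return "exact-url"
    if host in hosts:
        return "known-host"
    if path_token(p.path) in tokens:
        return "path-token"
    return None


def scan_proxy_log(text, index):
    """Return (line_no, class, url) for every log line whose URL matches."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = URL_RE.search(line)
        if m and (cls := classify_url(m.group(0), index)):
            hits.append((n, cls, m.group(0)))
    return hits


def is_known_hash(hexdigest):
    """True if a digest string (any case, any of the three algorithms) is listed."""
    return hexdigest.strip().lower() in KNOWN_HASHES


def digest_hits(data):
    """Hash file bytes three ways; return {algorithm: digest} for listed digests."""
    digests = {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}
    return {a: d for a, d in digests.items() if d in KNOWN_HASHES}


# Constructed proxy log lines; only line 1 is benign.
SAMPLE_PROXY_LOG = """\
1509892400 10.1.2.3 GET http://www.example.org/index.html 200
1509892401 10.1.2.3 GET http://heart-sp.com/kjh765e46 200
1509892402 10.1.2.7 GET http://nikom.be/about/ 200
1509892403 10.1.2.9 GET http://not-on-the-list.example/O77enbdGF5 200
"""

if __name__ == "__main__":
    index = build_index(KNOWN_URLS)
    for n, cls, url in scan_proxy_log(SAMPLE_PROXY_LOG, index):
        print(f"line {n}: {cls:<10} {url}")
    print("digest hits on benign bytes:", digest_hits(b"not the sample"))
```

Run against a real proxy export by replacing SAMPLE_PROXY_LOG with the file contents; the three classes map to three response levels (block, triage, investigate the host as a new mirror), which is the practical answer to the domain-versus-URL blocking question raised in the mitigation list.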

Threat ID: 682b810a8ee1a77b717be297

Added to database: 5/19/2025, 7:05:46 PM

Last enriched: 6/18/2025, 7:33:17 PM

Last updated: 8/17/2025, 2:23:20 PM
