Skip to main content

Operator dossier

locky (also tracked as Locky-Odin, Locky-Osiris, Locky-Osiris 2016, Locky-Osiris 2017) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 3 public victims claimed by this operator between March 18, 2016 and December 12, 2016. Locky is a ransomware family that emerged in March 2016 as a financially motivated threat, operating through a ransomware-as-a-service model that enabled multiple affiliates to deploy the malware against targets worldwide. The ransomware is believed to have originated from Russian-speaking cybercriminal groups and was distributed through the Necurs botnet and other established malware distribution networks. Locky primarily gained initial access through malicious email attachments, particularly macro-enabled Microsoft Office documents, and was notable for its use of sophisticated encryption algorithms including AES and RSA to lock victim files, with operators typically exfiltrating sensitive data before encryption to enable double extortion tactics. The ransomware gained significant notoriety for targeting critical infrastructure sectors including healthcare facilities, emergency services, and government organizations primarily in the United States, with some variants demanding ransoms equivalent to hundreds of thousands of dollars. While Locky experienced periods of high activity between 2016 and 2018, its operations have significantly diminished in recent years, with security researchers observing minimal new campaign activity since 2019, though the underlying infrastructure and techniques have influenced subsequent ransomware families.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

locky

aka Locky-Odin, Locky-Osiris, Locky-Osiris 2016, Locky-Osiris 2017 · 3 victims indexed · first seen 10 years ago · last activity 10 years ago

3
Victims indexed
#280 of 364 tracked operators
9m
Active period
Mar 2016 → Dec 2016
1
Countries hit
top US · 3

At a glance

Status
inactive
Aliases
Locky-Odin, Locky-Osiris, Locky-Osiris 2016, Locky-Osiris 2017
First seen
10 years ago
Last activity
10 years ago
Primary sector
Emergency Services · 1 hits

About

Locky is a ransomware family that emerged in March 2016 as a financially motivated threat, operating through a ransomware-as-a-service model that enabled multiple affiliates to deploy the malware against targets worldwide. The ransomware is believed to have originated from Russian-speaking cybercriminal groups and was distributed through the Necurs botnet and other established malware distribution networks. Locky primarily gained initial access through malicious email attachments, particularly macro-enabled Microsoft Office documents, and was notable for its use of sophisticated encryption algorithms including AES and RSA to lock victim files, with operators typically exfiltrating sensitive data before encryption to enable double extortion tactics. The ransomware gained significant notoriety for targeting critical infrastructure sectors including healthcare facilities, emergency services, and government organizations primarily in the United States, with some variants demanding ransoms equivalent to hundreds of thousands of dollars. While Locky experienced periods of high activity between 2016 and 2018, its operations have significantly diminished in recent years, with security researchers observing minimal new campaign activity since 2019, though the underlying infrastructure and techniques have influenced subsequent ransomware families.

References

6 links

External sources curated by the MISP threat-intel community.

Timeline

3 months
2016-03-01T00:00:00+00:00 · 12016-05-01T00:00:00+00:00 · 12016-12-01T00:00:00+00:00 · 1
2016-03-01T00:00:00+00:002016-12-01T00:00:00+00:00

Top countries

🇺🇸 United States
3

Top sectors

Emergency Services
1
Healthcare and Public Health
1
Government Facilities
1

MITRE ATT&CK

4 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

Recent victims

Loading…

Source

Updated 10 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time locky posts a victim.

Add locky to your watchlist — Pro pings you within 5 minutes of any new locky leak-site post, Telegram callout, or affiliate-rebrand inference.