Packed Locky (SHA-1: b4dc5f5d47b87baa0be87afda5ccee1f00497984)
Unpacked Locky first-layer (SHA-1: 5ed85179386ae994b5ed8ef3a60a2ec5134bd68a)
Locky ransomware appears to have altered its payload encryption; it also relies heavily on dynamic API loading when invoking calls and gzip-encodes its traffic.
C2 (POST /checkupdate):
POST requests (now gzip-encoded):