
What is Locky Ransomware?

Locky is ransomware that encrypts files on Windows systems. Once encrypted, the files are unreadable until they are decrypted, and the attackers demand a ransom in exchange for the decryption key.

Security researchers first observed Locky in February 2016. At the time it was among the most significant malware threats in the wild: more than 50,000 infection attempts were observed in a single day. Locky is now considered inactive; its last large campaigns were seen in late 2017.

How does Locky ransomware spread?

Locky spreads through social engineering. Targets receive fraudulent emails, typically disguised as payment invoices; past subject lines have included “Upcoming Payment—1 Month Notice”. The implied urgency prompts recipients to open the attachment.

Locky emails carry an attached document, usually a Word file. When it is opened, the document asks the user to enable macros, claiming this is needed to display the content correctly. Once the user complies, the macro runs a malicious script that downloads the Locky payload and executes it.

Encryption begins immediately afterwards. Part of what made Locky dangerous is the range of file types it targets: documents, images, databases, source code and more are encrypted, and each encrypted file is renamed with an identifier and a Locky extension, so the original file names are lost as well.

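The macro-bearing attachment is the one step of this chain that a mail gateway can stop before a user ever sees the lure. The following is an added example, not code from the original article or from Check Point: it detects a VBA project inside either an OOXML container (a vbaProject.bin part) or a legacy OLE document (the _VBA_PROJECT stream name), and also flags script files, alone or inside a zip, of the kind ransomware malspam uses as first-stage downloaders. The sample attachments are constructed in memory and are not real malware; the SCRIPT_EXTENSIONS block-list is a policy assumption of the example, not something the article prescribes.

```python
import io
import os
import zipfile

# Container magic for the two Office document formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsm (zip container)

# Script-type attachments that ransomware malspam also uses as first-stage downloaders.
# Blocking these outright is a policy choice assumed for this example, not a rule from the article.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}


def has_vba_macros(data: bytes) -> bool:
    """Return True if an Office document carries a VBA project, whatever its file extension says."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                # OOXML keeps macros in a vbaProject.bin part; a .docm renamed to .docx still has it.
                return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):
        # Compound File directory entry names are UTF-16LE, and a VBA project always has a
        # _VBA_PROJECT stream. This is a cheap heuristic; a real parser (e.g. oletools) walks
        # the directory properly instead of searching for the name.
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def zipped_script_names(data: bytes) -> list:
    """List members of a zip attachment whose extension is in SCRIPT_EXTENSIONS."""
    if not data.startswith(ZIP_MAGIC):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [name for name in archive.namelist()
                    if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be blocked before it reaches a user's inbox."""
    reasons = []
    ext = os.path.splitext(filename)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script/executable attachment ({ext})")
    if has_vba_macros(data):
        reasons.append("document contains a VBA macro project")
    inner = zipped_script_names(data)
    if inner:
        reasons.append("archive contains scripts: " + ", ".join(inner))
    return {"file": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


# --- Constructed sample attachments (not real malware) ----------------------------------

def make_ooxml(with_macros: bool) -> bytes:
    """Minimal OOXML-shaped zip: a docx-like container, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 24)
    return buf.getvalue()


def make_zip(members: dict) -> bytes:
    """Plain zip archive built from name -> content members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Stand-ins for legacy .doc files: OLE header, padding, then one directory-entry name.
FAKE_LEGACY_DOC_WITH_VBA = OLE_MAGIC + b"\0" * 504 + "_VBA_PROJECT".encode("utf-16-le")
FAKE_LEGACY_DOC_CLEAN = OLE_MAGIC + b"\0" * 504 + "WordDocument".encode("utf-16-le")


if __name__ == "__main__":
    samples = [
        ("Invoice_2016.docm", make_ooxml(True)),
        ("Invoice_2016.docx", make_ooxml(False)),
        ("Invoice_2016.doc", FAKE_LEGACY_DOC_WITH_VBA),
        ("Upcoming_Payment.zip", make_zip({"Payment_notice.js": "// downloader stub"})),
        ("Upcoming_Payment.zip", make_zip({"Payment_notice.pdf": "%PDF-1.4"})),
    ]
    for name, blob in samples:
        print(triage_attachment(name, blob))
```

The check is deliberately keyed on the container contents rather than the file extension: the Locky lure works because the user trusts an "invoice" document, and a gateway that trusts the .docx suffix makes the same mistake.
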
How does an infection with Locky manifest?

Organizations hit by Locky typically saw a ransom note displayed on the affected computer's screen. Victims were primarily US-based; as the campaign grew, victims emerged in other regions as well, but their numbers trailed far behind the US.

[Chart: Locky ransomware attacks by country]

Encrypted files carried extensions such as .aesir, .asasin, .diablo6, .locky, .osiris, .ykcol, .zzzzz and others; each Locky variant used its own extension.

Locky-infected systems also contained ransom notes with file names such as:

  • _HELP_instructions.html
  • asasin-{random characters}.htm
  • DesktopOSIRIS.htm
  • diablo6-{random characters}.htm
  • HELP_Recover_Files_.html
  • ykcol-{random characters}.htm
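
The extensions and note names above are the host-side indicators a responder would sweep for. The following is an added example, not from the original article: it walks a directory tree, classifies each file as encrypted, ransom note or clean using those indicators, and summarizes how far the infection spread. The sample tree is constructed in a temporary directory with placeholder contents. The .osiris and .ykcol extensions are included because the note names DesktopOSIRIS.htm and ykcol-{random characters}.htm listed above belong to those variants.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions Locky appended to encrypted files and the ransom note names it dropped,
# as listed above. Both are treated as host indicators of compromise.
LOCKY_EXTENSIONS = {".aesir", ".asasin", ".diablo6", ".locky", ".osiris", ".ykcol", ".zzzzz"}
RANSOM_NOTE_PATTERNS = [
    re.compile(r"^_HELP_instructions\.html$", re.IGNORECASE),
    re.compile(r"^HELP_Recover_Files_\.html$", re.IGNORECASE),
    re.compile(r"^DesktopOSIRIS\.htm$", re.IGNORECASE),
    re.compile(r"^(asasin|diablo6|ykcol)-\w+\.htm$", re.IGNORECASE),  # "-{random characters}.htm"
]


def classify(filename: str) -> str:
    """Return 'encrypted', 'note' or 'clean' for a single file name."""
    if Path(filename).suffix.lower() in LOCKY_EXTENSIONS:
        return "encrypted"
    if any(pattern.match(filename) for pattern in RANSOM_NOTE_PATTERNS):
        return "note"
    return "clean"


def scan_tree(root: str) -> dict:
    """Walk a directory tree and collect paths that look like Locky artefacts."""
    hits = {"encrypted": [], "note": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            kind = classify(name)
            if kind != "clean":
                hits[kind].append(os.path.join(dirpath, name))
    return hits


def summarize(hits: dict, root: str) -> dict:
    """Reduce raw hits to what a responder wants first: scope and spread."""
    affected = {Path(p).parent.relative_to(root).as_posix()
                for kind in hits for p in hits[kind]}
    return {
        "encrypted_count": len(hits["encrypted"]),
        "note_count": len(hits["note"]),
        "affected_dirs": sorted(affected),
        # A note without encrypted files still means the ransomware ran; either is a positive.
        "infected": bool(hits["encrypted"] or hits["note"]),
    }


# --- Constructed sample tree (file names only; contents are placeholders) ----------------

SAMPLE_FILES = [
    "Users/alice/Documents/report.docx",                                # untouched
    "Users/alice/Documents/A1B2C3D4E5F60718293A4B5C6D7E8F90.locky",     # renamed and encrypted
    "Users/alice/Documents/_HELP_instructions.html",                    # ransom note
    "Users/alice/Desktop/0123ABCD-1234-5678-9ABC-DEF012345678.osiris",  # encrypted
    "Users/alice/Desktop/DesktopOSIRIS.htm",                            # ransom note
    "Shares/finance/ledger.xlsx",                                       # untouched
    "Shares/finance/0011223344556677-8899AABBCCDDEEFF.ykcol",           # encrypted
    "Shares/finance/ykcol-a1b2.htm",                                    # ransom note
    "Shares/finance/locky_report.txt",                                  # name contains 'locky' but is clean
    "Windows/System32/drivers/etc/hosts",                               # untouched
]


def build_sample_tree(root: str) -> None:
    for rel in SAMPLE_FILES:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder")


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp), tmp)


if __name__ == "__main__":
    print(run_demo())
```

Run scan_tree against a mounted disk image or a share root; the affected_dirs list shows which shares were reachable from the infected account, which is usually the quickest way back to the workstation where the macro was enabled.
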

How has Locky ransomware been distributed?

Locky has been distributed both by exploit kits and by malspam. On the malspam side, the Necurs botnet was responsible for much of the volume, pushing the campaigns out in very large waves.

Locky encryption

Locky does not stop at the infected host: it encrypts files on local drives, removable media and any network shares the infected user can reach, including unmapped shares, so a single compromised workstation can take a large part of a network's shared data out of service. It also deletes Volume Shadow Copies, removing the local restore points that might otherwise be used for recovery. Files may be inaccessible and, without backups, permanently lost.

Organizations that have paid for file restoration may find themselves targeted by future campaigns, having shown that they will pay. Payments are demanded in Bitcoin; every transaction is recorded on the public blockchain, but the addresses are pseudonymous, which makes attributing a payment to a person difficult.

Data taken during a ransomware intrusion may also be sold on underground markets or used to commit fraud.

Locky downloader variants

Check Point Research observed more than ten distinct Locky downloader variants: different first-stage documents and scripts that all fetched the same ransomware payload.

Threat detection technologies and Locky ransomware

Appropriate threat prevention technologies can block Locky-infected documents before they reach users:

  • Sandboxing detonates the attachment and identifies Locky by its behavior (macro execution, payload download, mass file encryption) rather than by signature.
  • Threat extraction strips active content such as macros from attachments before delivery, or blocks suspicious attachments outright.
  • Anti-virus catches known Locky documents and payloads by signature.
  • Anti-bot technology blocks the command-and-control traffic Locky uses to register the infection and fetch its per-victim key; later variants added an offline fallback, so this is a layer, not a guarantee.

Threat prevention and Locky ransomware

  • Back up files regularly and keep the backups offline or otherwise unreachable from the network; ransomware that can reach a network share can encrypt a backup stored there too.
  • Avoid unverified attachments. Encourage employees to ask the IT team for guidance when they receive an unsolicited email asking them to open an attachment.
  • Keep software up to date. Regular patching closes the browser and plugin vulnerabilities that exploit-kit delivery relies on.
  • Disable macros by default, centrally where possible (Office includes a policy to block macros in files that came from the internet), and train staff that a document asking them to "Enable Content" is the attack itself. Macros should only be enabled for documents from a verified sender that genuinely need them.

For more on Locky ransomware, ransom malware, ransomware attacks in 2020 or ransomware attacks in 2021, visit Cyber Talk.