The Wrath of Locky Ransomware!


‘Locky’ is a ransomware family that gained momentum in 2016. It has been one of the most widespread and alarming ransomware strains seen so far, and at one point became one of the most common forms of malware in its own right. It has seen numerous improvements since it was first spotted in February 2016. Now the ransomware is back with two variants, namely ‘Diablo6’ and ‘.Lukitus’ (the extensions they use for encrypted files), both of which are rumored to be in circulation via spam emails, in the form of PDF attachments with embedded ‘.DOCM’ files.

As part of the campaign spreading Locky, over 27 million spam emails are said to have been sent in a single 24-hour period, as observed by AppRiver researchers. The subject lines used were “please print”, “documents”, “photo”, “images”, “scans” and “pictures”, though they may change in targeted spear-phishing campaigns. Once the attachment is opened, the VBS (Visual Basic Script) file downloads the ransomware, which encrypts all the files on the affected system. To decrypt the files, it demands a ransom in bitcoin; the ransom can be anywhere from 0.5 to 1 bitcoin (one bitcoin varies in value between 500 and 1000 Euros on a bitcoin exchange).

How does it work?

Just like the WannaCry ransomware, the scope and magnitude of this ransomware are massive. In February 2016 the Hollywood Presbyterian Medical Center in Los Angeles, California became infected with Locky ransomware. It locked the staff's computers and all of the hospital's electronic records, infecting systems throughout the facility. To acquire the decryption key and restore its data, the hospital paid a ransom of 40 Bitcoins. Allen Stefanek, president of the Hollywood Presbyterian Medical Center, said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Cyber criminals have developed several ways to infect computers with the Locky virus and similar ransomware. They try to convince their victims to open attached documents, which are often presented as important notifications from business partners, governmental authorities and similar sources. ‘Locky’ is disguised as a Word file presented as an ‘Invoice’, which asks its victims to enable macros; the macros activate the malware without the victims' knowledge. It can also be hidden on illegal or untrustworthy websites filled with adult and similar content. The document itself is gibberish and prompts the user to enable macros in order to view it, which eventually launches the Locky ransomware. Once launched, it loads into the memory of the user's system, stores the encrypted data as hash.locky files, and installs .bmp and .txt files; it can also encrypt network files that the user has access to. Most ransomware uses macros and attachments to spread its infection, but Locky uses a different route as well, being installed by a Trojan or through a previous exploit.

How do I protect myself?

There are a few ways to secure your data and cushion the damage in case of a ransomware attack.

  1. One trusted precaution is to back up your data offline, on isolated systems and drives, or to keep a cloud backup.
  2. Keep your security software and OS (operating system) up to date.
  3. Do not open any email you receive from an untrusted source, or spam emails.
  4. Use an up-to-date, industry-leading antivirus product which has features such as anti-ransomware scans.
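As an added defensive illustration that is not part of the original article, the script below turns the indicators named above (the lure subject lines, the macro-enabled .DOCM and VBS attachments arriving as PDF lures, and the .locky, .diablo6 and .lukitus extensions) into a triage pass over mail-gateway log lines and a sweep for already-encrypted file names. The log format, the `example.test` internal domain, the sample lines and the scoring weights are all constructed assumptions.

```python
import os
from typing import Dict, List, Tuple

# Indicators named in the article: lure subject lines used by the spam run,
# attachment types that carry the downloader (macro-enabled .DOCM, VBS, and
# the PDF wrapper), and extensions the variants append to encrypted files.
LURE_SUBJECTS = {"please print", "documents", "photo", "images", "scans", "pictures"}
DROPPER_EXTENSIONS = {".docm", ".vbs", ".pdf"}
ENCRYPTED_EXTENSIONS = {".locky", ".diablo6", ".lukitus"}
INTERNAL_DOMAIN = "@example.test"  # assumed internal mail domain (placeholder)

# Constructed mail-gateway log lines, not real traffic: sender|subject|attachment
SAMPLE_MAIL_LOG = [
    "accounts@partner-invoices.test|Please Print|scan_0042.docm",
    "hr@example.test|Q3 planning notes|agenda.docx",
    "noreply@photo-share.test|photo|IMG_7731.pdf",
    "it@example.test|Documents|",
]

def score_message(sender: str, subject: str, attachment: str) -> Tuple[int, List[str]]:
    """Return a suspicion score for one message and the reasons behind it."""
    score, reasons = 0, []
    if subject.strip().lower() in LURE_SUBJECTS:
        score += 2
        reasons.append(f"lure subject {subject!r}")
    ext = os.path.splitext(attachment.lower())[1]
    if ext in DROPPER_EXTENSIONS:
        # A bare PDF is common business mail, so it weighs less than a
        # macro-enabled document or a script arriving directly.
        score += 1 if ext == ".pdf" else 2
        reasons.append(f"dropper-type attachment {attachment!r}")
    if not sender.lower().endswith(INTERNAL_DOMAIN):
        score += 1
        reasons.append("external sender")
    return score, reasons

def triage_mail_log(lines: List[str], threshold: int = 3) -> List[Dict]:
    """Flag log lines whose combined indicators reach the threshold."""
    flagged = []
    for line in lines:
        sender, subject, attachment = line.split("|", 2)
        score, reasons = score_message(sender, subject, attachment)
        if score >= threshold:
            flagged.append({"sender": sender, "subject": subject, "score": score, "reasons": reasons})
    return flagged

def find_encrypted_files(filenames: List[str]) -> List[str]:
    """Names with an extension Locky appends after encryption: the host is already hit."""
    return [f for f in filenames if os.path.splitext(f.lower())[1] in ENCRYPTED_EXTENSIONS]
```

A hit from `find_encrypted_files` on a shared drive is the cue to isolate the host before the network files the article mentions are touched.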

Tim Erlin, Vice President of Tripwire (a security and compliance company), said, “Adopting best practices and leveraging critical security controls continues to be the best bet for defending against advanced adversaries, and can help close the gap within a business’ security infrastructure.”