Locky Ransomware : A Destructive Member of Ransomware Family

Ransomware is a form of malware which either locks a victim’s screen called locker ransomware or encrypts their files called crypto-ransomware. Successful ransomware infections allow cyber criminals to demand a sum of money (ransom) from the victim in exchange for restoring their access. The most common algorithms used by this ransomware for encryption are AES 256 bits and RSA 2048 bits.
Ransomware today is a complex, advanced threat, damaging customers in numerous areas around the world, especially people from enlarged and tech-focused economies.
Out of the various Ransomware, “Locky” is the most eminent destructive variant of the ransomware family. Locky doesn’t just affect victim’s C: drive but also scrambles any files in any directory on any mounted drive that it can access, including removable media that are plugged in at the time, or network shares that are accessible, including servers and desktops, whether they are running on Windows, Linux or Mac OS X.


Locky was discovered on the ransomware scene in early 2016. It immediately made a story when the criminals used it to infect the IT systems at the Hollywood Presbyterian Medical Centre. The computer systems of the Hospital were temporarily suspended and then the hospital agreed to pay the ransom demand of 40 Bitcoins which is approximately 17,000 USD. Locky requires victims to pay the sum using the Bitcoin currency, which helps to hide the Locky affiliate’s identities from law enforcement.
In the subsequent months, 4 new variants evolved by Dec 2016 -“.zepto,” “.odin,” “.s hit,” and “.thor.” Each new version primarily relied on phishing and spam mail for distribution. However, Locky also leveraged exploit kits and other means of distribution to make contact with users.

Modus Operandi of Locky

Locky propagates via phishing email campaigns that ploy users to either open malicious Microsoft Office documents and enabling macros or opening JavaScript attachments to download the ransomware. More recently, Locky executables have been delivered as Windows Script Files and Dynamic -Link Libraries (DLL). Once executed, Locky encrypts files and renames them with a .locky extension.
Locky can also infect the computer when the victim visits a hacked site that has an exploit kit on it. These exploit kits scan the computer for vulnerable programs and attempt to exploit them to install and start the ransomware without victim’s knowledge. If an infected user is connected to a network with administrator controls, the damage can be significantly widespread.
In addition to scanning local drives for files to encrypt, Locky also encrypts files on network shares (even unmapped ones) and deletes Shadow Volume Copies so that they can't be used in restoration attempts.

How Locky Gets Installed

  • The victim receives an email containing an attached document (Troj/DocDl-BCF).
  • The attachment/document name resembles a Jargon.
  • The document persuades the victim to enable macros if the text encoding is not correct.
  • When victim enables the macros, they don't actually correct the text encoding (that’s a subterfuge); instead, run code inside the document that saves a file to disk and runs it.
  • The saved file (Troj/Ransom-CGX) serves as a downloader, which fetches the final malware payload from the criminals.
  • The final payload could be anything, but here is usually the Locky Ransomware (Troj/Ransom-CGW).
Once Locky finishes encrypting the victim's files, it changes the victim’s desktop wallpaper to an image that acts like a ransom note. It also displays an HTML ransom note in the default browser. These ransom notes contain instructions on how to connect to the Locky Decryptor page where a victim can learn more about what happened to their files and how they can make a ransom payment.
The developers of Locky have created a payment site called the Locky Decryptor Page. This site can be used by victims to pay the ransom and download a decryptor. The Site will have information about the encrypted files and instructions to pay the ransom. Links to this site can be found in the ransom notes created on the Windows desktop and other locations on the computer.
Once a payment is made, the website will wait for a certain amount of bitcoin confirmations before the private key will be made available. Once there have been enough confirmations, the decryptor will be made available to the victim for download. The decryptor for one victim will NOT work on another victim's computer.

How Locky Infection Can Be Prevented

There is currently no way to decrypt the files that have been encrypted by Locky without paying the ransom. The best way to protect the organization from Locky is to prevent it from landing on computers in the first place.
The end user may follow these measures to avoid Ransomware infection:
  • Perform a regular backup of important data files and folders. Innumerable online resources such as Google Drive, Jio Drive, Dropbox can also be utilized for the backup.
  • Genuine OS, antivirus, browsers, Java, software, Adobe Flash Player etc. should be used. They should be updated with the latest patches to avoid vulnerability and other security product agents.
  • The user should not click on unfamiliar URL links that might redirect them towards malicious or spiteful sites.
  • The user should use pop-up blocker apps, which block malicious pop-up windows from running and executing malware in the background.
  • Make sure that user doesn’t have open admin privileges on the PC. Avoid logging in as an administrator and avoid browsing, opening documents or other regular activities while having administrator rights. This might lead to the installation of unknown applications without a prompt.
  • The user should not open emails from unknown suspicious senders especially emails which are not from a trusted source and are with attachments.
  • The user should not enable macros in document attachments received via email. Microsoft purposely turned off auto-execution of macros by default as a security measure. A lot of malware infections rely on convincing users to turn macros back on.
  • Installation of Microsoft Office viewers can be considered. These viewer applications let users see/preview what documents look like without opening them in Word or Excel itself. The viewer software doesn’t support macros so enabling of macro is not possible

Authored By - Monika Swain
TCS Enterprise Security and Risk Management

Rate this article: 
Average: 3.3 (12 votes)
Article category: