Locky Strikes Again in a New Variant!!

The year 2017 has so far been a rather challenging year for cybersecurity experts around the world. According to a Kaspersky report, Ransomware attacks top the chart of malware threats with an increase of over 250 percent during the first few months of 2017. The number of mobile Ransomware samples detected reached 218,625, compared with 61,832 in the second quarter of the previous year. Global Ransomware damages are predicted to exceed $5 billion this year. Every year more and more variants of Ransomware are being generated: there were 4.3 times as many new Ransomware variants in Q1 2017 as in Q1 2016.
The new name in the league of WannaCry and Petya is Locky Ransomware. In November, the Indian Government issued an alert on the spread of a new variant of Locky Ransomware. It has capabilities similar to those of the original version. This new Ransomware campaign is very aggressive in its approach. As per security experts, close to 20 million attacks were launched by hackers in just one day. Experts have found close to 6000 fingerprints that suggest the attacks are being generated automatically. Usually, Locky is spread through spam emails and the Necurs botnet. Necurs distributes many other pieces of malware as well.

Locky was originally released in February 2016. After taking over a device, the Ransomware demands money in exchange for not compromising the victim’s data. Locky encrypts Windows files and changes the extension of encrypted files to .ykcol. It also has two more new variants, with the extensions .diablo6 and .lukitus. These variants have many similarities with the original Locky: the code of the latest variants is the same as that of the older ones, and the new variants make some callbacks to the older variants.

Locky does not just affect the C drive. It can encrypt files on all the drives. It usually functions the following way:

  1. When the victim executes the attachment in the email, a connection is established with Locky’s server and the Ransomware gets installed.
  2. After installation, it checks whether the victim’s computer is running with Russian as its language. If the language is found to be Russian, the Ransomware does not perform any of the next steps. This can be attributed to the fact that most of these attacks are being generated from Russia.
  3. It scans the drives to isolate the target files. It also targets systems attached to the shared network to identify potential targets.
  4. It encrypts the identified files with the AES algorithm. Apparently, Locky gets its name from its characteristic of preventing the user from accessing files.
  5. Neither the user nor Windows is able to open the infected files. This may result in temporary or permanent downtime for the system.
  6. It changes the desktop wallpaper. The changed wallpaper resembles a typical ransom note, and the use of manipulative social engineering can induce panic in the user.
  7. It changes the home page of the default browser to a ransom note. This ransom note has links that the user must follow to get the infected files decrypted. In return, the user will have to pay around 0.5 Bitcoin, which has an equivalent value of over Rs. 1.5 lakh.
  8. There is a personal ID associated with the infected device. This ID is used to decrypt the files after the ransom is paid. However, the decryption of files takes a lot of time.
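The behaviour in steps 3 to 5 (a sweep across local drives and network shares that renames files to .ykcol, .diablo6 or .lukitus) is something a file-audit log can catch early. The following is an added example, not code from the article: it parses a constructed, hypothetical rename-event log format and raises one alert per user whose Locky-extension renames reach a threshold inside a sliding time window, listing the drives and shares touched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Extensions the article attributes to Locky and its newer variants.
LOCKY_EXTENSIONS = (".ykcol", ".diablo6", ".lukitus")
# Constructed (hypothetical) log format: "<ISO-time> <user> RENAME <old> -> <new>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) RENAME (?P<old>.+?) -> (?P<new>.+)$")
def parse_line(line):
    """Parse one rename event; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "old": m["old"], "new": m["new"]}
def drive_of(path):
    """'C:\\x\\y' -> 'C:'; '\\\\server\\share\\y' -> '\\\\server\\share'."""
    if path.startswith("\\\\"):
        return "\\\\" + "\\".join(path.split("\\")[2:4])
    return path[:2]
def detect(lines, threshold=4, window=timedelta(seconds=60)):
    """One alert per user who renames >= threshold files to a Locky extension
    inside a sliding time window; lists the local drives and shares touched."""
    events = [e for e in map(parse_line, lines)
              if e and e["new"].lower().endswith(LOCKY_EXTENSIONS)]
    events.sort(key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:  # slide the window start
                start += 1
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                alerts.append({"user": user, "count": len(hit),
                               "drives": sorted({drive_of(x["old"]) for x in hit})})
                break
    return alerts
# Constructed sample: alice's host sweeps C:, D: and a share in seconds; bob's rename is benign.
SAMPLE_LOG = r"""
2017-11-20T10:00:01 alice RENAME C:\Users\alice\Documents\invoice.docx -> C:\Users\alice\Documents\0001.ykcol
2017-11-20T10:00:02 alice RENAME C:\Users\alice\Documents\photo.jpg -> C:\Users\alice\Documents\0002.ykcol
2017-11-20T10:00:03 alice RENAME D:\Projects\plan.xlsx -> D:\Projects\0003.diablo6
2017-11-20T10:00:04 alice RENAME \\fileserver\finance\q3.pdf -> \\fileserver\finance\0004.lukitus
2017-11-20T10:30:00 bob RENAME C:\Users\bob\draft.txt -> C:\Users\bob\final.txt
""".strip().splitlines()
```

An alert that spans a network share as well as local drives is the strongest signal here, since it matches the article’s note that Locky does not stop at the C drive.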

The following HTML page is set as the default browser’s home page:

Post-infection, the most advisable step is to shut down your system. Users should always keep their Windows updated to mitigate the risks of malware attacks.

Usually Locky gains access to your computer through a malicious Word document or JavaScript file. The hackers are using PDF files as well to execute Locky: the PDF asks for permission to open another file, which is a malicious Word document containing VBA macros.

Enabling macros in documents received over email is something that should never be done, in order to avoid attacks. These files are circulated over email with subjects resembling ordinary invoices or terms like “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.

Organizations can start by educating their security experts about the latest attacks. A few other tactics include:

  • To defend against these attacks, focus on email security. Implement a full protection stack, including Symantec Email Security, which can block email threats, and educate users to handle suspicious emails carefully.
  • Locky gains access by executing macros. Macros can be disabled by enforcing group policy; unless a macro is executed, Locky cannot be installed. Installing MS Office viewer software can also be helpful, as it does not support macros: the user can take a look at the document without actually opening it in Word or Excel.
  • To protect against any malware, periodic backups and installation of patches are a must. Malware exploits bugs in software to get installed; patches keep providing fixes for these bugs and hence reduce the chance of attacks.
  • The number of computers in a network that can access common file servers should be limited.


Authored By - Parul Mehrotra
TCS Cyber Security Practice
