What is Locky ransomware, and how do you prevent it?

Locky ransomware affects mainly Windows devices. The attack starts with a phishing email that tricks you into downloading malware and follows through with a trojan that encrypts your files and demands a ransom payment in exchange for their decryption.

Like other forms of ransomware, hackers ask you to send them cryptocurrency. And if your files are valuable, like sensitive work documents, you may be tempted to pay up. Unfortunately, you’re dealing with cybercriminals. You may never get your files back, even if you send them money.

The Locky ransomware attack combines multiple hacking techniques – botnets, phishing, social engineering, and malicious code. The original Locky attacks consist of the following steps:

1. Phishing. The Necurs botnet distributes millions of spam emails with Microsoft Word document attachments. The emails specify that the attached document is an invoice or similar common file.
2. Social engineering. When the victim downloads and opens the document, they see gibberish and random characters. The text above the nonsense says to enable macros if the data encoding seems incorrect.
3. Malware download. Once the victim enables macros, a malicious script downloads and runs the executable file – a ransomware trojan.
4. File encryption. A ransomware trojan encrypts files that match predefined extensions using AES 128-bit key and RSA 2048-bit key encryption. It encrypts only data files like documents and photos, instead of executable app files. Encrypted files get a .locky extension.
5. Ransom demand. After encryption, the victim finds a plaintext message announcing that their files have been encrypted, and the same ransom note appears as the wallpaper of their computer. The message explains the steps to take to get the locked files back. The steps include using the Tor browser to visit hackers’ websites on the dark web for further details and paying a ransom in cryptocurrency in exchange for the encryption key. Hackers provide the victim with their attack ID to be used after paying for the decryption key.

Locky ransomware attacks started in February 2016. Cybersecurity researchers have since linked the Locky ransomware with the infamous Russian hacker group Evil Corp. The group was in charge of the Necurs botnet, which distributed Locky ransomware, some of its variants, and other malware, including the Dridex banking trojan. The group is also responsible for TrickBot attacks.

One of the first major Locky ransomware targets was a hospital in Los Angeles. The hospital agreed to pay the $17,000 ransom to resolve the hack. Attackers took the win and continued targeting other healthcare institutions.

The number one target for Locky ransomware was healthcare institutions. Hackers quickly figured out that data storage practices at hospitals were outdated. Many hospital operations were affected, with databases and electronic patient data records encrypted and employees locked out of systems – and they felt they had no choice but to pay the ransom.

Locky ransomware also targeted other industries, including telecommunications, transportation, manufacturing, and various service providers.

Locky ransomware was a massive success for hackers, bringing life to many Locky ransomware variants and copycats.

• PowerLocky. PowerLocky combined Locky and fileless PowerWare ransomware. It was written in PowerShell and used the same phishing email and encrypted file extensions as Locky. It was active in the summer of 2016, and now free programs are available to decrypt the files that PowerLocky has encrypted.
• Diablo. Diablo emerged in mid-2016 and used a different file extension, .diablo6, for encrypted files. Diablo spam emails had ZIP attachments, and ransomware introduced a few changes in the encryption method to add more sophisticated anti-analysis tricks and avoid detection.
• Zepto. Zepto ransomware made its debut in June 2016. It used most of the same techniques as Locky ransomware. Emails included the victim’s first name in the body and a ZIP attachment containing a JavaScript executable. Every encrypted file would get a .zepto extension.
• Odin. Odin followed Zepto with its first spam campaigns appearing in September 2016, mainly targeting users in the US. Encrypted files would get the .odin extension, but other than that, the ransomware followed the usual Locky behavior.
• Osiris. Osiris appeared in late 2016. It featured a new encryption algorithm and used the .osiris extension for encrypted files. Attackers used spam and malvertising to distribute the malicious code. They also implemented a more complex command and control communication protocol, making it more challenging to track and shut down the infrastructure supporting the ransomware. In addition to Windows, Osiris would infect Android and macOS devices.
• Thor. This version of Locky ransomware was identified in early 2017. It started with a massive spam campaign distributing ZIP attachments. Thor, like other Locky variants, used a different file extension (.thor) for encrypted files. It also incorporated code obfuscation techniques to make detection more difficult for cybersecurity researchers.
• Lukitus. Named after the Finnish word “Lukittu” (meaning locked), it emerged in the summer of 2017. Attackers used a different ransom note and distributed the ransomware through PDF attachments in spam emails. Encrypted files had the .lukitus extension.

Some other Locky ransomware campaigns followed the original Locky ransomware procedure, only using different extensions for the encrypted files, such as aesir, .asasin, .loptr, .shit, .ykcol, and .zzzzz extensions.

The best way to detect Locky ransomware is to learn how to spot phishing emails and social engineering techniques. The Locky spam emails had some clear giveaways – but they’re only apparent if you know what to look for.

• Sender. Emails came from random email addresses and domains.
• Language. Emails had questionable grammar and addressed the recipient as “Dear Sir/Madam.” Some emails didn’t have any text beyond the subject line and attachment.
• Email attachment. Infected attachments were usually disguised as invoices, receipts, or other sensitive documents that the recipient may have felt a sense of urgency about.

Once Locky ransomware infects the device, it doesn’t hide. You see your files being assigned different extensions, ransom notes appearing among your documents, and a message from hackers becoming your brand-new wallpaper.

Since the original Locky ransomware and most of its variants are now obsolete, most anti-malware solutions can remove Locky from your device.

But removing the ransomware doesn’t restore data and your files to normal. Some free programs can decrypt the files affected by Locky variants, but they don’t work for all Locky extensions. You can look decryptors up online, mentioning the file extension of the encrypted files. But make sure to download them from reputable sources, so you wouldn’t download yet another malware by accident.

Locky and other ransomware examples teach us how dangerous and expensive ransomware attacks can be. So it’s much wiser to be proactive and take preventive measures instead of dealing with the aftermath.

Here’s what you can do to prevent Locky, its variants, and other ransomware attacks:

• Get familiar with social engineering techniques. Learn to recognize and avoid phishing emails, fake websites, and potential social engineering tactics.
• Keep your operating system and software up to date. Regularly apply security patches and updates to your operating system, web browsers, antivirus software, and other applications. Ransomware often exploits vulnerabilities in outdated software to spread further.
• Never download or open attachments or links from emails you were not expecting. Only download attachments or click on links in emails if you are confident about their legitimacy.
• Enable spam filters. Spam filters on your email client can reduce the chances of receiving malicious emails and improve your email security overall.
• Disable macro scripts. Most Locky attacks use malicious macros to download the ransomware, so configure your Office suite to disable macros by default. Also, only enable macros in Word, Excel, or other document formats if you trust the source and have verified their legitimacy.
• Back up your data. Back up your important files and data to offline or cloud storage inaccessible from your computer. In case of a ransomware attack, having backups ensures you can recover data without paying the ransom.
• Enable file extensions. By default, file extensions may not be visible on your operating system. Enabling file extensions lets you see the full file name and recognize potentially malicious file types. It can help you identify malicious attachments and avoid opening them.
• Use a firewall. A properly configured firewall could help you monitor incoming and outgoing network traffic blocking unauthorized access attempts and preventing ransomware from communicating with its command and control servers.
• Get robust malware protection. Install reputable security software and let it scan files you want to download for real-time protection. Anti-malware, such as NordVPN’s Threat Protection, can detect and block ransomware in new downloads and other malicious threats before they infect your device.