Last Updated on April 19, 2023 by Satyendra
Locky ransomware arrived on the scene in 2016, and, as with most ransomware strains, arrives in the form of an email attachment. This particular strain is disguised as an invoice, requesting a payment.
What is Locky Ransomware?
Locky ransomware is malware that encrypts important files on the victim’s computer, rendering them inaccessible and unusable. The attackers then demand a ransom payment and promise, in return, a Locky decryption key that only they possess. That leverage over the victim’s own data is what compels victims to pay.
How does Locky Ransomware Work?
The Locky ransomware is usually spread through email attachments, disguised as harmless documents, such as invoices or resumes. When the victim clicks on the attachment, the ransomware is installed on the computer and begins to encrypt the files.
The attachment is a Microsoft Word document, which contains malicious macros. When the victim opens the document to see what the invoice is about, they are presented with gibberish text, along with a heading that says “Enable macro if data encoding is incorrect”.
If the victim enables the macro in MS Word, the macro downloads a second script which begins encrypting files with particular extensions. The script renames each encrypted file to a unique 16-character combination of letters and numbers, and changes the file extension to something along the lines of .locky, .zepto, .odin, .aesir, .thor, .zzzzz, .osiris or .shit.
In addition to encrypting the victim’s files, the script also downloads exploit kits from the attacker’s Command & Control (C&C) server in order to identify and exploit vulnerabilities on the victim’s machine. Exploiting those vulnerabilities can help the attack spread to other systems. The script also attempts to delete existing shadow copies of the victim’s data, removing the easiest local recovery option.
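The delivery chain above starts with a macro-enabled Word attachment. Office Open XML files are ZIP containers, and a document that carries VBA macros stores them as word/vbaProject.bin, so a mail gateway can screen attachments for that member without opening them in Word. The following is an added example written for this article, not code from Lepide or from any Locky sample; the sample “documents” it builds are constructed stand-ins, and the extension lists are the common Office defaults, not something Locky-specific.

```python
import io
import zipfile

# Members that hold an embedded VBA project inside an OOXML container.
# (word/ for Word, xl/ for Excel, ppt/ for PowerPoint.)
MACRO_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}

# Extensions that declare themselves macro-enabled; blocked without inspection.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
# Extensions that should NOT carry macros; inspected to be sure.
OOXML_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML container holds an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Not a valid container at all; this check reports "no macros" and
        # leaves handling of unparseable attachments to a separate rule.
        return False
    return bool(names & MACRO_MEMBERS)


def screen_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'block' or 'allow' for a mail gateway policy."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "block"  # declared macro-enabled: no need to inspect
    if ext in OOXML_EXTENSIONS and has_vba_macros(data):
        return "block"  # a VBA project inside the container, whatever the name says
    return "allow"


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample_docx(False)),
        ("invoice.docx", build_sample_docx(True)),
        ("invoice.docm", build_sample_docx(False)),
    ]
    for name, payload in samples:
        print(f"{name}: macros={has_vba_macros(payload)} -> {screen_attachment(name, payload)}")
```

The container check matters because the extension alone is a weak signal: blocking only *.docm would miss a document whose name was changed. In a real deployment this would sit beside, not replace, signature and sandbox scanning.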
Once the files have been encrypted, the victim will be asked to download the Tor browser and visit the attacker’s website for further instructions. As it stands, the ransom payment is between 0.5 and 1 bitcoin, which, as of June 2022, is approximately 32,000 USD. At this stage, a timer will begin, and if the victim refuses to pay the ransom within the specified time frame, the decryption key will be automatically destroyed, or at least that’s what is claimed.
Examples of Locky Ransomware Attacks
There are not many publicized examples of Locky ransomware attacks. However, there were reports of a large number of Locky ransomware attacks being launched against healthcare service providers in the United States.
In one scenario, a hospital in Los Angeles was forced to pay a ransom of $17,000 after falling victim to a sustained attack. The Locky ransomware payload arrived in the form of an MS Office Open XML file with the extension .DOCM.
Healthcare providers in Japan, Korea, and Thailand were also hit, and there were also reports of Locky ransomware attacks on telecom, transportation, and manufacturing industries, although there is little-to-no documentation about how the victims were affected, and whether they chose to pay the ransom.
How to Protect Against Locky Ransomware Attacks
The methods used to protect against Locky ransomware are much the same as they would be for any other strain of ransomware, although there are some unique characteristics that we can look out for. Below are some simple tips to help you prevent, detect and respond to Locky ransomware attacks:
Security awareness training
Security awareness training is an important step in protecting against Locky ransomware and other types of cyber attacks. Locky ransomware is typically delivered through phishing emails or malicious attachments, which can trick users into downloading and installing the malware.
By providing security awareness training to employees, businesses can educate them on how to recognize and avoid these types of attacks. Training can include topics such as how to identify phishing emails, how to verify the authenticity of email senders and attachments, and how to report suspicious activity to IT security staff.
Security awareness training can also help employees understand the importance of maintaining strong passwords and avoiding risky online behavior, such as using unsecured Wi-Fi networks or downloading unauthorized software.
By educating employees on how to recognize and avoid these types of attacks, businesses can significantly reduce the risk of a Locky ransomware infection. This is because employees are often the first line of defense against cyber-attacks, and their actions can have a significant impact on the overall security of the organization.
Ensure that all software is patched
Ensuring that software is patched and up-to-date is an important step in protecting against Locky ransomware and other types of cyber attacks. Locky ransomware often exploits vulnerabilities in software to gain access to systems and infect them with malware.
Software vendors frequently release updates and patches to fix these vulnerabilities and improve the security of their products. By regularly installing these updates and patches, businesses can ensure that their software is protected against the latest threats.
Take regular backups
This may seem obvious, but it is crucially important that you take regular backups of your data, and store them in a secure location – preferably either off-line or off-network.
Monitor network traffic
Because the Locky script communicates with the attacker’s C&C server, you should use a capable intrusion prevention solution to detect, block and report on suspicious inbound and outbound network traffic. You will also need to watch out for the installation of unauthorized software.
Monitor user activity
In addition to encrypting data and installing exploit kits, most ransomware attacks create events that can be monitored in order to help detect and block anomalous data-centric activities. For example, the script may try to create new privileged accounts, or access privileged accounts in an atypical manner. These days, there are a number of data-centric auditing solutions that can detect and respond to events that match a pre-defined threshold condition, and then execute a custom script in response. For example, to identify Locky attacks you could create a rule that fires an alert when a given number of files are renamed, or have their extensions changed, within a given time frame, and then responds by disabling user accounts, revoking permissions, changing the firewall settings, shutting down the affected servers, and/or anything else that might help to stop the attack from spreading.
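The threshold rule described above, as an added example written for this article rather than code from Lepide or any auditing product: it reads rename events from an audit log, keeps a sliding window per user, and raises an alert either when renames in general exceed a threshold or, at a lower threshold, when the new names match the Locky pattern the article describes (a 16-character letter/number name with one of the listed extensions). The log line format, user names and thresholds are constructed for the example; the response plan is returned as a list of actions because how each is executed is site-specific.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions the article lists for Locky-encrypted files.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".aesir", ".thor", ".zzzzz", ".osiris", ".shit"}
# Heuristic from the article: encrypted files get a 16-character letter/number name.
LOCKY_BASENAME = re.compile(r"^[A-Za-z0-9]{16}$")


def looks_like_locky_rename(new_name: str) -> bool:
    """True if the new file name matches the Locky naming pattern."""
    base, dot, ext = new_name.rpartition(".")
    if not dot:
        return False
    return ("." + ext.lower()) in LOCKY_EXTENSIONS and bool(LOCKY_BASENAME.match(base))


def parse_event(line: str):
    """Parse a constructed audit line: '<ISO timestamp> <user> <ACTION> <old> -> <new>'."""
    ts, user, action, old, _arrow, new = line.split()
    return datetime.fromisoformat(ts), user, action, old, new


def detect_mass_rename(lines, threshold=20, locky_threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rename counter per user; input lines must be in time order.

    Returns one alert per user the first time either threshold is crossed."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, is_locky_pattern)
    alerted = set()
    alerts = []
    for line in lines:
        ts, user, action, _old, new = parse_event(line)
        if action != "RENAME":
            continue
        q = recent[user]
        q.append((ts, looks_like_locky_rename(new)))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        total = len(q)
        locky = sum(1 for _, hit in q if hit)
        if user not in alerted and (total >= threshold or locky >= locky_threshold):
            alerted.add(user)
            alerts.append({"user": user, "at": ts, "rename_count": total, "locky_count": locky})
    return alerts


def plan_response(alert):
    """Map an alert to the containment actions the article suggests (execution is site-specific)."""
    actions = [f"disable_account:{alert['user']}", f"revoke_share_permissions:{alert['user']}"]
    if alert["locky_count"] > 0:
        # Pattern-confirmed encryption in progress: isolate rather than just throttle.
        actions += ["isolate_host_firewall", "shut_down_affected_file_server"]
    return actions


def sample_log():
    """Constructed audit lines: normal activity by bob, a rename burst by alice."""
    base = datetime(2023, 4, 19, 10, 0, 0)
    lines = [f"{base.isoformat()} bob RENAME draft.txt -> final.txt"]
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        new_name = "A1B2C3D4E5F6071" + chr(ord("A") + i) + ".locky"  # 16 chars + .locky
        lines.append(f"{ts} alice RENAME doc{i}.docx -> {new_name}")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} bob RENAME final.txt -> final_v2.txt")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_rename(sample_log()):
        print(alert, "->", plan_response(alert))
```

Two thresholds are deliberate: a user renaming twenty files in a minute may be tidying a folder, but five files renamed to the encrypted-file pattern in that time is specific enough to act on immediately. Tune the generic threshold against your own audit baseline before wiring the response actions to anything automatic.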
How Lepide Helps Protect Against Locky Ransomware
The Lepide Data Security Platform can help to detect and prevent the spread of ransomware by providing visibility over what’s happening with your data. The Lepide Solution uses threshold alerting, combined with script execution, to detect the symptoms of an attack. A warning sign of a potential attack could be, for example, a large number of files being renamed in a short period of time. Once the threshold is met, Lepide can execute a custom script to shut down a user, computer, or server to prevent the spread of ransomware.
Reducing the risk of a ransomware attack occurring in the first place should be a priority for any organization. Managing your threat surface area and focusing on vulnerability management is crucial to identifying current and future risks and the Lepide Solution can facilitate this. By identifying users with excessive permissions, open shares, inactive users, and more you can significantly lower the risk of a ransomware attack and keep your systems secure.
If you’d like to see how the Lepide Data Security Platform can help you prevent Locky ransomware attacks, schedule a demo with one of our engineers.