The Locky ransomware

Locky is a type of malware that can encrypt critical files on your computer and hold them hostage while demanding a ransom payment.

The cybercriminals promise to give users a Locky ransomware decryption key that only they possess, thus compelling victims to pay the ransom.


Where does Locky come from?

Locky relies on social engineering techniques to get onto victims’ computers, with email as its transmission vector of choice.

This ransomware first emerged in 2016 and spread quickly throughout many regions of the world, including North America, Europe, and Asia.

One of the first major attacks targeted a hospital in Los Angeles, forcing them to hand over a $17,000 ransom payment.

A sustained campaign against other healthcare institutions continued throughout the year. Since then, there haven’t been any other significant Locky attacks.

Researchers were able to uncover evidence linking the new ransomware to a notorious hacking collective known as Dridex.


How does it work?

Targets receive a fraudulent email containing a malicious attachment that delivers Locky onto their computer.

These emails are often disguised as payment invoices, with subjects such as “Upcoming Payment – 1 Month Notice”. No one likes owing money, and this feeling is what motivates victims to open emails.

Once you open the email, you’ll be directed to download an attachment, often a Microsoft Word document.

The contents of the document are intentional gibberish, and here’s where social engineering comes into play.

After you open the attached document, it’ll prompt you to enable your Word macros so that its contents can be displayed properly (a macro is somewhat like a shortcut that performs some sort of automated function).

Going along with the prompt and enabling your macros also activates a malicious script that installs the latest version of Locky on your computer.

As soon as this happens, your files are locked uptight. One reason Locky is so dangerous is because of the variety of files that it can encrypt. In addition to Microsoft Office files and videos, Locky can even scramble your computer’s source code, which makes your computer unusable.

Your files will be renamed and have their extensions changed to new ones, which may include .aesir, .odin, .osiris, .thor, and .locky itself.

At this point, Locky will show you its ransom note, localized to your area. You’ll be asked to install the Tor browser and transfer a fee in Bitcoin (BTC) in exchange for the decryption key.


How to remove Locky ransomware

If you’re facing a Locky infection, an anti-malware program will be able to remove it along with any associated malware from your computer.

Note that removing ransomware will not decrypt and restore your files. There is currently no known cure for Locky’s encryption methods, and so once it gets ahold of your files, they are gone.

The only reliable way to recover your files from a Locky infection is to restore them from an uninfected backup — that’s why it’s so crucial to stay one step ahead of the hackers and perform regular backups of your computer.


How to prevent Locky ransomware

Ransomware is one of the most difficult types of malware to deal with once you’ve been infected, so prevention is always going to be your best defense strategy.

The following tips can be helpful in protecting your device from Locky and other ransomware:

  • Regularly back up your files: Whether you’re using a cloud service or an external drive, back your files up from time to time. If you’ve opted for an external storage device, disconnect it as soon as your backup is complete. Locky can spread to any connected devices as well as any networks it can access, so be sure to put your backup drive away.
  • Don’t download unverified attachments: Email-loving cybercriminals are counting on victims to download their attachments. Ignore unverified attachments, and don’t click on any links in emails from unknown senders.
  • Use an anti-malware tool: A trustworthy cybersecurity solution will defend you against not just ransomware, but all types of malware and hacking attacks.
  • Keep your software up-to-date: Many malware attacks rely on security holes in outdated software. Make sure to install software patches and updates as soon as they are available.
  • Disable macros in your Microsoft Office programs: Locky’s installation technique kicks in when you enable macros in the attached Word document. Disable macros by default, and then never choose to enable them unless you’re absolutely certain the document is safe.