Locky Ransomware: How to Protect yourself against this digital hijacker

Imagine: you’re sitting at your computer, minding your own business, and then suddenly, bam! Your screen locks up, and you’re faced with a chilling message demanding a ransom to regain access to your files. That’s the dark magic of Locky Ransomware in action!

In this article, we’ll explore what Locky Ransomware is, what makes it so dangerous, how it has spread like wildfire across the digital landscape, and some essential tips to protect yourself from becoming a victim. So let’s get started!

What is Locky Ransomware?

Locky Ransomware is a notorious and sophisticated malware that gained infamy in cybersecurity around 2016. It belongs to a class of malicious software known as ransomware, designed to encrypt files on a victim’s computer or network, making them inaccessible to the user. 

To regain access to the files, the victim is then extorted to pay a ransom, usually in cryptocurrency like Bitcoin, to the attackers who hold the decryption key.

The name “Locky” comes from the extension the ransomware appends to encrypted files, which typically looks like “.locky.” Once a system is infected, Locky quickly encrypts many file types, including documents, images, videos, and more. The victim is left with a pop-up message or a text file on their desktop, providing instructions on how to pay the ransom and obtain the decryption key.

Source: PCrisk

How does it infect your system?

Locky employs various tactics to infect systems, with email attachments being its primary and most common propagation method. Here’s a breakdown of how Locky Ransomware infects a system:

Malicious email attachments

The most prevalent method used by Locky is spam emails containing infected attachments. The cybercriminals behind Locky distribute massive spam campaigns, sending out emails that appear legitimate and convincing. These emails often mimic popular companies, financial institutions, or government agencies to trick users into believing they are authentic.

Social Engineering techniques

The content of these malicious emails is carefully crafted to entice the recipient into opening the attached file. Common tactics include urgent messages claiming to be invoices, payment receipts, shipping information, or even legal notices. The sense of urgency and relevance manipulates users into opening the attachment without thinking twice.

Malicious document attachments

The email attachment is usually a Microsoft Office document (e.g., Word or Excel) containing malicious macros. The malicious code is executed when the user opens the document and enables macros (which may be prompted as a necessary step for viewing the content correctly).

Exploiting vulnerabilities

Locky can also exploit software vulnerabilities to infect systems without user interaction. It may use outdated software or operating system weaknesses to gain unauthorized access and execute its payload.

Malicious websites and compromised servers

Although less common than email attachments, Locky can spread through infected websites or servers. Cybercriminals may use compromised websites to host exploit kits, which can automatically deliver malware to vulnerable systems that visit the site.

Why is it so dangerous?

Locky’s ability to encrypt a wide range of data is what makes it such a serious threat. It can scramble your computer’s source code, Microsoft Office documents, and videos, rendering your computer useless. Encrypted files receive new names and extensions such as .aesir, .odin, .osiris, .thor, and .locky.

Source: Vade Secure

At this point, Locky displays a customized ransom message in the locations of your encrypted files. To obtain the decryption key, you must download the Tor browser and provide payment in Bitcoin (BTC). As of November 2019, typical ransom demands vary from 0.5 to 1.0 Bitcoin (BTC), or around $4,000 to $8,000. Locky can also encrypt your BTC wallet if it is installed on your PC.

Famous attacks by Locky Ransomware and its variants

Following are some notable Locky Ransomware incidents:

1. Hollywood Presbyterian Medical Center (2016)

One of the earliest and most infamous incidents involving Locky occurred in February 2016 when the Hollywood Presbyterian Medical Center in Los Angeles, California, became a victim. 

The hospital’s computer systems were infected with Locky Ransomware, which led to a significant disruption of operations. The hospital’s administrators ultimately decided to pay a ransom of 40 Bitcoin (approximately $17,000 at the time) to regain access to their encrypted files.

Source: Forbes

2. The Lukitus Campaign (2017)

In September 2017, a massive Locky Ransomware campaign called “Lukitus” struck the cybersecurity world. The campaign sent out 23 million spam emails with malicious attachments containing the Locky payload. 

The emails claimed to be related to a “New Order” and urged recipients to open the attachments to view details. The Lukitus campaign demonstrated the reach and effectiveness of Locky’s distribution methods.

Source: TrendMicro

3. Locky Returns with Diablo and Lukitus Variants (2017-2018)

Locky continued its reign in 2017 and 2018 with new variants, including Diablo and Lukitus. These variants targeted both individual users and organizations, spreading through spam emails and malicious attachments. 

The attackers regularly updated their tactics and file extensions to evade detection and maximize their potential for extortion.

Source: ZDNET

4. The Necurs Botnet Campaign (2018)

In the latter part of 2018, Locky made a resurgence through a massive spam campaign delivered by the notorious Necurs botnet. Necurs, one of the largest botnets in the world, sent out millions of emails containing malicious attachments that distributed Locky Ransomware. 

This campaign showed the collaboration between different cybercriminal groups in spreading malware.

Source: Cisco Talos

Locky’s decline

After its peak in 2016 and 2017, Locky’s prevalence declined. However, its impact on the cybersecurity landscape and its legacy as a significant ransomware strain remained. 

Over time, other ransomware families, such as Ryuk and Sodinokibi (REvil), emerged and gained notoriety, continuing the tradition of exploiting organizations for financial gain through ransomware attacks.

How to detect this Ransomware

Detecting Locky Ransomware can be challenging, as it often operates silently until it completes its encryption process and displays the ransom note. However, there are some signs and behaviors that may indicate the presence of Locky Ransomware on a system:

1. File Extension changes

Look for files with unusual extensions like “.locky,” “.zepto,” “.odin,” “.aesir,” or others appended to their original file extensions. Locky Ransomware encrypts files and adds its unique extension to them.

2. Inaccessible files

If you suddenly find that your files are inaccessible or receive error messages when opening them, it might be a sign of ransomware activity.

3. Ransom note

Locky typically displays a ransom note in a text file or as a pop-up on the desktop. The notice will demand a ransom payment in cryptocurrency (like Bitcoin) for the decryption key.

4. Changes to Desktop Background or Wallpaper

Some variants of Locky might modify your desktop background to display the ransom note, further emphasizing that your files are encrypted.
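The four signs above can be checked mechanically. The script below is an added example (not PureVPN’s code or tooling): it walks a directory tree, flags files whose extension is one of the Locky extensions named in this article, and flags small text/HTML files that read like a ransom note (two or more of the words “bitcoin”, “decrypt”, “tor browser”). The ransom-note filename is deliberately not assumed, since variants change it; the sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Scan a directory tree for the on-disk signs of Locky described above.

Added example, not PureVPN's code. Detection is heuristic: a known Locky
extension on a file, or a short text/HTML file whose wording resembles a
ransom note. The demo tree built by build_sample_tree() is constructed data.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Extensions the article lists for Locky and its variants.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".aesir", ".osiris", ".thor"}
# Words that tend to co-occur in ransom notes; the note's filename is not assumed.
RANSOM_NOTE_MARKERS = ("bitcoin", "decrypt", "tor browser")
# Ransom notes are small; skip large text files to keep the scan cheap.
MAX_NOTE_BYTES = 64 * 1024


def looks_like_ransom_note(text: str) -> bool:
    """True when at least two of the marker phrases appear in the text."""
    lowered = text.lower()
    return sum(marker in lowered for marker in RANSOM_NOTE_MARKERS) >= 2


def scan_tree(root: str) -> dict:
    """Return {'encrypted': [...], 'notes': [...]} of suspicious paths under root."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = Path(dirpath) / filename
            suffix = path.suffix.lower()
            if suffix in LOCKY_EXTENSIONS:
                encrypted.append(str(path))
            elif suffix in (".txt", ".html", ".htm"):
                try:
                    if path.stat().st_size <= MAX_NOTE_BYTES and \
                            looks_like_ransom_note(path.read_text(errors="replace")):
                        notes.append(str(path))
                except OSError:
                    continue  # unreadable file: not evidence either way
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def assess(result: dict, threshold: int = 5) -> str:
    """Severity: a ransom note or many renamed files is 'critical',
    a few renamed files is 'suspicious', otherwise 'clean'."""
    if result["notes"] or len(result["encrypted"]) >= threshold:
        return "critical"
    if result["encrypted"]:
        return "suspicious"
    return "clean"


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"normal spreadsheet")  # untouched file
    for i in range(6):  # six renamed files, as Locky leaves them
        (docs / f"{i:032x}.locky").write_bytes(b"\x00" * 16)
    desktop = Path(root) / "Desktop"
    desktop.mkdir()
    (desktop / "recover_instructions.txt").write_text(
        "Your files are encrypted. Install the Tor Browser and pay in "
        "Bitcoin to decrypt them.")  # constructed note text
    return root


def run_demo() -> tuple:
    """Build the sample tree, scan it, clean up, and return (result, severity)."""
    root = build_sample_tree()
    try:
        result = scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return result, assess(result)


if __name__ == "__main__":
    found, severity = run_demo()
    print(f"severity={severity} encrypted={len(found['encrypted'])} notes={len(found['notes'])}")
```

Run it against a user profile or a file share rather than the demo tree to get a real answer; a non-zero count of renamed files is worth an alert even below the threshold, because Locky renames files faster than a user would notice.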

Your system is infected! What to do now?

If your system gets infected with Locky and you are thinking of paying the ransom, think again. While paying the ransom might seem tempting when you’re desperate to regain control of your computer or files, it’s essential to understand the potential risks and implications involved. 

We strongly advise against paying the ransom to cybercriminals for several reasons, and this aligns with the FBI’s stance on the matter.

  • Firstly, there is no guarantee that paying the ransom will result in recovering your files. Some victims who have paid the ransom never received the promised decryption keys, leaving them with encrypted data and financial loss.
  • Secondly, paying cybercriminals only encourages and motivates them to continue their illegal activities. It incentivizes them to target other organizations and individuals, perpetuating the cycle of ransomware attacks.
  • Also, specific ransomware variants may have flaws in their encryption algorithms, making it impossible to recover the data even with a valid decryption key.

Do this to stay safe against Locky Ransomware!

Here are some vital actions and safety measures to prevent ransomware attacks:

1. Regularly back up and keep your Data in a vault

Regularly back up your data and keep it somewhere other than your primary computer or network. Keep backups offline and encrypted in a secure vault to shield them from ransomware outbreaks. Backups can help you recover crucial data in the event of an attack.

2. Raise awareness and Provide training

Inform staff members of the dangers of ransomware and the typical distribution methods, such as phishing emails. Users can be equipped to identify and steer clear of possible risks by receiving training on information security best practices and principles.

3. Keep systems and applications updated

Quickly apply operating system, software, and firmware patches and upgrades. Automating patch deployment streamlines this process and minimizes the window of vulnerability available to prospective attackers.

4. Continue to use effective anti-virus and anti-malware software

Ensure your anti-virus and anti-malware programs run regular scans to find and eliminate threats. Also, make sure they are set to update automatically.

5. Use Least Privilege Access Control (LPAC)

Give users only the rights they need to complete their responsibilities, and restrict write access to the most critical files, directories, and network shares. Least-privilege access lessens the potential damage of a ransomware attack.

6. Disable Macro Scripts in email attachments

To stop malicious code execution, turn off macro scripts in Microsoft Office files you receive over email. Instead, think about using Office Viewer software.
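Turning macros off on the endpoint is the user-side control; a mail gateway can also refuse the macro-bearing documents described in the “Malicious document attachments” section before anyone is prompted to “enable content”. The following is an added example (not PureVPN’s code) of that check in Python: modern Office files (.docx, .docm, .xlsx, .xlsm, …) are ZIP packages, and a VBA project is stored as a part named vbaProject.bin and declared in [Content_Types].xml with the application/vnd.ms-office.vbaProject content type. The sample packages it builds in memory are constructed for the demonstration, not real documents.

```python
"""Quarantine Office attachments that carry VBA macros.

Added example, not PureVPN's code. OOXML documents are ZIP archives; a VBA
project appears as a part ending in vbaProject.bin and is declared in
[Content_Types].xml. Both signals are checked so a macro-enabled file renamed
to .docx is still caught. build_sample_docx() produces constructed test data.
"""
import io
import zipfile

# Part name Office uses for the VBA project inside an OOXML package.
VBA_PART_SUFFIX = "vbaProject.bin"
# Content type declared for that part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Attachment extensions treated as Office OOXML packages.
OFFICE_EXTENSIONS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def office_attachment_has_macros(data: bytes) -> bool:
    """Return True if the OOXML package in `data` contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(name.endswith(VBA_PART_SUFFIX) for name in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        # Not an OOXML package: legacy binary .doc, or not Office at all.
        return False
    return False


def triage_attachments(attachments) -> list:
    """attachments: iterable of (filename, bytes). Returns filenames to quarantine."""
    quarantine = []
    for filename, data in attachments:
        if filename.lower().endswith(OFFICE_EXTENSIONS) and office_attachment_has_macros(data):
            quarantine.append(filename)
    return quarantine


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba-stream")  # constructed
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    inbox = [
        ("invoice.docm", build_sample_docx(with_macro=True)),   # macro present
        ("report.docx", build_sample_docx(with_macro=False)),   # clean
        ("renamed.docx", build_sample_docx(with_macro=True)),   # macro hidden behind .docx
        ("notes.txt", b"plain text attachment"),
    ]
    print("quarantine:", triage_attachments(inbox))
```

The check is deliberately strict: a document with a VBA part but a harmless-looking .docx name is still quarantined, which is exactly the case where a user would otherwise be asked to enable content.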

7. Limit Program Execution in vulnerable areas

Use software restriction policies or comparable measures to stop programs from running in known ransomware target areas, such as temporary internet browser files or compression/decompression software.

8. Improve Remote Desktop Protocol (RDP) security

Identify the systems on your network that use RDP and safeguard them. To avoid unwanted access, close unused RDP ports, employ two-factor authentication where possible, and monitor RDP login attempts.

9. Utilize application whitelisting

Reduce the risk of unauthorized or harmful software execution by allowing only known and approved programs to execute on systems.

10. Utilize virtualized environments

Run operating systems or specific applications in virtualized environments to provide an additional layer of defense against ransomware assaults.

11. Require user interaction for uncategorized websites

Configure end-user applications so that content from websites not categorized by the network proxy or firewall requires explicit user interaction before it runs. This can stop harmful scripts from unreliable sources from being executed automatically.

Secure your systems with PureMax!

PureMax is an all-in-one security tool that answers all your security problems. It includes:

PureVPN: A Virtual Private Network that will keep your identity anonymous by masking your IP address so that you don’t become the next target of a similar cyber-attack.

PureKeep: Password protection is the first line of defense against cyber-attacks, but creating and keeping strong passwords is a tough cookie to crack. With PureKeep, you can easily create strong passwords and store them encrypted.

PureEncrypt: Keeping your important files safe and backed up in a separate vault is a must against Ransomware attacks and similar cyber-attacks. PureEncrypt will provide bank-grade security and cloud storage for your digital assets.

PurePrivacy: Online privacy is a must nowadays, and this privacy manager will give exactly that while removing targeted ads, identifying at-risk data, and managing your personal information so that it won’t land in the wrong hands.

Wrapping up

The Locky Ransomware has been one of the most infamous and significant attacks in the cybersecurity world. 

It has cost individuals and organizations across the globe substantial sums of money and disruption due to its ability to encrypt files and hold them hostage. Its transmission through malicious email attachments makes it difficult for cybersecurity experts to identify and stop. 

Proactive measures are the only way to combat Locky and other ransomware. So, it is crucial to maintain vigilance and put strong security measures in place to protect against this severe and persistent cyber threat.

Frequently Asked Questions

Is Locky ransomware still active?

Locky itself is not currently active, but various other variants of the Locky ransomware have emerged in its absence. These new variants have been observed using different file extensions for encrypting files, continuing the legacy of Locky’s ransomware techniques.

Does ransomware steal data?

Ransomware is not designed to steal data. Instead, it aims to lock the victim out of their files and extort payment for their release. Still, there is another type of ransomware known as “Leakware” or “Doxware,” which combines traditional ransomware with data theft in which ransomware encrypts the victim’s files and steals sensitive data from the system.

Who is the favorite target of Locky?

Locky Ransomware primarily targets businesses, with healthcare being the most prominent victim. Hackers send phishing emails to hospitals to exploit their less secure patient data storage practices and the criticality of retrieving patient data.

How to report a Ransomware attack?

You should immediately contact your local law enforcement agency or cybercrime unit to report a ransomware attack. Additionally, inform your organization’s IT or security team so they can take appropriate actions to contain the attack and gather evidence for further investigation.

Author: PureVPN

Date: July 20, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
