Imagine: you’re sitting at your computer, minding your own business, and then suddenly, bam! Your screen locks up, and you’re faced with a chilling message demanding a ransom to regain access to your files. That’s the dark magic of Locky Ransomware in action!
In this article, we’ll explore What’s Locky Ransomware? What makes it so dangerous? How has it spread like wildfire across the digital landscape? And some essential tips to protect yourself from becoming a victim. So let’s get started!
Locky Ransomware is a notorious and sophisticated malware that gained infamy in cybersecurity around 2016. It belongs to a class of malicious software known as ransomware, designed to encrypt files on a victim’s computer or network, making them inaccessible to the user.
To regain access to the files, the victim is then extorted to pay a ransom, usually in cryptocurrency like Bitcoin, to the attackers who hold the decryption key.
The name “Locky” comes from the extension the ransomware appends to encrypted files, which is typically “.locky”. Once a system is infected, Locky quickly encrypts many file types, including documents, images, videos, and more. The victim is left with a pop-up message or a text file on their desktop, providing instructions on how to pay the ransom and obtain the decryption key.
Source: PCrisk
Locky employs various tactics to infect systems, with email attachments being its primary and most common propagation method. Here’s a breakdown of how Locky Ransomware infects a system:
The most prevalent method used by Locky is spam emails containing infected attachments. The cybercriminals behind Locky distribute massive spam campaigns, sending out emails that appear legitimate and convincing. These emails often mimic popular companies, financial institutions, or government agencies to trick users into believing they are authentic.
The content of these malicious emails is carefully crafted to entice the recipient into opening the attached file. Common tactics include urgent messages claiming to be invoices, payment receipts, shipping information, or even legal notices. The sense of urgency and relevance manipulates users into opening the attachment without thinking twice.
The email attachment is usually a Microsoft Office document (e.g., Word or Excel) containing malicious macros. The malicious code is executed when the user opens the document and enables macros; the document often prompts the user to enable them, claiming this is necessary to view the content correctly.
Locky can also exploit software vulnerabilities to infect systems without user interaction, using weaknesses in outdated software or operating systems to gain unauthorized access and execute its payload.
Although less common than email attachments, Locky can spread through infected websites or servers. Cybercriminals may use compromised websites to host exploit kits, which can automatically deliver malware to vulnerable systems that visit the site.
Locky can encrypt a wide range of data, which makes the threat worse. It can scramble source code, Microsoft Office documents, and videos, leaving the computer largely unusable. Encrypted files receive new names and new extensions, such as .aesir, .odin, .osiris, .thor, and .locky.
Source: Vade Secure
At this point, Locky displays a ransom note tailored to the victim in the locations where files were encrypted. To obtain the decryption key, you must download the Tor browser and pay in Bitcoin (BTC). As of November 2019, typical ransom demands vary from 0.5 to 1.0 Bitcoin (BTC), or around $4,000 to $8,000. Locky can also encrypt your BTC wallet if one is installed on your PC.
Following are some notable Locky Ransomware incidents:
One of the earliest and most infamous incidents involving Locky occurred in February 2016 when the Hollywood Presbyterian Medical Center in Los Angeles, California, became a victim.
The hospital’s computer systems were infected with Locky Ransomware, which led to a significant disruption of operations. The hospital’s administrators ultimately decided to pay a ransom of 40 Bitcoin (approximately $17,000 at the time) to regain access to their encrypted files.
Source: Forbes
In September 2017, a massive Locky Ransomware campaign called “Lukitus” struck the cybersecurity world. The campaign sent out 23 million spam emails with malicious attachments containing the Locky payload.
The emails claimed to be related to a “New Order” and urged recipients to open the attachments to view details. The Lukitus campaign demonstrated the reach and effectiveness of Locky’s distribution methods.
Source: TrendMicro
Locky continued its reign in 2017 and 2018 with new variants, including Diablo and Lukitus. These variants targeted both individual users and organizations, spreading through spam emails and malicious attachments.
The attackers regularly updated their tactics and file extensions to evade detection and maximize their potential for extortion.
Source: ZDNET
In the latter part of 2018, Locky made a resurgence through a massive spam campaign delivered by the notorious Necurs botnet. Necurs, one of the largest botnets in the world, sent millions of emails containing malicious attachments that distributed Locky Ransomware.
This campaign showed the collaboration between different cybercriminal groups in spreading malware.
Source: Cisco Talos
After its peak in 2016 and 2017, Locky’s prevalence declined. However, its impact on the cybersecurity landscape and its legacy as a significant ransomware strain remained.
Over time, other ransomware families, such as Ryuk and Sodinokibi (REvil), emerged and gained notoriety, continuing the tradition of exploiting organizations for financial gain through ransomware attacks.
Detecting Locky Ransomware can be challenging, as it often operates silently until it completes its encryption process and displays the ransom note. However, there are some signs and behaviors that may indicate the presence of Locky Ransomware on a system:
Look for files with unusual extensions like “.locky,” “.zepto,” “.odin,” “.aesir,” or others appended in place of their original file extensions. Locky Ransomware encrypts files and adds its own extension to them.
If you suddenly find that your files are inaccessible or receive error messages when opening them, it might be a sign of ransomware activity.
Locky typically displays a ransom note in a text file or as a pop-up on the desktop. The notice will demand a ransom payment in cryptocurrency (like Bitcoin) for the decryption key.
Some variants of Locky might modify your desktop background to display the ransom note, further emphasizing that your files are encrypted.
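The indicators above (files renamed with Locky-family extensions, plus a ransom note dropped alongside them) can be checked with a simple directory scan. The script below is an added example, not code from the original article: it walks a folder tree, counts files carrying the extensions the article lists, and flags ransom-note-like filenames. The note-name pattern and the 5% alert threshold are assumptions chosen for illustration, and the sample directory it builds is constructed test data.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# File extensions the article lists for Locky variants.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".odin", ".aesir", ".osiris", ".thor"}
# Ransom-note filename pattern: an assumption for illustration, not a
# definitive Locky signature. The article says Locky drops a text file or
# pop-up note, so match "help"/"recover"/"instructions" style text/HTML names.
NOTE_PATTERN = re.compile(r"(help|recover|instructions).*\.(txt|html?|bmp)$", re.I)

def scan_tree(root: str) -> dict:
    """Walk `root` and count Locky-style indicators: files renamed with a
    Locky extension and ransom-note-like files. Returns a summary dict."""
    ext_counts: Counter = Counter()
    notes = []
    total = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            ext = Path(name).suffix.lower()
            if ext in LOCKY_EXTENSIONS:
                ext_counts[ext] += 1
            if NOTE_PATTERN.search(name):
                notes.append(Path(dirpath, name).relative_to(root).as_posix())
    encrypted = sum(ext_counts.values())
    return {
        "total_files": total,
        "encrypted_files": encrypted,
        "by_extension": dict(ext_counts),
        "ransom_notes": sorted(notes),
        # Alert threshold (assumed): any note, or >5% of files with a Locky extension.
        "suspicious": bool(notes) or (total > 0 and encrypted / total > 0.05),
    }

def build_sample_tree(root: str) -> None:
    """Create a constructed layout mimicking a partially encrypted share."""
    files = ["report.docx", "photo.jpg",                     # untouched files
             "a1b2c3d4.locky", "e5f6a7b8.zepto", "docs/c9d0e1f2.osiris",
             "docs/_HELP_instructions.txt"]                  # constructed note name
    for rel in files:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")

def demo() -> dict:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree()` at a user profile or file share to get the same summary for real data; a result with `suspicious` set to True is a cue to isolate the host and restore from offline backups rather than to keep working on it.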
If your system gets infected with Locky and you are thinking of paying the ransom, think again. While paying might seem tempting when you’re desperate to regain control of your computer or files, it’s essential to understand the potential risks and implications involved.
We strongly advise against paying the ransom to cybercriminals for several reasons, and this aligns with the FBI’s stance on the matter.
Here are some vital actions and safety measures to prevent ransomware attacks:
Regularly back up your data and keep it somewhere other than your primary computer or network. Keep backups offline and encrypted in a secure vault to shield them from ransomware outbreaks. Backups let you recover crucial data in the event of an attack.
Inform staff members of the dangers of ransomware and the typical distribution methods, such as phishing emails. Users can be equipped to identify and steer clear of possible risks by receiving training on information security best practices and principles.
Quickly apply operating system, software, and firmware patches and upgrades. Automating this procedure shortens the window of vulnerability available to prospective attackers.
Ensure your anti-virus and anti-malware programs run regular scans to find and eliminate threats, and make sure they are set to update automatically.
Give users only the rights they need to complete their responsibilities, restricting write access to the most critical files, directories, and network shares. Least-privilege access limits the damage a ransomware attack can do.
To stop malicious code execution, turn off macro scripts in Microsoft Office files you receive over email. Consider opening such files with Office Viewer software instead.
Use software restriction policies or comparable measures to stop programs from running in known ransomware target areas, such as temporary internet browser files or compression/decompression software.
Identify systems on your network that use RDP and secure them. To avoid unwanted access, close unused RDP ports, employ two-factor authentication where possible, and monitor RDP login attempts.
Reduce the risk of unauthorized or harmful software execution by allowing only known and approved programs to execute on systems.
To provide an additional layer of defense against ransomware attacks, use virtualized operating system environments or isolated instances of specific applications.
Implement controls that require user interaction before end-user applications access websites not categorized by the network proxy or firewall. This can stop harmful scripts from untrusted sources from being executed automatically.
PureMax is an all-in-one security tool that answers all your security problems. It includes:
PureVPN: A Virtual Private Network that will keep your identity anonymous by masking your IP address so that you don’t become the next target of a similar cyber-attack.
PureKeep: Password protection is the first line of defense against cyber-attacks, but creating and keeping a strong password is a tough cookie to crack. With PureKeep, you can create and store strong, encrypted passwords easily.
PureEncrypt: Keeping your important files safe and backed up in a separate vault is a must against Ransomware attacks and similar cyber-attacks. PureEncrypt will provide bank-grade security and cloud storage for your digital assets.
PurePrivacy: Online privacy is a must nowadays, and this privacy manager will give exactly that while removing targeted ads, identifying at-risk data, and managing your personal information so that it won’t land in the wrong hands.
The Locky Ransomware has been one of the most infamous and significant attacks in the cybersecurity world.
It has cost individuals and organizations across the globe substantial sums of money and disruption due to its ability to encrypt files and hold them hostage. Its transmission through malicious email attachments makes it difficult for cybersecurity experts to identify and stop.
Proactive measures are the only way to combat Locky and other ransomware. So, it is crucial to maintain vigilance and put strong security measures in place to protect against this severe and persistent cyber threat.
Locky itself is not currently active, but other variants of the Locky ransomware have emerged in its absence. These new variants have been observed using different file extensions for encrypted files, continuing the legacy of Locky’s ransomware techniques.
Ransomware is not designed to steal data. Instead, it aims to lock the victim out of their files and extort payment for their release. However, there is another type of ransomware known as “Leakware” or “Doxware,” which combines traditional ransomware with data theft: it encrypts the victim’s files and also steals sensitive data from the system.
Locky Ransomware primarily targets businesses, with healthcare being the most prominent victim. Hackers send phishing emails to hospitals to exploit their less secure patient data storage practices and the criticality of retrieving patient data.
You should immediately contact your local law enforcement agency or cybercrime unit to report a ransomware attack. Additionally, inform your organization’s IT or security team so they can take appropriate actions to contain the attack and gather evidence for further investigation.