The ransomware uses RSA-2048 and AES-128 in ECB mode to encrypt files. The keys are generated on the server side, which makes manual decryption impossible, and Locky can encrypt files on all fixed drives, removable drives, network drives and RAM disk drives. The ransom demanded varies between 0.5 and 1 bitcoin.
Who is Locky targeting?
Locky is especially harmful due to the wide range of file formats it affects — including files used by engineers, designers, developers, and testers. That means small businesses are particularly at risk. The top 10 countries hit by Locky are: France, Italy, Germany, Spain, USA, Great Britain, Poland, Japan, Czech Republic, and Canada.
Where does Locky come from?
The malware spreads through fake emails with infected attachments, including .doc, .xls or .zip files. The opened document does not display correctly, and the user is asked to “enable macro if data encoding is incorrect”. This is a social engineering technique: once the user enables macros, a binary runs and downloads Locky.
Taking a deeper look into some of Locky’s components, our Threat Intelligence Team has found clues as to who the authors might be. There is evidence linking Locky to Dridex, a group of hackers who use the same techniques and spam email campaigns. Some believe Locky comes from Russia, because many of its servers are there, and because the ransomware is programmed to exclude Russian PCs from infection.
How to recognize Locky ransomware
Emails infected with Locky are disguised to look like they’re coming from legitimate sources, which is why it’s very difficult to recognize them. Fake messages can have subject lines like “Upcoming Payment – 1 Month Notice”, and allegedly contain an invoice, which is actually a Microsoft Word document with malicious macros.
If Locky has already run and infected files on your computer, it’s probably too late, and you won’t be able to recover them. Encrypted files are given a new extension — often named after gods of Norse and Egyptian mythology — such as .osiris, .odin, .thor, .aesir or .locky. You’ll be prompted to pay a ransom in exchange for the recovery key. The message can be localized, depending on your PC’s location.
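As an added illustration (not code from the original article), the following Python script scans one or more roots, such as a fixed drive, a removable disk or a mounted network share, for files carrying the extensions listed above and checks a sample of each file's content for the high byte entropy that AES ciphertext shows, so a renamed plaintext file is not mistaken for an encrypted one and the scope of a restore from backup can be judged. The 7.5-bit entropy threshold and the 4 KB sample size are assumptions.

```python
import math
import os
from collections import Counter

# Extensions Locky appends to encrypted files, as named in the article above.
LOCKY_EXTENSIONS = {".locky", ".osiris", ".odin", ".thor", ".aesir"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; AES ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_roots(roots, sample_bytes=4096):
    """Walk each root and return one record per file whose extension matches
    Locky's, with an entropy reading taken from the file's first sample_bytes
    so that a merely renamed plaintext file stands out from real ciphertext."""
    hits = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                ext = os.path.splitext(name)[1].lower()
                if ext not in LOCKY_EXTENSIONS:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        entropy = shannon_entropy(fh.read(sample_bytes))
                except OSError:
                    entropy = None  # unreadable file: keep the hit, skip the check
                hits.append({"root": root, "path": path, "ext": ext,
                             "entropy": entropy,
                             "looks_encrypted": entropy is not None and entropy > 7.5})
    return hits


def summarize(hits):
    """Aggregate hits per root and per extension to scope a restore from backup."""
    return {
        "total": len(hits),
        "encrypted": sum(h["looks_encrypted"] for h in hits),
        "per_root": dict(Counter(h["root"] for h in hits)),
        "per_extension": dict(Counter(h["ext"] for h in hits)),
    }


if __name__ == "__main__":
    import sys
    print(summarize(scan_roots(sys.argv[1:] or ["."])))
```

Run it with the drive letters or mount points you want to check as arguments; a root with many hits marked `looks_encrypted` needs to be wiped and restored rather than cleaned file by file.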
How to remove Locky ransomware
In order to remove Locky ransomware, you need to scan your computer with an antivirus and delete the malicious files. However, this will not recover your encrypted documents. You won’t be able to recover them from shadow copies either, because the malware simply deletes them.
The only solution is to recover your files from backup, but make sure to remove Locky first, because the ransomware can affect files on external drives too.
How to prevent Locky ransomware
Most ransomware trojans spread via fake and spam emails. Here’s how to protect your files from Locky:
Use an up-to-date antivirus
Use internet protection that helps you avoid fake emails and spam
Don’t open suspicious emails or attachments from unverified sources. Remember that banks, companies and agencies don’t ask for personal information via email
Disable Microsoft Office macros by default
Back important files up, either online or on external drives
Make sure your operating system is updated and patched