What is Locky?

Our experts have analyzed Locky’s behavior and found it uses various scripting languages for delivery. It has advanced features such as a domain generation algorithm, complex spam email campaigns, server-side encryption, and generic PE packers. Since its release, its authors have fine-tuned it and added features to make Locky even more difficult to detect.

The ransomware encrypts files with RSA-2048 and AES-128 in ECB mode. Keys are generated on the server side, making manual decryption impossible, and Locky can encrypt files on all fixed drives, removable drives, network drives and RAM disk drives. Payment varies between 0.5 and 1 bitcoin.

Who is Locky targeting?

Locky is especially harmful due to the wide range of file formats it affects — including files used by engineers, designers, developers, and testers. That means small businesses are particularly at risk. The top 10 countries hit by Locky are: France, Italy, Germany, Spain, USA, Great Britain, Poland, Japan, Czech Republic, and Canada.

Where does Locky come from?

The malware spreads through fake emails and infected attachments, including .doc, .xls or .zip files. The opened documents don’t display correctly, and the user is asked to “enable macro if data encoding is incorrect”. This is a social engineering technique used to trick people, because once they enable macros, a binary file runs and downloads Locky.

Taking a deeper look into some of Locky’s components, our Threat Intelligence Team has found clues as to who the authors might be. There is evidence linking Locky to Dridex, a group of hackers who use the same techniques and spam email campaigns. Some believe Locky comes from Russia, because many of its servers are there, and because the ransomware is programmed to exclude Russian PCs from infection.

How to recognize Locky ransomware

Emails infected with Locky are disguised to look like they’re coming from legitimate sources, which is why it’s very difficult to recognize them. Fake messages can have subject lines like “Upcoming Payment – 1 Month Notice”, and allegedly contain an invoice, which is actually a Microsoft Word document with malicious macros.

If Locky has already run and infected files on your computer, it’s probably too late, and you won’t be able to recover them. Encrypted files are given a new extension — often named after gods of Norse and Egyptian mythology — such as .osiris, .odin, .thor, .aesir or .locky. You’ll be prompted to pay a ransom in exchange for the recovery key. The message can be localized, depending on your PC’s location.
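To scope the damage described above, the following added example (not code from the original page or from Avast) walks a directory tree, groups files carrying the extensions listed here by folder, and reports the earliest modification time among them. It assumes the modification time of an encrypted file approximates when it was written, which helps pick a backup that predates the infection; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Extensions named in the text above; other variants may use different ones.
LOCKY_EXTENSIONS = {".osiris", ".odin", ".thor", ".aesir", ".locky"}


def scan_for_locky(root):
    """Walk `root` and group files carrying a Locky extension by directory.

    Returns (hits, earliest): hits maps directory -> sorted file names,
    earliest is the oldest modification time seen (UTC), or None if no hits.
    """
    hits = defaultdict(list)
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # case-insensitive match
            if ext not in LOCKY_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            hits[dirpath].append(name)
            if earliest is None or mtime < earliest:
                earliest = mtime
    when = None
    if earliest is not None:
        when = datetime.fromtimestamp(earliest, timezone.utc)
    return {d: sorted(n) for d, n in hits.items()}, when


def build_sample_tree(root):
    """Constructed sample data: two renamed files and one untouched file."""
    os.makedirs(os.path.join(root, "docs"))
    for rel, mtime in [("docs/A1B2C3.osiris", 1_480_000_000),
                       ("D4E5F6.LOCKY", 1_480_000_600),
                       ("docs/report.docx", 1_470_000_000)]:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found, first_seen = scan_for_locky(tmp)
        print(found, "earliest encrypted file written:", first_seen)
```

Run it against a mounted copy or a share rather than from the infected machine itself, and treat the reported time as an upper bound on when encryption began.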

How to remove Locky ransomware

In order to remove Locky ransomware, you need to scan your computer with an antivirus and delete the malicious files. However, this will not recover your encrypted documents. You won’t be able to recover them from shadow copies either, because the malware simply deletes them.

The only solution is to recover your files from backup, but make sure to remove Locky first, because the ransomware can affect files on external drives too.

How to prevent Locky ransomware

Most ransomware trojans spread via fake and spam emails. Here’s how to protect your files from Locky:

  • Use an up-to-date antivirus
  • Use internet protection that helps you avoid fake emails and spam
  • Don’t open suspicious emails or attachments from unverified sources. Remember that banks, companies and agencies don’t ask for personal information via email
  • Disable Microsoft Office macros by default
  • Back important files up, either online or on external drives
  • Make sure your operating system is updated and patched

Use anti-malware to protect yourself

As an Avast user, you should have nothing to worry about. If your software is up-to-date, you are fully protected against Locky and any other malware. Our experts monitor new email campaigns every day, to create new URL detections and protect you from the latest threats.

Why Avast?
  • Consistently rated “excellent” by industry experts
  • Trusted by 400 million people worldwide
  • It’s the “Antivirus with the lowest impact on PC performance” (AV comparatives)
  • Best features - unbreakable password security, home network protection, browser cleaning and much more
  • All for FREE