Select language
Avast Academy Security Ransomware What is Locky Ransomware? How it Works and How to Remove it

Locky Ransomware

Locky is a type of ransomware released in 2016 by a group of highly skilled hackers. It uses social engineering to infect Windows PCs, comes with powerful features to disguise itself, and can encrypt more than 160 types of files, including source code and databases.


What is Locky?

Our experts have analyzed Locky’s behavior and found it uses various scripting languages for delivery. It has advanced features such as domain generation algorithm, complex spam email campaigns, server-side encryption, and generic PE packers. Since its release, its authors have fine-tuned it and added features to make Locky even more difficult to detect.

Hamburguer menu icon

This article contains:

    The ransomware uses RSA-2048 + AES-128 cipher with ECB mode to encrypt files. Keys are generated on the server side, making manual decryption impossible, and Locky ransomware can encrypt files on all fixed drives, removable drives, network and RAM disk drives. Payment varies between 0.5 and 1 bitcoin.

    Who is Locky targeting?

    Locky is especially harmful due to the wide range of file formats it affects — including files used by engineers, designers, developers, and testers. That means small businesses are particularly at risk. The top 10 countries hit by Locky are: France, Italy, Germany, Spain, USA, Great Britain, Poland, Japan, Czech Republic, and Canada.

    Where does Locky come from?

    The malware spreads through fake emails and infected attachments, including .doc, .xls or .zip files. The opened documents don’t display correctly, and the user is asked to “enable macro if data encoding is incorrect”. This is a social engineering technique used to trick people, because once they enable macros, a binary file starts running and downloading Locky.

    Taking a deeper look into some of Locky’s components, our Threat Intelligence Team has found clues as to who the authors might be. There is evidence linking Locky to Dridex, a group of hackers who use the same techniques and spam email campaigns. Some believe Locky comes from Russia, because many of its servers are there, and because the ransomware is programmed to exclude Russian PCs from infection.

    How to recognize Locky ransomware

    Emails infected with Locky are disguised to look like they’re coming from legitimate sources, which is why it’s very difficult to recognize them. Fake messages can have subject lines like “Upcoming Payment – 1 Month Notice”, and allegedly contain an invoice, which is actually a Microsoft Word document with malicious macros.

    If Locky has already run and infected files on your computer, it’s probably too late, and you won’t be able to recover them. Encrypted files are given a new extension — often named after gods of Norse and Egyptian mythology — such as .osiris, .odin, .thor, .aesir or .locky. You’ll be prompted to pay a ransom in exchange for the recovery key. The message can be localized, depending on your PC’s location.



    How to remove Locky ransomware

    In order to remove Locky ransomware, you need to scan your computer with an antivirus and delete the malicious files. However, this will not recover your encrypted documents. You won’t be able to recover them from shadow copies either, because the malware simply deletes them.

    The only solution is to recover your files from backup, but make sure to remove Locky first, because the ransomware can affect files on external drives too.

    How to prevent Locky ransomware

    Most ransomware trojans spread via fake and spam emails. Here’s how to protect your files from Locky:

    • Use an up-to-date antivirus

    • Use internet protection that helps you avoid fake emails and spam

    • Don’t open suspicious emails or attachments from unverified sources. Remember that banks, companies and agencies don’t ask for personal information via email

    • Disable Microsoft Office macros by default

    • Back important files up, either online or on external drives

    • Make sure your operating system is updated and patched


    Protect your iPhone from threats
    with free Avast Mobile Security


    Protect your Android from threats
    with free Avast Mobile Security