DeMISTIfying Infosec: Locky

By Katherine Teitler


Locky is ransomware that was first detected on Tuesday, February 16, 2016 as Trojan.cryptolocker.AF. It is a massive malware campaign that encrypts files and adds a .locky extension. Each extension is preceded by a unique 16-character file name.

Locky is spread primarily through spam or phishing campaigns. Each email contains a Word attachment masquerading as an invoice for the recipient. When the user opens the Word doc, the text is scrambled and the user is prompted to enable macros to read the text. The macros are malicious, however.


Enabling macros triggers the malware to save a file to the user’s %Temp% folder and then run a binary file, which downloads the encryption Trojan. Locky scans all local drives, and also unmapped network shares, for data files to encrypt, making nearly every file susceptible to encryption. Locky can also delete Shadow Volume Copies on the machine so the user cannot access or restore them. This virtually assures the malware authors that anyone without backup files will need to pay the ransom.
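
For defenders, the two behaviours described above (Word launching a binary from a Temp folder, then a burst of files renamed to a long name ending in .locky) can be correlated per host. The following is an added example, not code from the article or from any vendor. The event schema, host names, the `winword.exe` parent-process check, the alphanumeric name pattern, and the burst and window thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Stem of at least the 16 characters the article describes, then ".locky".
# The alphanumeric character class is an assumption.
LOCKY_NAME = re.compile(r"^[0-9A-Za-z]{16,}\.locky$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def triage(events, burst=5, window=60):
    """Return {host: sorted stages seen}; events use a hypothetical schema."""
    stages = defaultdict(set)
    renames = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["kind"] == "proc":
            # Word launching a binary out of a Temp folder: the macro stage.
            if (basename(ev["parent"]).lower() == "winword.exe"
                    and TEMP_DIR.search(ev["image"])):
                stages[host].add("macro_drop")
        elif ev["kind"] == "file" and LOCKY_NAME.match(basename(ev["path"])):
            times = renames[host]
            times.append(ev["ts"])
            # Keep only timestamps inside the sliding window (seconds).
            while times[0] < ev["ts"] - window:
                times.pop(0)
            if len(times) >= burst:
                stages[host].add("locky_burst")
    return {h: sorted(s) for h, s in stages.items()}

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "ws-01", "ts": 0, "kind": "proc",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Users\a\AppData\Local\Temp\dropped.exe"},
] + [
    {"host": "ws-01", "ts": 10 + i, "kind": "file",
     "path": r"\\fileserver\share\%016X.locky" % (0xA1B2C3D4 + i)}
    for i in range(6)
] + [
    # Benign look-alikes: short stem, unrelated process.
    {"host": "ws-02", "ts": 5, "kind": "file", "path": r"C:\docs\notes.locky"},
    {"host": "ws-02", "ts": 6, "kind": "proc",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host that shows both stages is a strong candidate for immediate isolation from network shares; a host that shows only `macro_drop` may still be caught before encryption starts.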

Once the malware has executed and the files are encrypted, the victim receives a pop-up ransom note containing instructions for how to communicate with Locky’s authors (through Tor), pay the ransom, and receive his/her unencrypted files back. The text of the ransom note is localized to the language used in the victim’s system, indicating that Locky’s authors may be geographically dispersed.


Locky was updated after its initial detection. New components made the malware more difficult to detect by commercial tools. Researchers have noted similarities between Locky and Dridex.
