Locky Ransomware

April 20, 2016
Suggested Reading

What is Locky ransomware?

Locky is a ransomware variant released in February 2016. Similarly to other ransomware, Locky encrypts files on victims' computers asking for sums of money ranging from BTC 0.5 to BTC 1.00.

Propagation and infection

Locky spreads via spam emails containing attachments in the form of Microsoft Office document formats (.doc, .docx, .xls and .xlsx files) that are usually disguised as invoices. The presumed invoice attachments look like gibberish and prompt the user to enable macros supposedly to change the encoding to render them human-readable. These embedded macros are in fact malicious and once the user enables them, malicious code is executed, fetching the actual malware to the victim's system.

In recent Locky campaigns, JavaScript-based instead of macro-based downloaders were also used. This might be due to the ease of obfuscating JavaScript code to generate new variants of the downloader, ultimately making signature-based detection non-trivial. The malware is delivered by an attached compressed (.zip) file containing an obfuscated JavaScript file. On execution it downloads Locky and installs it on the victim's computer.

Malicious macros

Figure 1: Malicious macros (source)

Subsequently, Locky encrypts files from a wide variety of file extensions, including "wallet.dat" and Volume Snapshot Service (VSS) files (also known as "shadow copies") hereby rendering the user's Bitcoin wallet and Windows live backup snapshots respectively useless. Additionally, it encrypts files in mapped and unmapped network shares, threatening not only local but network data as well. Finally Locky adds a ".locky" extension to all the files it encrypts.

Locky uses a combination of asymmetric (RSA-2048) and symmetric (AES-128) encryption. The RSA public key is used to encrypt the AES shared key which in turn is used for the data encryption. Once Locky completes the encryption process it changes the user's desktop wallpaper with the instructions on how to pay the ransom. The user is assigned an identification ID and is instructed to visit a hidden TOR service in order to pay the ransom and receive the RSA private key and a decryption tool.

Ransom Instructions

Figure 2: Ransom instructions (source)


The ENISA Threat Landscape 2015 recommendations on the protection against ransomware together with the recommendations from known anti-virus vendors (Sophos, Symantec, Avast, McAfee, F-Secure) tailored to Locky, are summarised as follows:

  • Back up regularly and keep recent backup copies offline and if possible off-site. If a computer gets infected by Locky, the files can be restored from a recent backup.
  • Be extremely cautious when any Microsoft Office document prompts you to enable macros in order to view its content. For many years Microsoft macros have been deliberately disabled by default for security reasons. A lot of malware rely on macros thus keep Microsoft Office macros disabled and preferably select the option "Disable all macros with notification" or at least "Disable all macros except digitally signed macros" under the "Macro Settings". A good alternative would be to install the Microsoft Office viewers which do not support macros and at the same time allow users to see how documents look like without opening them in Microsoft Word or Excel itself.
  • Be cautious with unsolicited attachments. Delete any suspicious-looking emails you receive, especially if they contain links or attachments. Consequently do not open suspicious attachments (e.g. .doc, .xls, and .zip files) as well. The implementation of content filtering to avoid spam emails and malicious attachments is also an additional countermeasure.
  • Disable "Windows Script Host" to refrain potentially malicious JScript (.js/.jse) files from running.
  • Restrain administration actions to the minimum e.g. avoid browsing or opening documents with administrator rights and minimize user data access rights to lower the impact of the attack.
  • Implement a policy of blocking the execution of files from certain directories i.e. files that are executed in a temp folder, or implement a white-listing policy indicating the executables that should only be executed on a system.
  • Keeping software known to be prone to vulnerabilities updated to prevent exploit kits from infecting your system. Besides using document macros, malware spreads through security vulnerabilities in popular applications, including Microsoft Office, browsers, Flash etc.
  • Always keep your operating system and security software up to date and apply security patches to protect your system against any new variants of malware.

What did the press say?

Locky ransomware has a few similarities with an older malware called Dridex. Notably their delivery method is very similar. Both are propagated through large spam campaigns with a financial pretext using Office documents with malicious macros. The email message, the attached document, the obfuscation methods used and even the naming convention of the URLs pointing to the payload are similar. These similarities raised suspicions, speculating that both malware may have been created by the same group.

As of 16 February 2016, Palo Alto Networks had observed approximately 446,000 instances containing the malicious macro responsible for dropping Locky into victim machines around the world. Despite this massive spam campaign, according to the Anubis Networks telemetry the actual number of infected machines in two days (between 16 February 2016 and 18 February 2016) was just over 4,500. This may look like a small figure but the potential profit can be substantial for cybercriminals. In theory, for BTC 0.5 (approximately €190) per infection, one can expect a potential gain of €425,000 per day.

According to Palo Alto Networks 54% of the detected instances targeted the United States of America and the next most targeted countries were Canada and Australia. Avast's data indicate that between 18 February 2016 and 7 March 2016, 160 countries around the world were affected by Locky. Despite Locky's indiscriminate distribution, higher education, wholesale, retail and manufacturing businesses as well as hospitals have been impacted the most.

There is a wide variety of publications covering the topic one can refer to, from reports on specific elements of Locky, e.g. the Locky administrator panel to reports providing in-depth analysis of the topic. A good overview of the topic was made available by Sophos and an in-depth and technical analysis of Locky by Avast.


Locky struck on February and has gained much notoriety in less than 2 months. The links with previous malware and the real-time support from the actor behind Locky leave little doubt on the experience, skill and determination of the latter. Encryption malware is increasingly popular and profitable, logically drawing the attention of organised cybercriminal groups.

About "Suggested Reading" from ENISA

With the “Suggested Reading” series ENISA aims at giving the interested reader guidance on controversial and inscrutable NIS related discussions that are carried out in Media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and related circumstances in a reasonable and understandable manner. This view is derived from past experiences and common sense; in no way should “Suggested Reading” be understood as recommended course of action in a specific incident or investigation, or being a final conclusion. Feel free to get in touch with ENISA to discuss or inquire more information to the “Suggested Reading” series (cert-relations@enisa.europa.eu).

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information