Learn All About Locky Ransomware & How You Can Protect Your Systems From This Ransomware

Learn about Locky Ransomware

The document that the cybercriminal attaches to the invoice email displays nothing to the user and simply reads ‘Enable macro if data encoding is incorrect.’

If the user does enable it, the machine saves and runs a file that installs the Trojan, which then encrypts all stored data with the targeted file extensions. The affected file names are later changed into a combination of 16 numbers and letters. The technique used here is social engineering: bait is used to get hold of the user, and then the virus is delivered.



Locky Ransomware In Detail

Standard reports of this malware describe an email with an attached Word document that contains the enabling code. Once macros are enabled, the code runs and downloads the Trojan file, which infects the system with the malware. The Locky virus then launches and encrypts all existing files the user has access to. This ransomware takes a different path: not a previously used exploit, but macros and attachments.

Necurs released an updated version of the Locky malware in June 2016.

The attacker packaged the malware with a new loader component that ran several detection-avoiding methods. These techniques detected whether the Trojan was running inside a physical or a virtual machine and identified relocation of instruction code. Since the malware's launch there have been numerous distribution methods, including malicious Excel attachments, exploit kits, and zipped JS attachments.

The files are encrypted with RSA-2048 + AES-120 operated in ECB mode. The Locky ransomware is capable of infecting files on all removable drives, RAM, network, fixed drives, and disk drives. The encryption key is generated on the server side, which makes manual decryption impossible for any user.


Detection Of Locky In MS Word

The Locky ransomware was first seen in February 2016, delivering malicious macros through Microsoft Word documents that encrypt the user's system files.

  • The code executes by tricking the user into viewing the included data, which leads the macros to download a Trojan file onto the system.
  • The Trojan file spreads the malicious virus, which encrypts all the data stored on the respective drives.
  • This version of Locky spread through phishing emails that carried an invoice number and a notice to remit payment per the attached invoice.
  • The invoice opens as a Microsoft Word document with a message to enable macros if the invoice isn’t readable.
  • When the user allows the presented macros, a program runs that stores a Trojan file in the %Temp% folder.

The significant aspect of this malware is that it targets a large number of file extensions at once. The virus also infects files on unmapped network shares, and it alters file names, making it strenuous to restore the correct data. As reports state, the more such emails get through to the user’s inbox, the higher the risk that the recipient opens the file, which in turn infects the system with this malware.
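The article notes that Locky renames encrypted files to a 16-character mix of numbers and letters, which is a usable detection signal on a file server: a single user renaming many files to machine-generated names within seconds is not normal behaviour. The following is an added example, not code from the article or from any vendor it mentions; it assumes rename events in the form (timestamp, user, old name, new name), a 16-alphanumeric naming pattern as the article describes, and a constructed sample of events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption (from the article's description, not a verified Locky indicator):
# encrypted files get a 16-character name of digits and letters; the extension,
# if any, is ignored for the match.
RENAMED_NAME = re.compile(r"^[0-9A-Za-z]{16}(\.[A-Za-z0-9]+)?$")

# Constructed sample of file-server rename events: (timestamp, user, old, new).
# "bob" renames six files to generated names within 15 seconds; "carol" renames
# two; "alice" performs an ordinary rename.
SAMPLE_EVENTS = [
    ("2016-02-16T09:00:01", "alice", "Q1_report.docx", "Q1_report_v2.docx"),
    ("2016-02-16T09:05:00", "carol", "notes.txt", "7B2E9D4C1A6F3E58.txt"),
    ("2016-02-16T09:05:30", "carol", "todo.txt", "9C4D1E7A2B8F6C30.txt"),
] + [
    ("2016-02-16T10:12:%02d" % (3 * i), "bob",
     "holiday_%d.jpg" % i, "%016X.jpg" % (0x3A9F1C2D4E5B6A70 + i))
    for i in range(6)
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def suspicious_renames(events):
    """Keep renames whose new name looks generated and whose old name did not."""
    out = []
    for ts, user, old, new in events:
        if RENAMED_NAME.match(new) and not RENAMED_NAME.match(old):
            out.append((parse_ts(ts), user))
    return out


def detect_rename_bursts(events, window_seconds=60, threshold=5):
    """Return {user: count} for users with >= threshold suspicious renames
    inside any window of window_seconds."""
    by_user = defaultdict(list)
    for ts, user in suspicious_renames(events):
        by_user[user].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # count events falling inside the window that opens at this event
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            alerts[user] = best
    return alerts


if __name__ == "__main__":
    for user, count in detect_rename_bursts(SAMPLE_EVENTS).items():
        print("ALERT: %s renamed %d files to generated names within 60s" % (user, count))
```

The threshold and window are tuning knobs: a lower threshold catches an infection earlier but also flags legitimate batch renames, so in practice the alert should trigger an automatic quarantine of the user's session on the share rather than an irreversible action.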




Detection Of Locky In PDF

The Locky ransomware later switched to an altered mode of delivery. This time the campaign increased the likelihood that emails sent to personal mailboxes would be read and that the attachments carrying the malicious virus would be opened. The campaign began using PDF files to target users, with a Microsoft Word document embedded in each PDF.

  • On opening the PDF file, a request appears to open the attached Word document.
  • The document, once opened, doesn’t deliver the virus unless macros are enabled; once they are, the macros download the Locky malware onto the system, which then encrypts the stored data.
  • The latest Locky campaign used several email templates, some with an attached PDF under different subjects that make it look like an invoice, receipt or payment confirmation, with no body text.
  • Other templates include body text referring to scanned documents in PDF format; security awareness training programs mostly cover such macro-infected PDF and Word documents.
  • Even if the end user’s vigilance stops him/her from opening any email from an unrecognized sender, a format like PDF is seen as trustworthy and increases the likelihood of the file being opened.
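Both delivery chains described above (a Word document whose macros download the Trojan, and a PDF that carries an embedded Word document) can be triaged at the mail gateway before the user ever sees the "enable macros" prompt. The following is an added example, not code from the article or from any product it mentions. It assumes that macro-enabled OOXML documents store their VBA project as `word/vbaProject.bin` or `xl/vbaProject.bin` inside the ZIP container, that an embedded file in a PDF is declared with `/EmbeddedFile` and a `/F (name)` file specification, and that the sample attachments are constructed in the block itself. Legacy binary .doc/.xls files and PDFs with compressed object streams are only routed to manual review, since this plain-text check cannot inspect them.

```python
import io
import re
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin")
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container

EMBEDDED_FILE = re.compile(rb"/EmbeddedFile")
EMBEDDED_NAME = re.compile(rb"/F\s*\(([^)]*)\)")


def office_has_macro(data):
    """OOXML documents are ZIP files; a VBA project ships as vbaProject.bin."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def pdf_embedded_office(data):
    """Names of embedded files with Office extensions (uncompressed PDFs only)."""
    if not data.startswith(b"%PDF") or not EMBEDDED_FILE.search(data):
        return []
    names = [n.decode("latin-1") for n in EMBEDDED_NAME.findall(data)]
    return [n for n in names if n.lower().endswith(OFFICE_EXTS)]


def triage_attachment(filename, data):
    """Return 'block', 'review' or 'allow' for one attachment."""
    lower = filename.lower()
    if lower.endswith(OFFICE_EXTS):
        if data.startswith(OLE2_MAGIC):
            return "review"          # needs an OLE2 parser; do not trust blindly
        return "block" if office_has_macro(data) else "allow"
    if lower.endswith(".pdf"):
        if b"/ObjStm" in data and not EMBEDDED_FILE.search(data):
            return "review"          # object streams may hide the embedded file
        return "block" if pdf_embedded_office(data) else "allow"
    if lower.endswith((".js", ".zip")):
        return "review"              # the article also notes zipped JS lures
    return "allow"


# --- constructed sample attachments (not real malware) ---
def make_docx(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder VBA project bytes")
    return buf.getvalue()


def make_pdf(embedded_name=None):
    body = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
    if embedded_name:
        body += (b"2 0 obj << /Type /Filespec /F (" + embedded_name +
                 b") /EF << /F 3 0 R >> >> endobj\n"
                 b"3 0 obj << /Type /EmbeddedFile /Length 0 >> stream\n"
                 b"endstream endobj\n")
    return body + b"%%EOF\n"


if __name__ == "__main__":
    samples = [
        ("invoice.docm", make_docx(True)),
        ("invoice.docx", make_docx(False)),
        ("scan.pdf", make_pdf(b"invoice.docm")),
        ("scan.pdf", make_pdf(b"photo.png")),
    ]
    for name, blob in samples:
        print(name, "->", triage_attachment(name, blob))
```

A gateway rule built this way blocks the macro-bearing Word document and the PDF wrapper outright, which removes the user's decision from the chain; a real deployment would pair it with a full OLE and PDF parser for the cases this routes to review.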


How To Prevent Locky Ransomware Attack?

Many variants of this Locky malware were released, which made it even tougher to detect and counter each attack. For this, your system requires AI-backed anti-phishing software that is capable of identifying updated variants of this ransomware. A robust anti-phishing tool examines all of an email's content, analyses the text, scrutinizes the sender, and only then passes the email to the user’s inbox.

The teams behind most anti-phishing solutions, made up of cybersecurity innovators and technologists, focus on developing the latest and most secure software to detect and counter phishing, ransomware, and malware attacks.

This software is combined with AI-based software developed to identify what was previously unidentifiable, fulfilling the motto of protecting every email user from the latest threats.

Some methods to prevent the attack are:

  • Install a quality anti-virus product and update it regularly.
  • Use anti-phishing software that helps eliminate spam and phishing emails.
  • Never open suspicious emails or their attachments. Instead, visit the official website, log in to your account, and check the authenticity of the suspicious email there.
  • Disable macros in MS Excel so that no macro runs without your knowledge.
  • Keep a cloud backup or a backup on an external drive so your data stays safe if the ransomware compromises your system.
  • Update the operating system to the latest version so that necessary patches are installed automatically.


Final Words

The Locky ransomware gets into a user’s system without authorization and corrupts files via macros. It has evolved to include PDF attachments in emails, which make people assume the mail is safe; however, these PDFs, if opened, download the Trojan, which then locks the files on the user’s system. Hence, making wise decisions and measured clicks while going through email is very important for one’s security online.
