
An aggressive campaign of Locky ransomware

Release Date: 18 Mar 2016

An aggressive campaign of a new ransomware, Locky, has been observed. Locky has been active since February 2016. It encrypts files found on victims’ computers or network shares and adds a ".locky" file extension to them. Because strong encryption algorithms (RSA and AES) are used, encrypted files are practically unrecoverable. Locky displays a ransom note in the local language, demanding a ransom of 0.5 to 1 bitcoin (1 bitcoin = approximately HKD 3,200) in exchange for the decryption keys (see Figure 1).



Figure 1. Locky displays the ransom note in localized language as wallpaper
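The behaviour described above (files on computers and network shares being renamed with a ".locky" extension) is what a file-server audit trail shows first. As an added example that is not part of the HKCERT article, the Python script below scans a constructed rename-audit log (the record layout and the user, host and share names are assumptions made for this example) and raises an alert when a single account renames several files to ".locky" within a short window, which is the point at which the affected host should be cut off from the share.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit log (not from the article). The record layout
# is an assumption made for this example; map it to your own audit format.
SAMPLE_LOG = r"""
2016-03-17T09:58:02 user=bob host=FS01 op=RENAME src=\\FS01\finance\q1.xlsx dst=\\FS01\finance\q1-final.xlsx
2016-03-17T10:02:11 user=alice host=FS01 op=RENAME src=\\FS01\finance\budget.xlsx dst=\\FS01\finance\budget.locky
2016-03-17T10:02:12 user=alice host=FS01 op=RENAME src=\\FS01\finance\report.docx dst=\\FS01\finance\report.locky
2016-03-17T10:02:13 user=alice host=FS01 op=RENAME src=\\FS01\finance\plan.pptx dst=\\FS01\finance\plan.locky
2016-03-17T10:02:14 user=alice host=FS01 op=RENAME src=\\FS01\finance\notes.txt dst=\\FS01\finance\notes.locky
2016-03-17T10:05:40 user=carol host=FS01 op=RENAME src=\\FS01\hr\old.locky dst=\\FS01\hr\archive.locky
2016-03-17T10:06:00 user=bob host=FS01 op=WRITE src=- dst=\\FS01\finance\q1-final.xlsx
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"op=(?P<op>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_line(line):
    """Parse one audit record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def is_locky_rename(ev):
    """True when a file was renamed to carry the .locky extension."""
    return ev["op"] == "RENAME" and ev["dst"].lower().endswith(".locky")


def detect_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Alert once per user who renames >= threshold files to .locky within window."""
    recent = defaultdict(deque)   # user -> timestamps of recent .locky renames
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_locky_rename(ev):
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        # Drop events that fell out of the sliding window.
        while ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "host": ev["host"],
                "first_seen": q[0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "renames_in_window": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"ALERT: {alert['user']} on {alert['host']} renamed "
              f"{alert['renames_in_window']} files to .locky starting {alert['first_seen']}; "
              f"isolate the account's workstation from the share")
```

A single rename to ".locky" (carol's archive housekeeping in the sample) stays below the threshold; the point of the sliding window is that ransomware encrypts many files within seconds, so the rate, not the extension alone, is the signal.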


Locky ransomware in the wild


Cyber criminals are aggressively pushing Locky through a global spam campaign and a large number of compromised websites. Locky is spreading very fast on the Internet. As of March 18, HKCERT has received 18 reports of Locky ransomware, 11 of them in the past two days. The victims include SMEs and non-government organizations. From our outreach to the education sector, we believe there are many more unreported cases.


Locky’s bitcoin ransom collection website is the same as that used by some other ransomware families. It is hidden inside the Tor network. Possible evidence of the malware’s rapid growth is the sharp rise in the number of unique .onion addresses used by Tor hidden services (known as .onion sites) for illegal purposes (see Figure 2).



Figure 2. Number of unique .onion addresses (Source:


Global spam campaign


One main path of infection is through spam email campaigns. Many of the scam messages are disguised as invoices or payment vouchers (see Figure 3). The senders appear to be from the victims’ own email domain or are unknown senders.

Figure 3. Example of spam email messages

The email attachments are Word or Excel files containing malicious macros, or a “.zip” file containing a malicious “.js” script. The victim is prompted to enable the macro feature (see Figure 4). Once the macro is allowed to run, it installs Locky onto the victim’s computer.

Figure 4. Do not enable malicious macros in a Word document
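The attachment types described above can be checked by content rather than by file name or declared MIME type, which is how a mail gateway or an incident responder would triage them. As an added example that is not part of the HKCERT article, the Python code below builds a constructed test e-mail carrying the three lure types (an OOXML document with a VBA project, a .zip holding a .js file, and a legacy binary Office file) plus a harmless PDF, then classifies each attachment; the sender and recipient addresses, the extension list and the message itself are assumptions made for this example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types that should never arrive inside a mail-borne archive. The article
# names ".js"; the other extensions are common script/executable types added
# as an assumption for this example (extend to match local policy).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}

# Magic number of legacy OLE2 (Word 97-2003 .doc / Excel 97-2003 .xls) files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _zip_bytes(entries):
    """Build an in-memory zip archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_attachment(data):
    """Classify attachment bytes by content, never by the declared MIME type."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office file: macro presence cannot be read without an
        # OLE parser, so hand it to manual or sandbox inspection.
        return "legacy-office"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
        # OOXML documents (.docm/.xlsm, or a renamed .docx) store VBA in this part.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "office-macro"
        if any(os.path.splitext(n)[1] in SCRIPT_EXTENSIONS for n in names):
            return "script-in-archive"
        return "archive"
    return "other"


def triage_attachments(raw_message):
    """Return sorted [(filename, verdict)] for every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results.append((name, classify_attachment(payload)))
    return sorted(results)


def build_sample_eml():
    """Constructed test message imitating the invoice lures described in the article."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"      # placeholder sender
    msg["To"] = "victim@example.invalid"          # placeholder recipient
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please see the attached invoice.")
    docm = _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<document/>",
        "word/vbaProject.bin": b"\x00" * 16,      # stand-in for a VBA project
    })
    js_zip = _zip_bytes({"invoice.js": b"// placeholder script body"})
    legacy_doc = OLE_MAGIC + b"\x00" * 24         # header only, no real content
    pdf = b"%PDF-1.4\n%%EOF\n"
    for name, data in [("invoice.docm", docm), ("payment.zip", js_zip),
                       ("voucher.doc", legacy_doc), ("terms.pdf", pdf)]:
        # Declared as octet-stream on purpose: the classifier must not rely on it.
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in triage_attachments(build_sample_eml()):
        print(f"{name:14} {verdict}")
```

Anything classified as "office-macro" or "script-in-archive" is a quarantine candidate regardless of how plausible the invoice text looks; "legacy-office" cannot be cleared by this check alone and needs an OLE-aware macro scanner or a sandbox.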

Distributed via Massive Compromised Website

The hackers also deliver Locky to victims via compromised websites. The infected websites are injected with malicious script code, and visitors to them are redirected to an exploit website. The exploit website attacks vulnerabilities in the visitors’ systems and installed applications; the attacks mainly target the Microsoft Internet Explorer browser. The Locky malware is then downloaded to the victim’s computer.

Features making Locky dangerous

Locky is equipped with advanced features, such as a time-based domain generation algorithm, custom encrypted communication, Tor network support, a Bitcoin payment function and a strong file encryption scheme (RSA-2048 + AES-128), and it is able to encrypt over 160 different file types. Cyber criminals have managed to spread the malware in a very short time. Besides the effort put into the spam campaign, the low detection rate of new samples (as shown on VirusTotal) is also a contributing factor.

Mitigating Risks of Locky Malware

HKCERT issued a security bulletin on Locky on 18 March 2016; see /my_url/en/alert/16031701.

Users are advised to take these steps to mitigate the risks:


  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Do not enable it if in doubt.
  • Regularly backup the files stored on your computer, and keep an offline copy of the backup.
  • Always keep your security software up to date.
  • Keep your operating system and other software updated.
  • Once infected, isolate the infected computer from the network and external storage immediately. Do not open any file before clearing the malware.
  • We do not recommend paying the ransom.

Locky ransomware is currently a hot topic in the ransomware sphere. Cyber criminals are making a lot of profit from it, so they will keep pushing it. Unfortunately, there is no easy way to get data back once you are infected, so you should take our advice to prevent and prepare for its attack.