Skip to main content

HKCERT Security Alert: Locky Ransomware in the Wild

Release Date: 22 Mar 2016 2974 Views

[Press released on 18 Mar 2016]


The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council today (18 March 2016) alerted the public to be vigilant to the Locky ransomware attacks that hold data hostage and demand ransom from the victim.


The alert came as HKCERT recorded a sudden surge in the number of incidents in the past few days. Since mid-February, HKCERT has received 18 reports of Locky ransomware, but 15 of which were received from 16 to 18 March. The victims included local SMEs and non-Government organizations. HKCERT expects many unreported cases to come as the ransomware is spreading quickly around the world.


HKCERT notes that Locky-encrypted files on the victims’ computers have a “.locky” file extension. Victims will be threatened to pay the ransom in bitcoins to get the decryption key, but there is no guarantee they can obtain the key to recover their data.


Hackers have launched the attacks through globalized massive spam campaigns and compromised many websites to host the malicious code. Victimized computers are infected by opening email attachments or clicking the hyperlinks of websites with malicious code. The attachment can be a macro-enabled Microsoft Office document, or a “.zip” file containing a “.js” javascript file. Locky may request users to turn on the macro feature of Microsoft Office for execution.


On the other hand, a website injected with the malicious code will redirect visitors to an exploit website which hosts the attack code. The latter will further attack the security vulnerabilities of the users’ computer system and applications and install the Locky ransomware. The malicious code usually targets Internet Explorer users.


To protect data from ransomware attacks, HKCERT advises Internet users to regularly backup data and keep an offline copy of the backup, and keep security software updated, patch system and other software. The macro feature of Microsoft office should be turned off, and only re-enabled temporarily when necessary and under secure condition. In addition, users are advised to delete any suspicious emails received.


For incidents reporting or enquiries, please contact the HKCERT hotline at tel: (852) 8105 6060, or email: [email protected].