
Locky Ransomware Encrypts Victim Data

Last Update Date: 6 Apr 2016 Release Date: 18 Mar 2016

RISK: Extremely High Risk

TYPE: Attacks - Malware

TYPE: Malware

A new variant of ransomware known as Locky has been spreading quickly, through massive spam campaigns and compromised websites. HKCERT has received a lot of reports from victims.


How Locky was spread

  1. Spam email
    Some victims were infected by opening attachments in spam emails:
    • Known titles of the spam emails include the following:
      • ATTN: Invoice J-[RANDOM NUMBERS]
      • Your booking [RANDOM NUMBERS] is confirmed
      • FW: Invoice 2016-M#[RANDOM NUMBER]
    • The malicious email attachment could be a macro-enabled Microsoft Office document, a ".zip" file containing a JavaScript (.js) file, or a file in another format.
    • The attachment is usually a downloader that can evade anti-malware detection.
    • The mail may pretend to be sent from the victim themselves, or from a random person.
  2. Compromised website
    • Some victims were infected by visiting compromised websites. Those websites mainly target Internet Explorer users.
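
The email traits listed above can be checked at a mail gateway or during mailbox triage. The Python below is an added example, not part of the HKCERT advisory: the function names and sample messages are constructed for illustration, and the macro check assumes the attachment is an OOXML file (a ZIP archive that stores macros in vbaProject.bin).

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject patterns built from the spam titles listed in the advisory.
SUBJECT_PATTERNS = [
    re.compile(r"ATTN:\s*Invoice\s+J-\d+", re.I),
    re.compile(r"Your booking\s+\d+\s+is confirmed", re.I),
    re.compile(r"FW:\s*Invoice\s+2016-M#\d+", re.I),
]

def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw message matches the delivery traits above."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    if any(p.search(str(msg.get("Subject", ""))) for p in SUBJECT_PATTERNS):
        reasons.append("subject matches known title")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(".js"):
            reasons.append(f"script attachment: {name}")
        if zipfile.is_zipfile(io.BytesIO(data)):
            # Covers plain .zip archives and OOXML Office files (also zips).
            # Legacy OLE .doc/.xls files are not inspected here.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    low = member.lower()
                    if low.endswith(".js"):
                        reasons.append(f"{name} contains script {member}")
                    elif low.endswith("vbaproject.bin"):
                        reasons.append(f"{name} contains VBA macros")
    return reasons

def build_sample(subject: str, filename: str, members: list[str]) -> bytes:
    """Constructed test message: a zip attachment with harmless placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m in members:
            zf.writestr(m, "placeholder")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("ATTN: Invoice J-12345678", "invoice.zip", ["invoice.js"])))
```

A non-empty result is a reason to quarantine the message for review; an empty result does not mean the message is safe, since the advisory notes that attachments also arrive in other formats.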


  • Locky encrypts files on victims’ computers and adds a .locky file extension to them.
  • Files on network drives are affected.
  • Data will be unrecoverable due to encryption by ransomware.


To protect yourself from ransomware:

  • Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Do not enable it if in doubt.
  • Regularly back up the files stored on your computer, and keep an offline copy of the backup.
  • Always keep your security software up to date.
  • Keep your operating system and other software updated.
  • Once infected, isolate the infected computer from the network and external storage immediately. Do not open any file before clearing the malware.
  • We do not recommend paying the ransom.

Vulnerability Identifier

  • No CVE information is available

Related Link