Locky Ransomware

What is ransomware?

Ransomware is a malicious program that denies users access to their own files by hiding or scrambling them and/or encrypting them with strong encryption algorithms. It then forces the victim to pay a ransom through an online payment, usually in bitcoin, in order to regain access to their data. This type of malware infects a computer or system through various attack vectors, ranging from malicious email attachments, malicious online ads and pop-ups and scam campaigns to infected downloads. It is important to note that paying the ransom does not guarantee that the victim will get their data back.


Locky is a relatively new ransomware that started attacking victims in early 2016. Recently, a Hollywood hospital paid around $17,000 to unlock its medical records after such an infection. In fact, several companies in Lebanon have been infected and came back to us for help and guidance.
A user gets infected when interacting with malicious online ads and pop-ups. The most common attack vector, however, is a Microsoft Word macro file delivered through spam emails or mails from infected contacts. When downloaded and opened, the Word document advises the victim to enable macros if the data encoding is incorrect, as seen in the image below.
Enabling macros does not fix the text encoding as claimed; instead, it runs the code embedded in the document, which drops a malicious file onto the system. This file connects to the internet, downloads the Locky ransomware and runs it.
Once the main executable runs, Locky checks the security posture of the machine and tries to disable common security controls. It then searches for common file types such as Office documents, images, videos and other data files and encrypts them with strong encryption: it commonly uses RSA-4096 combined with AES-128, which all but guarantees that the attacker is the only party able to decrypt the files. Moreover, some variants delete the Volume Snapshot Service (VSS) shadow copies that Microsoft Windows keeps as live backup versions of files, so that the victim cannot restore their files to earlier, uninfected versions.
After encrypting the files, Locky may change the desktop background to the image below, or simply place image files in the same folders as the encrypted files to guide the victim through the instructions. The links that appear in it are TOR links hosted on the dark web, which can only be accessed with a TOR-based browser. Following the instructions, the victim may pay a ransom that varies between BTC 0.5 and BTC 1. BTC is short for bitcoin, an e-currency currently worth around $400. After paying the ransom, the victim is provided with their decryption keys to recover their data.
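As an added illustration of the infection chain described above (this is not code from the original post), the following Python snippet shows how a defender could flag the two behaviours in process-creation telemetry: an Office application launching a script host (the macro dropper stage) and a process deleting shadow copies (the backup-destruction stage). The event records, host names and file paths are constructed samples, and the field names (parent, image, cmdline) are an assumption about the log format.

```python
import re
from typing import Dict, List, Tuple

# Rule 1: an Office application spawning a shell or script interpreter,
# which is how an enabled macro typically launches its dropper.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Rule 2: any command line that deletes Volume Shadow Copies.
# A plain "vssadmin List Shadows" query must not trigger this.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "C:\\Users\\alice\\Downloads\\invoice.doc"'},
    {"parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\macro_drop.vbs"},
    {"parent": "svchost.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe List Shadows"},            # benign admin query
    {"parent": "stage2.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules a single event triggers (empty if none)."""
    hits: List[str] = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if SHADOW_DELETE.search(event["cmdline"]):
        hits.append("shadow_copy_deletion")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run every rule over a list of events; return (index, rules) per hit."""
    findings = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"event {i}: {e['parent']} -> {e['image']}: {', '.join(hits)}")
```

Either rule on its own is a strong signal; both firing on the same host within minutes matches the sequence the article describes and is a reason to isolate the machine immediately.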
How to protect yourself?
To clean an infected personal desktop, laptop or server, follow the steps in the guide below by Malwarebytes. Note that most of the software products mentioned are free.
Malware Removal Guide for Windows

Users should follow certain precautions in order to avoid being affected by this infection and many other similar malicious programs. What we recommend is detailed below:

Personal Users:

  • Use an up-to-date antivirus product
  • Install the Adblock Plus extension in all your web browsers: Install Adblock Plus
  • Avoid using Office macros and disable them: Disable Macros in Office documents
  • Don’t open email attachments from unknown contacts
  • Back up your critical files and store the backups on remote storage
  • Keep your system up to date and patched
  • Don’t grant administrator privileges to running programs unless you are sure they need them

IT Departments:

  • Restrict downloads of Microsoft Word macro files and disable macros across your domain if possible
  • Use email filters to detect spam and malicious attachments. We suggest Cisco's IronPort Email Security Appliance
  • Use a web filter to block online ads, pop-ups and blacklisted domains. We suggest the BlueCoat Web Proxy
  • Restrict the download of malicious files and executables. We suggest the BlueCoat Web Proxy
  • Make sure your AV system is up to date
  • Back up your files regularly and keep a copy of critical data off-site
  • Only use administrator privileges/accounts when needed
  • In case of infection, always isolate the affected machines