Locky is the name of a ransomware that has been evolving of late, thanks to constant algorithm upgrades by its authors. Locky, as its name suggests, renames all the important files on the infected PC, giving them the extension .locky, and demands a ransom for the decryption keys.
Locky ransomware – Evolution
Ransomware has grown at an alarming rate in 2016. It uses email and social engineering to enter your computer systems. Most emails with malicious documents attached carried the popular ransomware strain Locky. Among the billions of messages that used malicious document attachments, around 97% featured Locky ransomware, an alarming 64% increase from Q1 2016, when it was first discovered.
The Locky ransomware was first detected in February 2016 and was reportedly sent to half a million users. Locky came into the limelight in February this year when the Hollywood Presbyterian Medical Center paid a $17,000 Bitcoin ransom for the decryption key for patient data. Locky infected the hospital’s data through an email attachment disguised as a Microsoft Word invoice.
Since February, Locky has been changing its extensions in a bid to deceive victims into thinking they have been infected by a different ransomware. Locky originally renamed encrypted files to .locky, and by the time summer arrived it had evolved to the .zepto extension, which has been used in multiple campaigns since.
At last report, Locky is encrypting files with the .ODIN extension, trying to confuse users into thinking it is actually the Odin ransomware.
Locky ransomware mainly spreads via spam email campaigns run by the attackers. These spam emails mostly carry .doc files as attachments, containing scrambled text and what appear to be macros.
A typical email used in Locky ransomware distribution may pose as an invoice, which catches most users’ attention. For instance:
Email subject – “ATTN: Invoice P-12345678”; infected attachment – “invoice_P-12345678.doc” (contains macros that download and install Locky ransomware on the computer)
Email body – “Dear someone, Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice. Let us know if you have any questions. We greatly appreciate your business!”
Once the user enables macros in Word, an executable file, which is actually the ransomware, is downloaded to the PC. Thereafter, various files on the victim’s PC are encrypted by the ransomware, which gives them unique 16-character names made up of letters and digits, with .shit, .thor, .locky, .zepto or .odin file extensions. All files are encrypted using the RSA-2048 and AES-1024 algorithms and require a private key, stored on remote servers controlled by the cyber criminals, for decryption.
Once the files are encrypted, Locky generates an additional .txt file and a _HELP_instructions.html file in each folder containing encrypted files. This text file contains a message (as shown below) that informs users of the encryption.
It further states that the files can only be decrypted using a decrypter developed by the cyber criminals and costing 0.5 Bitcoin. Hence, to get the files back, the victim is asked to install the Tor browser and follow a link provided in the text files/wallpaper. The website contains instructions for making the payment.
There is no guarantee that the victim’s files will be decrypted even after the payment is made. But, usually to protect their ‘reputation’, ransomware authors stick to their part of the bargain.
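To triage the renaming behaviour described above, a responder can walk a suspect volume and group the indicators the article names (16-character letter/digit names carrying the listed extensions, plus the _HELP_instructions.html note) by folder, which shows which directories or shares were hit and how far encryption progressed in each. The Python below is an added example, not code from the original article; the exact file-name pattern is my reading of the article’s description rather than a published signature, and the sample listing is constructed.

```python
import os
import re
from collections import Counter, defaultdict

# Extensions the article says Locky has appended to encrypted files over time.
LOCKY_EXTENSIONS = ("locky", "zepto", "odin", "shit", "thor")

# Ransom note the article says Locky drops into every folder it encrypts.
RANSOM_NOTE = "_help_instructions.html"

# The article describes encrypted files as getting unique 16-character
# letter/digit names; this pattern is my reading of that description
# (an assumption, not a published Locky signature).
ENCRYPTED_NAME = re.compile(
    r"^[0-9a-z]{16}\.(" + "|".join(LOCKY_EXTENSIONS) + r")$", re.IGNORECASE
)


def classify(path):
    """Label one path as 'ransom_note', 'encrypted' or 'other'."""
    name = os.path.basename(path)
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    return "other"


def summarize(paths):
    """Group indicators by folder so a responder sees which directories
    were hit and how much of each folder is already encrypted.
    Returns {folder: {"encrypted": n, "ransom_note": n, "other": n}}
    for folders showing at least one indicator."""
    per_folder = defaultdict(Counter)
    for p in paths:
        per_folder[os.path.dirname(p)][classify(p)] += 1
    hits = {}
    for folder, counts in per_folder.items():
        if counts["encrypted"] or counts["ransom_note"]:
            hits[folder] = {k: counts[k] for k in ("encrypted", "ransom_note", "other")}
    return hits


def scan_tree(root):
    """Walk a real directory (for example a mounted disk image) and
    return the same per-folder summary."""
    paths = []
    for dirpath, _dirs, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    return summarize(paths)


# Constructed sample listing for the demo; the names are invented, not real IoCs.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/0A1B2C3D4E5F6789.locky",
    "C:/Users/alice/Documents/_HELP_instructions.html",
    "C:/Users/alice/Pictures/holiday.jpg",
    "C:/Users/alice/Pictures/ZZ00ZZ00ZZ00ZZ00.zepto",
    "C:/Users/alice/Pictures/ZZ00ZZ00ZZ00ZZ01.zepto",
    "C:/Users/alice/Pictures/_HELP_instructions.html",
    "C:/Users/alice/Desktop/notes.txt",
]

if __name__ == "__main__":
    for folder, counts in summarize(SAMPLE_PATHS).items():
        print(folder, counts)
```

Run `scan_tree("/mnt/image")` against a read-only mount of the affected disk; the "other" count per folder tells you what the ransomware had not yet reached, which is the first question when deciding what to restore from backup.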
Locky Ransomware changing from .wsf to .LNK extension
Since its emergence in February this year, Locky ransomware infections have gradually decreased, with fewer detections of Nemucod, which Locky uses to infect computers. (Nemucod is a .wsf file contained in .zip attachments in spam email.) However, as Microsoft reports, Locky’s authors have changed the attachment from .wsf files to shortcut files (.LNK extension) that contain PowerShell commands to download and run Locky.
The example of the spam email below shows that it is made to attract immediate attention from users. It is sent with high importance and with random characters in the subject line. The body of the email is empty.
The spam email, typically titled “Bill”, arrives with a .zip attachment which contains the .LNK files. By opening the .zip attachment, users trigger the infection chain. This threat is detected as TrojanDownloader:PowerShell/Ploprolo.A. When the PowerShell script runs successfully, it downloads and executes Locky in a temporary folder, completing the infection chain.
File types targeted by Locky Ransomware
Below are the file types targeted by Locky ransomware.
.yuv, .ycbcra, .xis, .wpd, .tex, .sxg, .stx, .srw, .srf, .sqlitedb, .sqlite3, .sqlite, .sdf, .sda, .s3db, .rwz, .rwl, .rdb, .rat, .raf, .qby, .qbx, .qbw, .qbr, .qba, .psafe3, .plc, .plus_muhd, .pdd, .oth, .orf, .odm, .odf, .nyf, .nxl, .nwb, .nrw, .nop, .nef, .ndd, .myd, .mrw, .moneywell, .mny, .mmw, .mfw, .mef, .mdc, .lua, .kpdx, .kdc, .kdbx, .jpe, .incpas, .iiq, .ibz, .ibank, .hbk, .gry, .grey, .gray, .fhd, .ffd, .exf, .erf, .erbsql, .eml, .dxg, .drf, .dng, .dgc, .des, .der, .ddrw, .ddoc, .dcs, .db_journal, .csl, .csh, .crw, .craw, .cib, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .bpw, .bgt, .bdb, .bay, .bank, .backupdb, .backup, .back, .awg, .apj, .ait, .agdl, .ads, .adb, .acr, .ach, .accdt, .accdr, .accde, .vmxf, .vmsd, .vhdx, .vhd, .vbox, .stm, .rvt, .qcow, .qed, .pif, .pdb, .pab, .ost, .ogg, .nvram, .ndf, .m2ts, .log, .hpp, .hdd, .groups, .flvv, .edb, .dit, .dat, .cmt, .bin, .aiff, .xlk, .wad, .tlg, .say, .sas7bdat, .qbm, .qbb, .ptx, .pfx, .pef, .pat, .oil, .odc, .nsh, .nsg, .nsf, .nsd, .mos, .indd, .iif, .fpx, .fff, .fdb, .dtd, .design, .ddd, .dcr, .dac, .cdx, .cdf, .blend, .bkp, .adp, .act, .xlr, .xlam, .xla, .wps, .tga, .pspimage, .pct, .pcd, .fxg, .flac, .eps, .dxb, .drw, .dot, .cpi, .cls, .cdr, .arw, .aac, .thm, .srt, .save, .safe, .pwm, .pages, .obj, .mlb, .mbx, .lit, .laccdb, .kwm, .idx, .html, .flf, .dxf, .dwg, .dds, .csv, .css, .config, .cfg, .cer, .asx, .aspx, .aoi, .accdb, .7zip, .xls, .wab, .rtf, .prf, .ppt, .oab, .msg, .mapimail, .jnt, .doc, .dbx, .contact, .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .wallet, .upk, .sav, .ltx, .litesql, .litemod, .lbf, .iwi, .forge, .das, .d3dbsp, .bsa, .bik, .asset, .apk, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, 
.odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .pst, .onetoc2, .asc, .lay6, .lay, .ms11 (Security copy), .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .ke.
How to prevent Locky Ransomware attack
Locky is a dangerous virus that poses a grave threat to your PC. It is recommended that you follow these instructions to prevent ransomware and avoid getting infected.
- Always have anti-malware and anti-ransomware software protecting your PC, and update it regularly.
- Keep your Windows OS and the rest of your software up to date to mitigate possible software exploits.
- Back up your important files regularly. It is better to have them saved offline rather than on cloud storage, since the virus can reach there as well.
- Disable the loading of macros in Office programs. Opening an infected Word document could prove risky!
- Do not blindly open mail in the ‘Spam’ or ‘Junk’ email folders. This could trick you into opening an email containing the malware. Think before clicking on web links on websites or in emails, or downloading email attachments from senders that you don’t know. Do not click on or open attachments such as:
  - Files with a .LNK extension
  - Files with a .wsf extension
  - Files with a double-dot extension (for example, profile-p29d..wsf)
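The attachment rules in this list, together with the zipped .LNK and .wsf droppers described in the section on Locky changing from .wsf to .LNK, can be turned into a mail-gateway or help-desk triage check that opens the archive in memory and reports every entry that matches. The Python below is an added example written for this article, not code from the original post or from any vendor; treating .doc as “macro-capable”, the header heuristics (high importance with an empty body) and the exact finding strings are my assumptions, and the sample message and zip are constructed.

```python
import io
import os
import re
import zipfile

# Attachment types the article tells readers never to open from mail.
BLOCKED_EXTENSIONS = {".lnk", ".wsf"}

# The article's original Locky lure is a .doc that asks the user to enable
# macros; treating .doc as "macro-capable" is my simplification (assumption).
MACRO_CAPABLE = {".doc"}

# Double-dot extensions such as profile-p29d..wsf, as quoted in the article.
DOUBLE_DOT = re.compile(r"\.\.[0-9a-z]+$")


def risk_of_name(name):
    """Return the reasons a single file name should be blocked or flagged."""
    lower = name.lower()
    reasons = []
    if DOUBLE_DOT.search(lower):
        reasons.append("double-dot extension")
    ext = os.path.splitext(lower)[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked extension " + ext)
    elif ext in MACRO_CAPABLE:
        reasons.append("macro-capable Office document")
    return reasons


def triage_attachment(name, data):
    """Check one attachment; a .zip is opened in memory and every entry is
    checked, since the article's .LNK and .wsf droppers arrive zipped."""
    findings = risk_of_name(name)
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings.extend(info.filename + ": " + r
                                    for r in risk_of_name(info.filename))
        except zipfile.BadZipFile:
            findings.append("claims .zip but is not a valid archive")
    return findings


def triage_message(msg):
    """Combine the header heuristics the article mentions (high importance,
    empty body) with the attachment checks. Returns a list of findings."""
    findings = []
    if msg.get("high_importance") and not msg.get("body", "").strip():
        findings.append("high importance with empty body")
    for name, data in msg["attachments"].items():
        findings.extend(name + ": " + r for r in triage_attachment(name, data))
    return findings


def build_sample_zip():
    """Constructed sample: a zip holding a shortcut named like the 'Bill'
    lure. The entry's content is placeholder text, not a real .LNK file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill.lnk", "placeholder, not a real shortcut")
    return buf.getvalue()


# Constructed sample message mirroring the article's description.
SAMPLE_MAIL = {
    "subject": "Bill",
    "high_importance": True,
    "body": "",
    "attachments": {"Bill.zip": build_sample_zip()},
}

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MAIL):
        print(finding)
```

Because the check looks inside the archive rather than at the outer .zip name alone, a gateway that only blocks bare .lnk and .wsf attachments gains coverage of the zipped form the article describes; a malformed archive is reported rather than silently passed.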
How to decrypt Locky Ransomware
As of now, there are no decrypters available for Locky ransomware. However, a decryptor from Emsisoft can be used to decrypt files encrypted by AutoLocky, another ransomware that also renames files to the .locky extension. AutoLocky uses the scripting language AutoIt and tries to mimic the complex and sophisticated Locky ransomware. You can see the complete list of available ransomware decryptor tools here.