What is a Locky file?

A Locky file is a file that has been encrypted by Locky, a family of ransomware that encrypts a victim’s files and demands payment in order to decrypt them. Locky has been one of the most widespread and damaging ransomware variants in recent years.

What is ransomware?

Ransomware is a form of malicious software (malware) that encrypts or locks a victim’s files until a ransom is paid. The ransom demand is usually in the form of cryptocurrency, such as Bitcoin, that is difficult to trace. Once installed, ransomware will systematically encrypt files on the infected device and any connected drives or networks.

Some key characteristics of ransomware include:

  • Prevents access to files, systems or networks
  • Demands payment to restore access (the “ransom”)
  • Encrypts files so they cannot be decrypted without a key
  • May delete files or make them permanently inaccessible if the ransom is not paid
  • Ransoms demanded typically range from hundreds to thousands of dollars
  • Payments are often demanded in cryptocurrency, such as Bitcoin

Ransomware attacks have become increasingly common due to the availability of ransomware kits on the dark web that allow cybercriminals to more easily carry out attacks. According to one report, global ransomware damage costs were predicted to reach $20 billion by 2021.

History of Locky ransomware

The Locky ransomware was first observed in early 2016, infecting systems through spam email campaigns that distributed Microsoft Office documents containing malicious macros. When the document was opened, the macros would install the Locky malware, which would then proceed to encrypt files on the system.

Locky initially used RSA-2048 and AES-128 encryption algorithms to encrypt files, appending the .locky extension. The ransom demands were typically for 0.5 to 1 bitcoin ($400 to $800 at the time).

By mid-2016, Locky developers began distributing variant strains and using different techniques to evade detection. This included utilizing compromised WordPress sites to spread malicious script downloads.

Throughout 2016 and 2017, Locky remained one of the top ransomware threats globally. However, Locky infections began to decline in 2018 as new ransomware strains emerged. The operators behind Locky were estimated to have extorted nearly $7.8 million in ransom payments.

Timeline of major Locky developments

  • February 2016 – First Locky variant identified
  • March 2016 – Locky spreads via fake invoice emails with Word docs
  • April 2016 – Locky expands distribution to fake shipping confirmation emails
  • June 2016 – Locky shifts from RSA encryption to AES encryption
  • August 2016 – Locky abuses Windows PowerShell for distribution
  • October 2016 – Locky operators compromise WordPress sites for watering hole attacks
  • December 2016 – Diverse Locky campaigns target over 100 countries
  • May 2017 – WannaCry ransomware attack impacts systems worldwide
  • September 2017 – Locky distributes updates to evade new malware defenses
  • 2018 – Locky infections decline as operators switch tactics

How Locky is distributed

Locky ransomware is primarily spread through spam email campaigns or drive-by downloads from compromised websites. Some of the most common distribution tactics have included:

Malicious email attachments

Spam emails carry Office document attachments (Word, Excel, PowerPoint) that contain malicious macros. When the document is opened, the macros run and download and install Locky.

Phishing links

Emails contain links to websites hosting Locky installers. The links purport to lead to invoices, shipping notices, or other files but deliver malware instead.

Compromised websites

Hacked websites and vulnerable web servers are used to host Locky installers. Users visiting these sites may have the malware downloaded automatically.

Social engineering

Emails pretend to come from trusted sources or entities to trick users into installing malware, and may spoof legitimate companies, invoices, or attachments.

In addition to these tactics, other malware infections on a system could potentially download and install Locky as a secondary payload.
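The distribution tactics above all hinge on getting a macro-carrying Office document or a disguised executable past the recipient. The following is an added example (not code from the original article) of how a mail gateway or triage script can screen attachments for exactly those lures: it flags macro-enabled Office extensions, double extensions that hide an executable behind a document name, and invoice/shipping wording, and it opens the attachment as a ZIP archive to look for the vbaProject.bin part that marks an OOXML document carrying VBA macros, rather than trusting the filename. The sample messages and the minimal document archives are constructed for the demo; the function names and the lure word list are this example's own choices.

```python
"""Screen inbound e-mail attachments for the lures the article describes.

Added example, not code from the original article. Two kinds of check:
  * the attachment name: macro-enabled Office formats, double extensions,
    and invoice/shipping style lure words in the subject or filename;
  * the attachment bytes: a modern Office document is a ZIP archive, and a
    document that carries VBA macros contains a vbaProject.bin part, so the
    archive is opened and inspected instead of trusting the name.
The sample messages built at the bottom are constructed for the demo.
"""
import io
import zipfile

MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
OFFICE_EXTENSIONS = MACRO_EXTENSIONS | {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
# Extensions that run code directly; a lure hiding one behind a "document"
# name is the classic double-extension trick ("invoice.pdf.exe").
EXECUTABLE_EXTENSIONS = {".exe", ".js", ".vbs", ".wsf", ".scr", ".bat", ".cmd"}
LURE_WORDS = ("invoice", "shipping", "delivery", "payment", "receipt")  # assumed word list


def contains_vba_project(data: bytes) -> bool:
    """True if the bytes are an OOXML-style archive that ships a VBA macro part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(subject: str, filename: str, data: bytes) -> list[str]:
    """Return the reasons this attachment deserves quarantine (empty list = nothing found)."""
    reasons = []
    lowered = filename.lower()
    parts = lowered.rsplit(".", 2)  # "invoice.pdf.exe" -> ["invoice", "pdf", "exe"]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment type {ext}")
        if len(parts) == 3 and "." + parts[1] in OFFICE_EXTENSIONS | {".pdf"}:
            reasons.append("double extension disguises an executable as a document")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office format {ext}")
    if ext in OFFICE_EXTENSIONS and contains_vba_project(data):
        reasons.append("document archive contains a vbaProject.bin macro part")
    text = f"{subject} {lowered}".lower()
    if reasons and any(word in text for word in LURE_WORDS):
        reasons.append("invoice/shipping lure wording combined with a risky attachment")
    return reasons


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style ZIP for the demo; real documents carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro blob
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages: one macro lure, one clean report, one double extension.
    samples = [
        ("Invoice #4471", "invoice_4471.docm", build_sample_document(True)),
        ("Q3 report", "report.docx", build_sample_document(False)),
        ("Shipping confirmation", "tracking.pdf.exe", b"MZ placeholder"),
    ]
    for subject, name, data in samples:
        verdict = assess_attachment(subject, name, data)
        print(f"{name:20s} -> " + ("QUARANTINE: " + "; ".join(verdict) if verdict else "no findings"))
```

The byte-level check matters more than the extension check: renaming a .docm to .docx does not remove the vbaProject.bin part, so inspecting the archive catches what a name-based filter misses.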

How Locky encrypts files

Once installed on a computer, Locky will first generate a pair of RSA-2048 public and private keys. The private key is encrypted and sent back to the Locky command and control servers operated by the attackers.

Locky then traverses all available drives and networked folders on the infected system. It encrypts a wide range of files using AES-128 encryption paired with the previously generated public RSA-2048 key. This hybrid encryption prevents decryption without the private key held by the attackers.

Locky typically encrypts files with the following extensions:

  • .sql, .mdb, .accdb, .dbx, .doc, .docx, .xls, .xlsx, .ppt, .pptx
  • .mp4, .avi, .mpeg, .mpg, .mp3, .wmv, .mpe, .mov, .flv, .3gp
  • .7z, .rar, .tar, .bak, .dss, .psd, .ai, .cdr, .indd, .cs

An encrypted file will typically have the same name but with the .locky extension appended. For example, document.docx would become document.docx.locky.

Locky encryption process

  1. Generate RSA-2048 public and private key pair
  2. Encrypt RSA private key and send to command server
  3. Traverse all drives and folders on infected system
  4. Encrypt files with AES-128 and RSA public key
  5. Append .locky extension to encrypted files

Without access to the private key, these AES-encrypted files cannot be decrypted. Only the Locky operators hold the private key needed to unlock the encryption.

Locky ransom notes

After encrypting a victim’s files, Locky will create ransom notes in each folder with encrypted files. These ransom notes are typically named _HELP_RECOVER_INSTRUCTIONS.txt or _DECRYPT_INSTRUCTIONS.html.

The notes provide information on how much is being demanded as a ransom and instructions for payment. Here is an example of a Locky ransom note:

YOUR FILES ARE ENCRYPTED!
All your files (photos, databases, documents, etc) have been encrypted with RSA-2048 encryption.

1. Do not modify or try to delete any files. It will not help you to recover your data.
  
2. To decrypt your files send an email to this address: {Locky payment email}
  
3. In the letter specify what you are ready to pay for decryption. We accept payments only in Bitcoins.
  
4. You have to pay for decryption in Bitcoins because it is absolutely anonymous payment system.
  
5. We accept payments from 50 to 2 Bitcoins. When we receive your payment your files will be decrypted in 5 to 10 hours.

ATTENTION:
- Do not rename your encrypted files.
- Do not try to decrypt your data with third party software because it is impossible, and you will damage your files.
- Do not ask for help from antivirus companies because they have no key to decrypt your files.
- Do not waste your time making attempts to decrypt your files. Any attempt will make your files forever inaccessible.

The ransom note aims to alarm victims and pressure them into paying quickly. By threatening permanent loss of data and warning against seeking other decryption solutions, attackers maximize chances the ransom will be paid.

Removing and recovering from Locky

If your computer gets infected with Locky ransomware, here are steps you can take:

Isolate infected systems

Disconnect infected devices from any networks or shared folders to prevent further spread of the infection.

Identify scope of infection

Determine which files and systems were impacted. The scope of the damage also indicates whether payment might be necessary for recovery.
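Scoping the infection can be done from the artefacts Locky leaves behind, described earlier on this page: encrypted files keep their original name with .locky appended (document.docx.locky) and each affected folder receives a ransom note named _HELP_RECOVER_INSTRUCTIONS.txt or _DECRYPT_INSTRUCTIONS.html. The following is an added example (not code from the original article) of a read-only scan that walks a tree and reports affected folders, the original file types hit, and where notes were dropped, so a responder can match the result against backups. It never renames or touches the encrypted files. The directory layout it scans is constructed in a temporary directory for the demo, and the function names are this example's own.

```python
"""Map the scope of a Locky-style infection from what it leaves on disk.

Added example, not code from the original article. It walks a directory
tree and collects the two artefacts the article describes: files whose
original name has ".locky" appended, and ransom notes named
_HELP_RECOVER_INSTRUCTIONS.txt or _DECRYPT_INSTRUCTIONS.html. The scan is
read-only; it reports, it does not rename or modify anything. The sample
tree used by demo() is constructed in a temporary directory.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".locky"
RANSOM_NOTE_NAMES = {"_HELP_RECOVER_INSTRUCTIONS.txt", "_DECRYPT_INSTRUCTIONS.html"}


def scan_tree(root: Path) -> dict:
    """Return a summary of encrypted files and ransom notes found under root."""
    encrypted = []              # (folder, original file name) pairs
    note_folders = []           # folders that hold a ransom note
    original_types = Counter()  # original extensions of the encrypted files
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = str(Path(dirpath).relative_to(root))
        for name in filenames:
            if name in RANSOM_NOTE_NAMES:
                note_folders.append(folder)
            elif name.endswith(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]  # document.docx.locky -> document.docx
                encrypted.append((folder, original))
                original_types[Path(original).suffix.lower() or "(none)"] += 1
    affected = {folder for folder, _ in encrypted}
    return {
        "encrypted_count": len(encrypted),
        "affected_folders": sorted(affected),
        "original_types": dict(original_types),
        "ransom_note_folders": sorted(note_folders),
        # A note without encrypted files next to it can mean the folder was
        # already cleaned, or that the files there had unlisted extensions.
        "notes_without_encrypted_files": sorted(set(note_folders) - affected),
    }


def build_sample_tree(root: Path) -> None:
    """Lay out a small constructed tree resembling a partially encrypted share."""
    layout = {
        "finance": ["budget.xlsx.locky", "ledger.accdb.locky", "_HELP_RECOVER_INSTRUCTIONS.txt"],
        "media": ["intro.mp4.locky", "readme.txt", "_DECRYPT_INSTRUCTIONS.html"],
        "untouched": ["notes.txt"],
    }
    for folder, names in layout.items():
        (root / folder).mkdir(parents=True, exist_ok=True)
        for name in names:
            (root / folder / name).write_bytes(b"placeholder content")


def demo() -> dict:
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the root of a suspected share rather than a temp directory to get a real report; the affected_folders list is what to compare with the backup catalogue before deciding whether anything is unrecoverable.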

Attempt to decrypt with recovery tools

Try scanning with antivirus software or online decryption tools to unlock files without paying ransom.

Wipe system and restore from backup

Backup data and then perform a factory reset of infected systems to remove Locky.

Pay ransom as last resort

If no other option is available, paying the ransom may be the only way to regain access to the encrypted files.

Paying the ransom should be a last resort, as it encourages and funds further malware attacks. Recovery without payment is recommended if possible.

Protect systems from reinfection

Update antivirus software, install patches, and secure networks to prevent future Locky attacks.

For organizations, staff education and simulated phishing tests can help reduce risk of ransomware infection.

The future of Locky

Though Locky was one of the most successful ransomware strains, infections have declined significantly since 2018. Security experts cite several possible reasons for this:

  • Arrests of alleged Locky affiliate marketers
  • Ransomware-as-a-Service disruption
  • Competition from other ransomware families
  • Improved security and backup solutions

While Locky itself has faded, the ransomware landscape continues to evolve. New variants like Ryuk, Sodinokibi and REvil have adopted more sophisticated tactics. State-sponsored ransomware operations have also emerged.

As long as ransomware proves profitable for cybercriminals, the threat is unlikely to disappear. Users should remain cautious of suspicious emails and keep regular backups to limit potential ransomware damage.

Ongoing ransomware trends

  • Targeting of business networks and critical infrastructure
  • Double extortion with data theft and ransom
  • Deepfake video or audio social engineering
  • Ransomware offered as a subscription service

Yet while ransomware continues, so do efforts to foil these attacks. Through security awareness, proactive system protections, threat data sharing and law enforcement actions, the impact of ransomware can hopefully be mitigated.

Conclusion

Locky exemplified the massive damage potential of ransomware. By abusing weak spots in security and capitalizing on user behavior, it was able to infect hundreds of thousands of systems globally. While Locky itself has declined, its run demonstrated how profoundly disruptive ransomware can be for both individuals and organizations.

The threat of ransomware is unlikely to disappear in the near future. But understanding the tactics used by ransomware like Locky can help equip users to better secure their systems and avoid becoming the next victim.