Locky is a type of ransomware, which is a form of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files. Ransomware has emerged as a major cyber threat in recent years, with new variants like Locky being rapidly developed and deployed by cybercriminals.
What does Locky do?
The main goal of Locky is to extort money from victims by encrypting their personal files and making them inaccessible. It encrypts a wide range of file types including documents, images, videos and more. Encrypted files are appended with the .locky file extension.
Locky is spread via spam email campaigns that distribute the malware as email attachments, often masquerading as invoices or order confirmations. If the attachment is opened, Locky will be downloaded onto the victim’s computer where it can encrypt files and communicate with command and control servers operated by the attackers.
In addition to encrypting files, Locky will also attempt to encrypt Windows Shadow Volume copies to prevent file recovery. It deletes Windows recovery tools and disables certain startup processes to make it harder to remove. The ransom note directs victims to download the Tor browser and visit a payment site on the dark web to purchase decryption.
What is the impact of a Locky infection?
An infection with the Locky ransomware can have severe consequences for victims. The encryption process is rapid, encrypting hundreds of file types within minutes. This can result in the loss of important documents, photos, databases and other critical user files. Without backups, these files may be permanently inaccessible.
For businesses and organizations, a widespread Locky infection can be highly disruptive and lead to downtime or an inability to access key files needed for operations. The damage and recovery costs can be substantial. Even with backups, it takes time and resources to restore encrypted systems.
In addition to the damage done, victims must consider whether to pay the ransom demand or not. The attackers typically demand ransoms of several hundred dollars or more, payable in bitcoin or other digital currencies. There is no guarantee files will be recovered after payment.
How does Locky spread?
The primary distribution method for Locky is spam email campaigns. The malware operators send out waves of spam messages containing infected email attachments in the form of Word documents or Excel spreadsheets. When opened, these attachments download and activate Locky on the victim’s system.
The emails used in these campaigns are carefully crafted to appear legitimate, often impersonating well-known companies or contacts with the aim of tricking the recipient into opening the attachment. Subject lines may relate to orders, invoices, payment requests or shipping notices.
Locky operators have also used compromised websites and malvertising campaigns to spread the ransomware. Visitors to compromised sites may automatically download Locky, while malvertisements redirect victims to these malicious sites through tainted ads.
Who is behind Locky?
Locky first appeared in early 2016 and researchers have connected it to an established cybercriminal ransomware operation known as Dridex. Dridex operators are believed to be located in Eastern Europe and have been active since 2014. The group is known for spreading banking trojans and ransomware variants.
The Locky variant is thought to have been developed by the Dridex team based on the open-source CryptoLocker ransomware code. They likely chose to branch out into ransomware attacks due to the profit potential. Ransomware has proven to be a lucrative business model for cybercriminals.
However, it is unknown exactly who writes and maintains the Locky code. Ransomware developers and distributors tend to stay hidden in order to avoid law enforcement. It is likely that Locky operations are supported by a network of different actors playing different roles.
Notable Locky campaigns
Since its appearance, Locky ransomware has been used in many high-profile spam campaigns aiming to infect a large number of victims across the globe. Some of the major waves and developments include:
- February 2016 – The first Locky variant is observed being spread via spam campaigns sending Microsoft Word attachments.
- June 2016 – A major uptick in Locky distribution sees millions of spam messages sent out in a short period of time.
- September 2016 – Locky begins using macros in Excel spreadsheet attachments to download the malware payload.
- December 2016 – Locky shifts to using compromised websites rather than attachments to distribute malware.
- January 2017 – A new variant, FixMeStinx, emerges, bypassing normal warning prompts.
- September 2017 – Locky returns to spam campaigns, now with PDF attachments instead of Office documents.
- June 2018 – Researchers observe a technique allowing Locky to detect and neutralize malware analysis systems.
These campaigns have resulted in Locky becoming one of the most widely spread and successful ransomware strains to date. At its peak, millions of Locky spam emails were being sent daily to victims around the world.
Notable Locky attacks
In addition to mass spam campaigns, Locky ransomware has also been used in high-profile attacks against hospitals, government agencies and other critical infrastructure organizations. Some notable incidents include:
- Hollywood Presbyterian Medical Center – In February 2016, this Los Angeles hospital paid 40 bitcoins (around $17,000 at the time) to decrypt systems following a crippling Locky attack.
- University of Calgary – Paid CDN$20,000 ransom in June 2016 after more than 100 critical systems were impacted by Locky.
- Erie County Medical Center – Attack in April 2017 caused major disruption to hospital operations and medical record systems.
- City of Atlanta – March 2018 attack crippled many city services and systems, with cleanup costs estimated at $2.6 million.
- Norsk Hydro – Norwegian aluminum company severely impacted after Locky hit 22,000 computers across 170 sites in March 2019.
These incidents illustrate how debilitating and costly Locky attacks can be, especially for crucial infrastructure organizations. Paying the ransom, as some victims have chosen to do, further fuels the ransomware business model.
How is Locky evolving over time?
Locky has continued to evolve since its emergence, with its developers continuously making changes and introducing new capabilities to evade detection and infect more victims. Some key evolutions include:
- Use of macros in Office documents to download the malware payload rather than embedding it in the attachment itself.
- Leveraging compromised websites rather than attachments for distribution.
- Adding worm-like capabilities to spread internally across networks.
- Introducing ransomware-as-a-service to enable affiliate structures.
- Using packers and anti-analysis techniques to avoid detection.
- Updating encryption algorithms and evasion tactics.
- Frequently shifting infrastructure to new domains.
Locky has proven adaptable, leveraging new delivery mechanisms, exploits and infrastructure. New variants are constantly under development. This is typical of ransomware, as creators constantly tweak their creations to stay ahead of defenses.
Recent Locky campaigns and developments
Locky activity declined somewhat after 2017 as other ransomware strains emerged. However, it remains an active threat. Some recent Locky ransomware campaigns and developments include:
- July 2020 – New Locky variant found being spread via brute force RDP attacks instead of spam.
- September 2020 – Researchers uncover evidence that old Locky code is being reused and rebranded for new ransomware campaigns.
- October 2020 – Phishing emails impersonating financial agencies used to spread Locky and other malware.
- December 2020 – Locky delivered through malicious Excel 4.0 documents attached to spam emails.
- February 2021 – Fake SafeDocuments tied to Locky ransomware attacks on industrial firms.
- May 2021 – Locky delivered via malvertising on high traffic sites.
- July 2021 – VMware ESXi servers infected with new Locky variant.
While not as dominant as in 2017, these incidents show that Locky remains an active and evolving threat. Its operators continue to find ways to spread the malware and extract ransom from victims.
Is Locky still a cyber threat?
Although it is no longer as prolific as during 2016-2017, Locky ransomware remains an active threat for a few key reasons:
- Locky source code and builder kits are available online, allowing continued use by attackers.
- Affiliates from the original Dridex/Locky operations may still be deploying the malware.
- New cybercriminal groups reuse and repackage old Locky code.
- It is profitable – ransom payments incentivize continued distribution.
- Spam email and social engineering remain effective infection vectors.
Locky highlighted the profit potential of ransomware. Even if Locky deployments decrease, ransomware is here to stay. Criminals will continue developing new ransomware strains and campaigns as long as the business model remains lucrative.
Defending against Locky
A number of best practices can help defend against Locky ransomware attacks:
- User education – Train employees to identify and avoid suspicious emails or attachments.
- Spam filtering – Use filtering tools to block malicious emails and attachments.
- Disable macros – Block Office macros to prevent malware delivery through documents.
- Patch systems – Keep all software up-to-date to eliminate vulnerabilities.
- Limit privileges – Use account restrictions to limit damage from malware.
- Backup regularly – Maintain backups disconnected from networks.
- Monitor systems – Use endpoint detection and response tools to identify threats.
- Segment networks – Isolate and segment systems to prevent lateral movement.
Ransomware resilience requires layers of technical defenses combined with policies and user training. Preparation is key, as attacks like Locky often exploit basic security gaps.
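As an added example for the "Monitor systems" item above (not code from the original article), the following Python detector alerts when a single host renames many files to the .locky extension the article describes within a short sliding window, which is the burst pattern a rapid encryption run produces. The log line format, host names, thresholds and file paths are constructed for this example; parse_event() is the part to adapt to a real EDR or audit log format.

```python
"""Alert on a burst of files renamed to .locky on one host (added example, not
from the original article; the log format is constructed, adapt parse_event())."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # .locky renames per window that trigger an alert
WINDOW = timedelta(seconds=60)  # sliding window per host

# Constructed sample events: "<ISO timestamp> <host> <action> <old> -> <new>".
# ws-17 shows the burst pattern; ws-22 shows benign noise that must not alert.
SAMPLE_EVENTS = r"""
2016-02-16T08:58:00 ws-17 RENAME C:\Users\a\Docs\old.doc -> C:\Users\a\Docs\old.doc.locky
2016-02-16T09:00:01 ws-17 RENAME C:\Users\a\Docs\q1.xlsx -> C:\Users\a\Docs\q1.xlsx.locky
2016-02-16T09:00:02 ws-17 RENAME C:\Users\a\Pictures\photo.jpg -> C:\Users\a\Pictures\photo.jpg.locky
2016-02-16T09:00:02 ws-17 RENAME C:\Users\a\Docs\report.docx -> C:\Users\a\Docs\report.docx.locky
2016-02-16T09:00:03 ws-17 RENAME C:\Users\a\Docs\notes.txt -> C:\Users\a\Docs\notes.txt.locky
2016-02-16T09:00:04 ws-17 RENAME C:\Users\a\Docs\budget.xlsx -> C:\Users\a\Docs\budget.xlsx.locky
2016-02-16T09:00:05 ws-17 RENAME C:\Users\a\Docs\deck.pptx -> C:\Users\a\Docs\deck.pptx.locky
2016-02-16T09:00:06 ws-22 RENAME C:\Users\b\Docs\draft.docx -> C:\Users\b\Docs\draft.bak
2016-02-16T09:00:07 ws-22 RENAME C:\Users\b\Docs\x.pdf -> C:\Users\b\Docs\x.pdf.locky
"""

def parse_event(line):
    """Return (timestamp, host, old_path, new_path) for RENAME events, else None."""
    ts, host, action, rest = line.split(" ", 3)
    if action != "RENAME" or " -> " not in rest:
        return None
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, old, new

def detect_locky_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one (host, time, count) alert per host that exceeds the rename rate."""
    recent = defaultdict(deque)   # host -> timestamps of .locky renames in window
    alerts, alerted = [], set()
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        ts, host, _old, new = event
        if not new.lower().endswith(".locky"):
            continue              # only the extension the article describes
        queue = recent[host]
        queue.append(ts)
        while ts - queue[0] > window:   # drop renames older than the window
            queue.popleft()
        if len(queue) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append((host, ts, len(queue)))
    return alerts
```

The 08:58:00 event on ws-17 falls outside the 60-second window and is discarded, so the alert fires on the fifth rename inside the window at 09:00:04; a lone .locky rename on ws-22 stays below the threshold.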
The future of ransomware like Locky
Locky demonstrated that ransomware can be an efficient, low-risk business model for cybercriminals. New ransomware strains and campaigns will certainly continue to emerge.
Attackers are gravitating toward more targeted, intricate ransomware attacks on high-value targets like critical infrastructure. Self-propagating “worm-like” ransomware is also on the rise, magnifying damage. Ransomware is increasingly sold as a service, lowering barriers to entry.
At the same time, ransomware defenses are improving as organizations recognize the threat. Better backups, user awareness and systems segmentation can restrict damage and reduce incentives to pay ransom. Law enforcement efforts also help deter some attackers.
In the ongoing battle between ransomware attackers and defenders, expect the ransomware scourge to continue evolving in sophistication, scale and complexity. But prepared organizations can certainly minimize their risk and business impact.
Conclusion
Locky ransomware exemplifies the serious cyber threat posed by ransomware. By encrypting files and demanding ransom, it can significantly disrupt both individual users and major organizations. Awareness, caution and proactive defenses are essential to protect against ransomware attacks.
While Locky deployments have slowed down, the ransomware business model endures. Ransomware like Locky will remain a dangerous cyber risk for the foreseeable future. However, a combination of security technology, policies, vigilance and cyber resilience can help significantly reduce ransomware damage and disruption.